Consider Cost-Effective Methods for IoT Security
So, what if you have a device that needs to be secure, but you’re not confident it’s worth a high-dollar security investment?
Maybe it’s a smart water valve or an internet-connected fish tank like the one we built with Koller Products. Chances are, you’re not terribly worried about a hacker breaking in and nefariously changing the colors of the lights in your fish tank. All the same, it’s a good idea to follow some sort of best practice for protecting devices from bad actors.
This is where client-side SSL comes in, a practice we implement regularly at Very. When we provision a device, we generate a unique secure key. We make that key part of the IoT firmware and upload it to the device. Whenever the device is out in the field, that key is in charge of managing communication back to the internet, the cloud, and secure communications and processes.
If an attacker were to somehow get ahold of that device and get ahold of that key, they wouldn't have access to everything. They would only have access to a very small attack surface, meaning they could cause less damage.
Educate Consumers on Security Measures
User or customer education is always important in technology security. When the web first started out, for example, people were creating lots of personal accounts and using terrible passwords that put their accounts at risk of being compromised. We had to explain to consumers that “123456” and “password” were too easy to guess.
Similarly, with IoT, we need to educate consumers about best practices, like:
1. Guarding your smart devices. Consumers need to understand that if their IoT devices have sensitive information, it’s important that they don’t leave it in an exposed area. If the device connects to the internet, for example, it may contain the customer’s WiFi credentials, which could be manipulated by malicious parties.
2. Inspecting the IoT products you buy. Keeping in mind that there are no set standards for IoT security, customers need to be thoughtful about their purchases. If a consumer wants a security camera outside their house, for example, they should consider one that doesn’t store personal information on the device itself. Instead, it might store data on a hub kept inside that wirelessly connects to the camera outdoors.
3. Proper disposal of IoT devices. Consumers need to know the proper procedures for selling, giving away, or disposing of IoT devices. Many of these products, like smart light bulbs, may still store WiFi credentials that they wouldn’t want to share with others — especially not people digging through trash cans looking for opportunities.
Only you can prevent forest fires, and sometimes, the user is the most valuable asset for maintaining IoT security. By educating those users, carefully crafting your IoT solutions, and implementing secure processes, you can protect yourself and your customers.