Security and the IoT - A Product Developer’s Dilemma

Published by Barbara Nelson July 28, 2016

Every day, there are new articles about security and connected products, and quite frankly, the more that is written, the more confusing it can get. On the one hand, there is a growing number of connected products whose primary purpose is to provide security and make us feel safer at home - security cameras, video-enabled doorbells, sensors, monitors - the list goes on. The sole purpose of these products is to watch over our homes and our families, and to alert us when something is wrong.

On the other hand, we hear that you can’t trust these connected products, that they are just another attack surface for the inevitable hacker, and by installing a connected product you are making it easier for a criminal to target your home. By remotely accessing your connected products, a criminal will be able to tap into your security camera feed, determine when you aren’t at home, and then let themselves in via your connected door lock, steal what they want, and leave again.

So, why are we seeing such conflicting information on these products? Should we trust them, or are they opening us up to new dangers? How do we know which products to trust, and which products to avoid? This depends a lot on the product developers, and the calibre of the company bringing the product to market. Did they think about security while they designed the product?  Did they make the right trade-offs between ease of use and security? Do they have the right safeguards in place to protect the consumers who will use their products?

I would like to say that most product developers will do the right thing, but then I saw a survey that really scared me. In an Auth0 survey of product developers, 85% of developers surveyed have felt rushed to get an application to market due to demand/pressure in the last 6 months, and 90% of developers surveyed do not believe that IoT devices currently on the market have the necessary security in place.

Shame on the product developers and shame on our industry for letting products get into the market that introduce new security vulnerabilities. We as an industry and we as product developers need to do more. We need to focus our attention on ensuring that security in a connected product is not an afterthought, that it is designed in alongside every other product feature.

We should be constantly asking ourselves questions about the environment in which our products will be used: How do I know that my product is connecting to the right network? How do I prevent an unauthorized user from taking control of the product? How do I ensure that the data my product gathers is safely delivered to the cloud, without being intercepted along the way? And more.  

As product developers, we have a responsibility to design and develop reliable products that behave correctly and are not vulnerable to attack. Our commitment to our customer base should include a commitment to delivering secure products that work as expected, with no nasty surprises.

Partnering with a company like Cirrent whose mission is to deliver a seamless, secure on-boarding process for connected products is a great first step!