Common mistakes in IoT security are quite easy to avoid
The rise of IoT products and applications also brings increasing security risks. But why do companies fail to implement good security? Stefaan de Roeck from Dekimo tries to find answers to this question during his lecture at E&A 2019.
By: Dimitri Reijerman
De Roeck works at Dekimo in the consultancy department. He says: “Traditionally, a lot of this is about embedded systems. My focus is the software. That is also a transition from the hardware that has been going on for some time. In addition to consultancy, I also do some coaching and teaching.”
Companies from all kinds of industries turn to him when they encounter problems with product development, says De Roeck: “These are companies that are looking for something specific. Not so much in a particular industry. They want to see a problem solved in a combination of hardware and software. These are customers from, for example, the food industry or the high-tech industry. Our role has everything to do with electronics development and embedded software development.”
According to De Roeck, rapid technological developments, the important role of IoT and ever faster product development are creating security problems: “Many companies are forced to make a transition to a product that must include security, while previously this was not an emphasis at all. Let alone that these were connected devices. IoT is hip and everything is moving in that direction. But then suddenly there is a lot to consider. Security sometimes receives very little attention, or the people who have to look at it do not yet have the expertise to do security-conscious design at all, so there are still some challenges.”
Default passwords
According to the consultant, many problems can be prevented quite easily: “Often it is about carelessness. Standard passwords were once put in there by developers, then not documented because there was no intention to put these passwords in a final product. That password was simply forgotten along the way, perhaps because the person who put it in the software no longer works there or the person who actually releases it to the market has never heard of it. Sometimes it is not a technical cause, but a communicative question that lies behind it.”
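The failure De Roeck describes has two parts: a development credential that is weak, and a credential nobody documented, so the person releasing the product does not know it exists. Both can be caught by a release gate that scans the firmware's configuration before a build is allowed to ship. The following is an added example, not code from Dekimo or from the lecture; the file names, the `key = value` configuration format, the credential-key patterns and the denylist of default values are all assumptions chosen for illustration.

```python
"""Release gate for forgotten development credentials (added example, not from the article).

Policy it enforces:
  1. A configuration key that looks like a credential must not carry a weak or
     default value ("admin", "1234", empty, ...).
  2. Every credential key present in the release tree must appear in a documented
     credential inventory, so an undocumented developer password fails the build
     even if its value happens to look strong.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Key names that usually hold a credential. Assumption: snake_case keys such as
# "admin_password", "api_key", "debug_pin"; adjust the pattern for your own schema.
CREDENTIAL_KEY_RE = re.compile(
    r"(?:^|_)(?:pass(?:word|wd)?|secret|token|pin|api_?key)(?:_|$)", re.IGNORECASE
)

# Constructed denylist of values that must never ship as a credential.
WEAK_VALUES = {"", "admin", "password", "root", "1234", "12345", "123456",
               "0000", "default", "changeme", "test"}


@dataclass
class Finding:
    path: str
    key: str
    reason: str


def parse_kv(text: str) -> Dict[str, str]:
    """Parse simple 'key = value' lines; comments and blank lines are ignored."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip().strip('"').strip("'")
    return out


def check_release(files: Dict[str, str], documented: Dict[str, str]) -> List[Finding]:
    """Scan every config file; `documented` maps 'path:key' to an owner/justification."""
    findings: List[Finding] = []
    for path, text in files.items():
        for key, value in parse_kv(text).items():
            if not CREDENTIAL_KEY_RE.search(key):
                continue
            if value.lower() in WEAK_VALUES:
                findings.append(Finding(path, key, f"weak or default value {value!r}"))
            if f"{path}:{key}" not in documented:
                findings.append(Finding(path, key, "credential missing from the documented inventory"))
    return findings


def gate_passes(files: Dict[str, str], documented: Dict[str, str]) -> bool:
    """True when the release tree contains no finding; wire this into CI."""
    return not check_release(files, documented)


# Constructed sample release tree: one forgotten admin password, one forgotten
# debug PIN, and one properly documented credential injected at provisioning.
SAMPLE_FILES = {
    "fw/config/default.conf": "# constructed sample\nlisten_port = 8443\nadmin_user = admin\nadmin_password = admin\n",
    "fw/config/cloud.conf": 'endpoint = "https://example.invalid/api"\napi_key = "${PROVISIONED_AT_FACTORY}"\n',
    "tools/debug.conf": "debug_pin = 1234\n",
}
DOCUMENTED = {
    "fw/config/cloud.conf:api_key": "injected per device at provisioning; owner: firmware team (constructed)",
}

if __name__ == "__main__":
    for f in check_release(SAMPLE_FILES, DOCUMENTED):
        print(f"{f.path} [{f.key}]: {f.reason}")
    print("release gate:", "PASS" if gate_passes(SAMPLE_FILES, DOCUMENTED) else "FAIL")
```

The inventory check is the part that addresses the communication problem the consultant describes: a credential that is intentionally present has an owner and a reason on record, so whoever releases the product can see it, and one that nobody wrote down stops the build rather than quietly shipping.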
However, there are also more fundamental problems in the field of cyber security that will take more time to be resolved. De Roeck: “We have more problems than solutions in the IoT world. That has to do with the industry. If a particular company has never emphasized security, then the communication channels are not set up for that either. Companies that specialize in equipment, for example for the avionics market, have special points of attention. They naturally pay attention to human safety. That is a design consideration.”
Another market where security has traditionally received more attention is the medical world. This is partly due to the use of standards, says De Roeck: “There are standards for other markets, such as the medical market. Then it concerns human lives, especially when it comes to implants. There are very strict rules for this and fortunately there are agencies that are specifically involved in this. These are the right considerations to make when developing such a product. Something like that helps.”
Role for regulation?
Another option for raising the security level of IoT software is regulation, although De Roeck admits that this is always a difficult story: “Perhaps there can be feedback on this issue from the legislation, together with the establishment of a testing institute; that seems useful to me. But if the government says: 'there should no longer be default passwords in IoT products', then they are being too specific, because there are many more problems at play. That is how you get the problem that the legislation very quickly falls behind again.”
Concluding his argument, De Roeck says that companies must already have the basics in order if they venture into IoT product development: “If you first create a product and then want to add security, you have to redesign a lot, and many companies are often not prepared for that. This must be carefully considered at the start of the product, otherwise you will run into problems, such as the impact on time-to-market and financial risk.”
You can attend Stefaan de Roeck's lecture yourself by registering for E&A 2019 free of charge.