Secure software updates for the Internet of Things
Four considerations from manufacturers for security in the Internet of Things

The IoT manufacturers we spoke to told us about four main reasons for security:

  1. Updating a device while ensuring others can’t
  2. Controlling a device while ensuring others can’t
  3. Protecting data sent from a device
  4. Ensuring data from a device is genuine

1. Updating a device while ensuring others can't

Software has bugs; sometimes they can cause harm, for example a bug that allows a baby monitor to be remotely hijacked. It's essential that this type of bug can be fixed after the device has left the manufacturer, which usually means some sort of remote update capability.

A video baby monitor (Original photo: Binatone Global, CC BY-SA)

Fixing bugs is not the only reason remote updates need to be a feature of IoT devices. IoT manufacturers also told us there’s commercial pressure to ship a product quickly and add more software later through remote updates.

When it comes to apps and websites, there are established ways of developers doing software updates securely.

For web applications, developers simply deploy a new version of a site’s HTML, CSS and JavaScript, and rely on the browser to download the new version at some point in the future. The integrity of web applications relies on Transport Layer Security (TLS) in the form of HTTPS.

Update screens of Google Play Store and Apple App Store (Screenshot/Google, Apple)

For app developers, software updates are handled automatically by the Apple App Store and Google Play Store; developers don't need to implement any of this infrastructure themselves. App updates are cryptographically signed, but the signing is bundled into Apple Xcode and Android Studio and largely hidden from the developer.

In contrast, in IoT there's no equivalent to app stores and code isn't delivered through a browser, so each manufacturer has to build its own update mechanism, including the signing and verification that the app stores provide for free. Getting this wrong risks 'bricking' the device (updating it in a way that leaves it unable to boot), in which case the manufacturer would have to go through an expensive recall exercise.
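The following is an added example, not code from the original post or from any manufacturer it describes, of the minimum a custom update mechanism needs to do: the manufacturer signs a small manifest (version plus SHA-256 of the image) with a private key that never leaves its release infrastructure, and the device, which only holds the matching public key, verifies the signature, refuses downgrades, and checks that the image it downloaded is the one the manifest describes before writing anything to flash. The manifest format, field names and sample images are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed, minimal manifest: the version the image claims
// to be and the SHA-256 of the image bytes. The manufacturer signs this, not the
// (possibly large) image itself, so the device can verify it cheaply.
type UpdateManifest struct {
	Version   uint32
	ImageHash [32]byte
}

// Bytes gives the manifest a fixed, canonical encoding so that signer and
// verifier process exactly the same bytes.
func (m UpdateManifest) Bytes() []byte {
	buf := make([]byte, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignedUpdate is what the device downloads.
type SignedUpdate struct {
	Manifest  UpdateManifest
	Signature []byte
	Image     []byte
}

// SignUpdate runs on the manufacturer's release infrastructure. The private key
// lives there (ideally in an HSM) and is never present on the device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	m := UpdateManifest{Version: version, ImageHash: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid: not from the manufacturer")
	ErrRollback      = errors.New("version not newer than the installed one: downgrade refused")
	ErrImageMismatch = errors.New("image hash does not match the signed manifest")
)

// VerifyUpdate runs on the device before a single byte is written to flash.
// pub is the manufacturer's public key baked into the firmware; installed is
// the currently running version. Checks are ordered so that nothing from an
// unsigned manifest is trusted, then downgrades to older (vulnerable) versions
// are refused, then the image is bound to the manifest.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u SignedUpdate) error {
	if !ed25519.Verify(pub, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	if got := sha256.Sum256(u.Image); !bytes.Equal(got[:], u.Manifest.ImageHash[:]) {
		return ErrImageMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = 1
	image := []byte("constructed firmware image v2")

	good := SignUpdate(priv, 2, image)
	fmt.Println("genuine v2 update:", VerifyUpdate(pub, installed, good))

	tampered := good
	tampered.Image = append([]byte("X"), image[1:]...) // one byte changed after signing
	fmt.Println("tampered image:   ", VerifyUpdate(pub, installed, tampered))

	old := SignUpdate(priv, 1, []byte("constructed firmware image v1"))
	fmt.Println("replayed v1:      ", VerifyUpdate(pub, installed, old))

	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(attackerKey, 3, []byte("malicious image"))
	fmt.Println("attacker-signed:  ", VerifyUpdate(pub, installed, forged))
}
```

Two things this example leaves to the surrounding system. Verification guards against installing the wrong code; it does not by itself guard against bricking, so the image should be written to a second slot and the old one kept until the new one has booted successfully. And the public key baked into the firmware is itself a long-term commitment: plan for how it will be rotated if the private key is ever compromised.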

2. Controlling a device while ensuring others can't

As well as collecting and transmitting data, many devices can be controlled remotely. For example, it may be possible to use a smartphone app to arm and disarm an internet-connected burglar alarm or silence a smoke alarm.

Just as a device should only install updates it can verify came from the manufacturer, a remote-controlled device should only accept control commands from parties that are authorised to issue them, and should be able to tell a fresh command from a recording of an old one.

3. Protecting data sent from a device

Connected devices have a particularly intimate status when we bring them into the home. To preserve our safety, these devices should protect the data they collect and transmit.

An example of a connected cuddly toy

In the last few years there have been emotive examples of insecure baby monitors, smart TVs transmitting conversations and cuddly toys leaking recordings of children onto the internet. In fact, one manufacturer we spoke to told us they felt a responsibility to protect the data on their devices because the products are aimed at children.

Seemingly benign data can add up to reveal a much bigger picture. For example, a single temperature reading from a home’s smart thermostat might not mean much. But with a month’s worth of data, it's possible to tell exactly when someone’s late from work or on holiday. That information has the potential to endanger people if misused, so it’s essential to protect it.

For both mobile and web apps, this protection is again provided by TLS. Once a TLS connection is established with a remote server whose certificate the client has verified, data sent and received is encrypted inside the TLS session. Note that TLS protects data only while it is in transit: what the device stores locally, and what the manufacturer's servers keep, has to be protected separately.
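TLS only provides that protection if the device actually checks who it is talking to. The following added example (not from the original post) contrasts the two client configurations most often seen in device firmware: one that trusts only the manufacturer's own CA certificate, which is embedded in the firmware image because many devices have no system trust store, and one that switches verification off. A local HTTPS test server with a self-signed certificate stands in for the manufacturer's cloud; the client names are assumptions for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// NewDeviceHTTPClient is the configuration firmware should ship with: TLS 1.2 or
// newer, and trust restricted to the manufacturer's own CA certificate(s), which
// are passed in because they come from the firmware image rather than a system store.
func NewDeviceHTTPClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    roots,
	}}}
}

// NewInsecureHTTPClient is the shortcut that appears when a certificate error
// blocks a demo: it disables server authentication entirely, so anyone on the
// network path can impersonate the manufacturer's server and read or alter
// everything the device sends.
func NewInsecureHTTPClient() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: true, // never ship this
	}}}
}

// fetch performs a GET and returns the body, or the TLS/transport error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// RunScenario starts a local HTTPS server standing in for the manufacturer's
// cloud (its certificate is self-signed, like one from a CA the device has never
// heard of) and reports which client configurations accept it.
func RunScenario() (strictNoRoots, strictPinned, insecure bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	connects := func(c *http.Client) bool {
		body, err := fetch(c, srv.URL)
		return err == nil && body == "ok"
	}

	// Device trusts nothing it recognises: the unknown server is refused.
	strictNoRoots = connects(NewDeviceHTTPClient(x509.NewCertPool()))

	// Device trusts exactly the manufacturer's certificate: accepted.
	pinned := x509.NewCertPool()
	pinned.AddCert(srv.Certificate())
	strictPinned = connects(NewDeviceHTTPClient(pinned))

	// Verification disabled: accepted, and would be just as happy with an impostor.
	insecure = connects(NewInsecureHTTPClient())
	return
}

func main() {
	a, b, c := RunScenario()
	fmt.Println("strict client, no trusted roots:       ", a)
	fmt.Println("strict client, manufacturer CA pinned: ", b)
	fmt.Println("InsecureSkipVerify client:             ", c)
}
```

The pinned configuration has its own operational cost: CA certificates expire and get replaced, and a device that may run for a decade needs a way to receive new roots, which is one more reason the update mechanism from consideration 1 has to work.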

4. Ensuring data from a device is genuine

There are many important systems that rely on the data collected from IoT devices. For example, road traffic data is collected, aggregated, analysed and used to make planning decisions about which junctions to upgrade. Health monitoring devices send heart-rate and movement data about vulnerable patients to control rooms that can respond to a medical emergency.

To be able to trust and respond to data, there has to be confidence that the data is really coming from the device and hasn't been tampered with. In practice that means each device holds a secret that an impostor does not, uses it to authenticate every message it sends, and marks messages so that an old, genuine message cannot be replayed as a new one.
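An added example (not from the original post) of the receiving side of that: each device is provisioned with its own key at manufacture, attaches an HMAC-SHA256 over the device ID, a sequence number and the payload to every reading, and the control room's server checks the MAC in constant time and refuses any sequence number it has already seen. The message layout, device IDs and readings are constructed for the example. The same pattern, with a signature in place of the MAC when the checking side should not hold the device's secret, is what lets a device reject unauthorised or replayed control commands (consideration 2).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Reading is a constructed telemetry message. The MAC covers the device ID,
// the sequence number and the payload, so none of them can be altered and the
// message cannot be attributed to a different device.
type Reading struct {
	DeviceID string
	Seq      uint64
	Payload  string
	MAC      []byte
}

// macInput builds the bytes that are authenticated. Each variable-length field is
// length-prefixed so that ("ab","c") and ("a","bc") cannot produce the same input.
func macInput(deviceID string, seq uint64, payload string) []byte {
	var b []byte
	for _, f := range []string{deviceID, payload} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		b = append(b, n[:]...)
		b = append(b, f...)
	}
	var s [8]byte
	binary.BigEndian.PutUint64(s[:], seq)
	return append(b, s[:]...)
}

func computeMAC(key []byte, deviceID string, seq uint64, payload string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(macInput(deviceID, seq, payload))
	return m.Sum(nil)
}

// Device holds a per-device secret provisioned at manufacture (on real hardware it
// belongs in a secure element) and a counter that only ever increases.
type Device struct {
	ID  string
	key []byte
	seq uint64
}

func NewDevice(id string, key []byte) *Device { return &Device{ID: id, key: key} }

// Send produces the next authenticated reading.
func (d *Device) Send(payload string) Reading {
	d.seq++
	return Reading{DeviceID: d.ID, Seq: d.seq, Payload: payload,
		MAC: computeMAC(d.key, d.ID, d.seq, payload)}
}

// Server knows each device's key and the last sequence number it accepted.
type Server struct {
	keys    map[string][]byte
	lastSeq map[string]uint64
}

func NewServer() *Server {
	return &Server{keys: map[string][]byte{}, lastSeq: map[string]uint64{}}
}

// Provision registers a device's key, e.g. from the factory's per-unit record.
func (s *Server) Provision(id string, key []byte) { s.keys[id] = key }

var (
	ErrUnknownDevice = errors.New("unknown device")
	ErrBadMAC        = errors.New("MAC mismatch: forged, corrupted or misattributed reading")
	ErrReplay        = errors.New("sequence number not newer: replayed or reordered reading")
)

// Accept verifies a reading. The MAC is checked first, in constant time, so an
// attacker without the key cannot move the replay counter; only then is the
// counter compared and updated.
func (s *Server) Accept(r Reading) error {
	key, ok := s.keys[r.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	if !hmac.Equal(r.MAC, computeMAC(key, r.DeviceID, r.Seq, r.Payload)) {
		return ErrBadMAC
	}
	if r.Seq <= s.lastSeq[r.DeviceID] {
		return ErrReplay
	}
	s.lastSeq[r.DeviceID] = r.Seq
	return nil
}

func main() {
	key := []byte("constructed per-device key; use 32 random bytes in practice")
	dev := NewDevice("thermostat-0042", key)
	srv := NewServer()
	srv.Provision(dev.ID, key)

	r1 := dev.Send(`{"temp_c":21.5}`)
	fmt.Println("genuine reading:   ", srv.Accept(r1))
	fmt.Println("same reading again:", srv.Accept(r1))

	r2 := dev.Send(`{"temp_c":21.7}`)
	altered := r2
	altered.Payload = `{"temp_c":99.0}`
	fmt.Println("altered payload:   ", srv.Accept(altered))
	fmt.Println("genuine reading:   ", srv.Accept(r2))

	impostor := NewDevice("thermostat-0042", []byte("guessed key"))
	fmt.Println("impostor device:   ", srv.Accept(impostor.Send(`{"temp_c":-40}`)))
}
```

The counter is what turns "this came from the device at some point" into "this is new". On a real device it must survive reboots and power loss (stored in non-volatile memory, or re-synchronised with the server at connection time), otherwise a restarted device's readings are indistinguishable from a replay. A MAC also gives the server no way to prove to a third party which device sent a reading; where that matters, the device signs with a per-device private key instead.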