Examining software security implications for IoT device manufacturers

Over the past decade we’ve seen an increase in consumer grade IoT devices, but the security of those devices hasn’t always kept pace with the realities of the cyber threats targeting what is arguably an unmanaged computing device. These cyber threats are made more concerning when the expected lifespan of the device is factored in. After all, dishwashers, thermostats and doorbells aren’t devices like smartphones where there is social pressure to have the latest version.

This means that IoT device manufacturers need to invest in cybersecurity not only during design and for the initial software release, but also over the expected lifespan and potentially into obsolescence. For manufacturers new to the connected device world, it’s highly likely that their business plan for a new model includes a maintenance and service model that relies heavily on third parties to manufacture replacement parts and then install them.

When it comes to protecting against cybersecurity threats, this paradigm may not hold up if software patches are required. Effectively, addressing software defects requires cybersecurity skills, an understanding of the framework used to create the software, and an understanding of how the original software functions. Gaps in any of those areas could lead to patches that break other aspects of the software.

And unlike hardware which can be produced by any number of manufacturing facilities, software updates need to be based off the original source code and tested on the platform.

One reality of software development is that software engineers aren’t familiar with every line of code in a given application, and even the sections of code they are familiar with can be forgotten over time. Considering the average dishwasher’s lifespan can exceed ten years, that’s far longer than most engineers’ recollection of why they made the decisions they did when originally writing the code.

Of course, the direct damage of a hacked dishwasher might seem low, but when you consider that the software might have a diagnostic mode allowing water to flow while the door is open, if that can be triggered through a remote attack then the risk of water damage to the home increases.

Even without such a risk, a connected dishwasher is by definition connected to a network. That network has several other devices on it, each with varying levels of software patches and functions. The compromise of a connected dishwasher could provide attackers access to other devices that contain sensitive data.

It is ultimately the data and associated privacy side of the security coin that is most significant for manufacturers as they equip their products with WiFi capabilities. Decisions around what is acceptable data to collect, how that data is processed, where its processed, and who retains it are the subject of many global digital privacy laws. Navigating them is challenging at the best of times, but unlike hardware where once the hardware is designed, it rarely changes, digital privacy regulations are ever-shifting.

Consider that in 2020 the California Consumer Privacy Act came into effect and less than a month later the EU-US Privacy Shield was invalidated by the Court of Justice of the European Union. This ruling directly impacts the legal framework covering how data collected in the EU and sent to the US for processing or storage works. Importantly, when something like the EU-US Privacy Shield is invalidated, there often isn’t a grandfather clause allowing for ongoing operations to continue. This means that manufacturers need to plan for how they’ll address future regulatory hurdles throughout the lifecycle of their products.

For manufacturers creating their first connected products, the complexities of both cybersecurity and digital privacy can be daunting. Your first designs will likely form the template for future products, and they need to have a solid footing. Even if you’ve developed software in the past, adding WiFi or another networking capability opens up the attack surface and will force your development teams to learn new skills. This is precisely the point where external cybersecurity expertise will give the greatest impact, and also where internal collaboration between product, support and legal teams will pay dividends should a cyber incident occur.

Complicating matters further, the data collection rules associated with the product may run afoul of a future privacy law meaning that business decisions surrounding data management that were made during initial revisions of software may increase future business risk. Addressing these security and privacy issues requires device vendors to look at the cost of sale for a device not as a line item on a balance sheet, but instead as a function of overall goodwill to the business. In effect, product security practices and customer friendly secure data processes implemented when a business or product line is in its infancy can help reduce the overall business risk for successful products.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.