IoT Security May Not Be as Hard as You Think

Data and intellectual property are at risk in virtually every Internet of Things (IoT) project, but it needn’t be so, an expert will tell attendees at the upcoming Embedded Systems Conference in Boston.

Shawn Prestridge, US field applications engineering team leader for IAR Systems, will say that engineering teams often underestimate the risk of intrusion, while overestimating the difficulty of installing preventative measures. “They think that security is either too hard or too expensive,” Prestridge told Design News. “We want them to know that there are tools out there to make it easy.”

Prestridge said that the ingenuity of thieves can run the gamut. Some, he said, simply use positions of trust to make copies of intellectual property, while others find amazing ways to hack into private networks. He cited an example of data thieves in Las Vegas who gained access to a secure Wi-Fi network through a thermostat in a fish tank on a casino floor. The thieves eventually downloaded a list of the casino’s high-rolling customers, then published it on the Internet.

People will do it just because they can,” Prestridge said. “Then they’ll figure out what to do with the data later. And by the time you figure it out, the horse has already left the barn.”

Prestridge divides the security breaches into two categories. The first is intellectual property – theft of product software and algorithms, often by overseas manufacturers authorized to produce a company’s device in a distant locale. Those thieves sometimes over-produce the product and simply re-sell it, he said. “Whenever someone comes up with a hot new idea for the IoT, it’s not very long before someone else starts copying it,” Prestridge said. The second type of security breach is theft of data off a device, or theft of data as it’s being transmitted.

Either way, such theft is preventable, Prestridge told us. Using a security development environment called Embedded Trust, engineers can employ a certificate builder that lets them control limits on manufacturing, thus enabling product developers to protect IP. They can also leverage the secure hardware built into next-generation microcontrollers for IoT solutions, limit the number of people with access to application security, and encrypt applications to deter hackers.

At the session, titled How to Secure Your IoT Project, Prestridge will also discuss General Data Protection Regulations in Europe and pending legislation in the US that would affect IoT security. In addition, he will address ways for developers to be compliant with that legislation.

Such measures, he said, are rapidly becoming a necessity for IoT developers. Too often, he said, those developers mistakenly believe there’s no need for security because they see no obvious reason for hackers to want their data. But that reasoning is faulty, he said, because developers can’t always imagine why thieves might want data.

RELATED ARTICLES:

“Five years ago, people would say, ‘Why would anyone want to do that?’” Prestridge told us. “Now, they’re starting to realize that doesn’t matter. Sometimes people will do it just because they can.”  

Senior technical editor Chuck Murray has been writing about technology for 35 years. He joined Design News in 1987, and has covered electronics, automation, fluid power, and auto.