A friend and colleague complains each time I post optimistically about the Internet of Things because, rightly so, he is very concerned about the lack of good security practices used by developers in the field.
His concern is quite valid. We’ve all heard about the takeover of a Jeep Cherokee through the vehicle entertainment system, the activation of a heart pacemaker’s cardioverter-defibrillator through the remote terminal, or the use of baby monitors to invade privacy.
Fortunately, all three of these cases were found by people studying IoT devices for vulnerabilities. Unfortunately, the fact that they found them so readily suggests there are most likely many more out there ripe for exploiting.
Let’s place the blame where it lies: at the feet of the software engineers who design and build the systems without fully considering the security and safety aspects of the end-to-end integrated system. We can no longer rely on the old 4+1 architecture views alone. Today, we need to supplement those with a security view used to assess the communication paths and how to keep them secure.
For those building systems, review the vulnerabilities identified by the Open Web Application Security Project (OWASP) to start your assessments.