Many consumer IoT companies failing to adopt fundamental security measures despite the threat of legislation and regulation

Latest report finds that providers of consumer IoT are less likely to have a readily detectable vulnerability disclosure policy in place than firms operating in the business-to-business space.

Published today (4 November 2021), the latest IoT Security Foundation (IoTSF) report examining the adoption of vulnerability disclosure in IoT – commissioned by the IoTSF and prepared by Copper Horse – finds little improvement on last year’s figures. The overall trend, while moving in the right direction, remains far short of what’s needed to bolster confidence in the security of IoT products. Given the persistently slow pace of voluntary adoption, regulatory wheels have started turning to force companies to think more seriously about their vulnerability disclosure processes.

Slow progress: 100% adoption is a long way off based on the survey results.

2021 headlines 

  • The adoption of vulnerability disclosure in the IoT sector remains unacceptably low (just 21.6% of firms surveyed had a readily detectable policy in place). Based on these findings, almost 4 out of 5 companies are failing to provide the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed. 
  • The slow pace of vulnerability disclosure adoption by IoT providers continues to put users at risk by failing to maximise the opportunity to close gaps in product security (the percentage of firms surveyed with a readily detectable policy in place is up just 2.7% on findings for 2020). 
  • Anticipating forthcoming legislation, only 21 out of the more than 300 IoT providers surveyed would meet modest regulatory requirements. 
  • Business-to-business IoT providers are much more likely to have a readily detectable policy in place compared with firms operating in the consumer sector. 
  • Lack of information is no longer an excuse for IoT providers as best practice guides have been updated and new tools made available to streamline putting a vulnerability disclosure policy in place.

Security benefits are too good to ignore 

Reporting a product security issue should be made simple so that a vendor can get to work on investigating and developing a fix as soon as possible. Coordinated Vulnerability Disclosure (CVD) policies cover all stages of the process, from advertising the correct point of contact through to the timescale for fixing any issues and recognition for any bugs discovered.

Vulnerability disclosure, backed by a Vulnerability Disclosure Programme (VDP), benefits multiple parties – governments, businesses, security researchers and customers – so much so, that the process is well on its way to becoming a mandatory requirement at an international level.

Free guides and online tools 

2021 has seen a jump in the provision of information to help firms, which includes the IoTSF’s updated Best Practice Guide and a time-saving policy-maker tool, developed by disclose.io. More details and links can be found in the report. 

Legislative wheels are turning 

With governments around the world turning to legislative and regulatory means to tackle the lack of improvement in the market, it is surprising to us that there hasn’t been an increase in the rate of adoption of CVD, particularly in the last year. These companies will find it difficult to sell their products if they don’t change their ways, and soon. 

David Rogers, the CEO of Copper Horse said, “The report provides measurable evidence of IoT manufacturer and brands’ lax attitudes towards security in general. There is nowhere to hide for these companies – international standards are there to be used and coordinated vulnerability disclosure is recognised good security practice. The question for consumers globally is: ‘why should I buy products from these companies if they don’t look after security?’”

Mapping IoT Security and Privacy Recommendations and Guidance to the Consumer IoT Standard ETSI EN 303 645

In 2018 we took on the task of mapping the IoT security standards and recommendations space to the UK government’s Code of Practice for Consumer IoT Security. This was done with the hopes of garnering a better understanding of the heavily fragmented space. Now that we are seeing worldwide adoption of ETSI EN 303 645, an international, European standard, we have refocused our mapping so that you can understand how different recommendations, standards and compliance schemes map to that standard.  

We are pleased to launch iotsecuritymapping.com, realigned to focus on the ETSI EN and carrying over all previously mapped documents from the existing site, including the UK Code of Practice itself (with the older versions of this work still available here). As well as the EN provision 5.1-5.13 maps and open data, there is a high-level relationship map covering all the organisations referenced within the documents we reviewed. This provides an excellent high-level view of which organisations and material are frequently referenced.

Once again, we’re making all the data available to use as open data as we really want to help people to use this information in their own organisations. 

Similar to our approach to the Code of Practice mapping site, we aim to update this regularly, as inevitably there were standards released during or after our research, and there are others we hope to include. However, for now at least, we are satisfied that this mapping helps people and organisations understand the commonalities between the numerous bodies and organisations creating standards and recommendations in this area, during a period of defragmentation and harmonisation. With legislation being pushed over the line in many countries, this is an exciting time for the space and we are hoping for even greater harmonisation than ever. The next steps for IoT security will be focused on conformance and compliance, so we’ll keep track of progress in that space too.

Considering the Future 

Comment from David Rogers: When we tweeted about the new site, we had a comment from Art Manion “I’m concerned that IoT security will sink under the weight and complexity. Any chance of avoiding this common compliance failure?”. It’s a view and concern that we share and goes back to our original rationale for creating the site. As an aside – one of the greatest moves in the UK work was to have the Code of Practice translated into the world’s major languages. It instantly removed barriers and friction to understanding and ultimately, adoption. In this space, we started out with massive fragmentation and no real common view on how to move forward – we had some approaches which were really deeply implementation specific versus super high-level guidance and even some that said we should just educate users. There were a lot of voices however saying the same thing and I’d spoken to a lot of those people and also worked on the technologies that had already been developed in the mobile industry to tackle these issues already. Where we are now is that we do have a harmonised view, we’ve successfully defragmented in a big way such that the major regions and countries of the world are looking at only a couple of (very similar) ways forward now in the consumer IoT space. The devil however is in the detail, as companies implement these standards they will want to do so in different ways. This is perfect because the last thing we wanted to do was to stifle innovation. However, that could (in theory) make compliance processes really cumbersome and complicated – or worse – useless and not worth the paper they’re written on. There has been a lot of work to try and break this down. ETSI’s conformance work for EN 303 645 is this standard – TS 103 701. It is prescriptive to a point and crucially doesn’t ultimately rely on a decision by a company not to implement the measures via a risk assessment. 
A risky approach but a necessary one in my view – for too long companies have not been doing any risk assessments or threat analysis and even if they have done, they’ve missed the real threats by a country mile. We really need a new approach that is more prescriptive in the short term. If this evolves over time beyond these baseline measures, I have no problem with that, but it is an effective solution for the problems we face today and in the near-term. Another final thing is that we haven’t bitten off more than we can chew when it comes to being tempted into looking at other IoT verticals such as industrial which has a lot of existing standards and safety concerns. 

There is no doubt we’ll get some edge cases. I’ve had to think about them a lot – in fact I painfully missed out on a day’s skiing on holiday while diving deep into the Bluetooth specifications and thinking about Smart TV child locks, while trying to find a way through the ‘default credentials’ problem. None of this stuff is easy, but I don’t think we need to be afraid of playing hard ball on the basics. We’ve had a few decades of this stuff not being designed properly and we have technical solutions that can fix those. 

Visit the new site here

Preventing Insecure Connected Products Being Sold

Work on improving security in the Internet of Things (IoT) continues apace! The UK government has reached another milestone in its mission to make the country one of the most secure places to do business and to live in, with the release of proposals for regulating the cyber security of smart products. They are well worth a read and provide a good steer as to what the future of insecure connected products will look like when we collectively say ‘Enough is enough’.

This Call for Views invites feedback until early September 2020 on a range of options as the government moves towards legislation based around the top 3 items in the UK’s Code of Practice for IoT Security:

1) To eliminate the problem of default passwords.
2) To ensure that companies in the IoT space have a way for security researchers to be able to contact them to report vulnerabilities in products.
3) To be transparent to consumers about how long software updates will be available.

These are anchored in the recently approved European standard for IoT security, ETSI EN 303 645 which has the support of industry and governments across the world, marking a significant harmonisation of views on how the problem should be approached.

The Call for Views outlines the aims of the government – to achieve an outcome where there are no products available on the UK market that are non-compliant with the above. In simple terms – you shouldn’t be able to buy a product that has not been designed securely.

This is of course just the start. The items above are fundamental, but there are many different types of security that should be built into products; it’s just that some manufacturers of products and services choose not to do that. You wouldn’t allow a food manufacturer to supply to shops if they hadn’t taken basic sanitation measures, so why should that be allowed in the smart product space?

Proposed Scope

The scope of products included is broader than IoT products and covers the scope of nearly all the connected products you could find in a home, including laptops and mobile phones. As PCs and mobile phones have been under attack for many years now, the product security in those industries is significantly mature and it really shouldn’t be an issue for those companies to conform to the basics because they’re already doing them.

The core scope is the connected products that everyone has concerns about – children’s toys, cameras, appliances such as fridges or washing machines, safety-relevant products such as connected door locks and so on as well as IoT ‘hubs’.

One area that has been a significant concern for many years is home routers. These rarely get updated and often stay in place in homes for many years without being touched. If they’re compromised, they can create a big issue to users because they’re the point of entry to the home and everything else that is connected, but equally, compromised routers and other equipment at scale can create harm to others across the world by being part of other types of attack.

The proposed scope also covers home workers by including things like printers and office equipment that you might find in both a home or office. This is particularly relevant as businesses have shifted their workforces to home during the Covid-19 crisis.

Things that are out of scope are so because there is existing or forthcoming regulation in those domains – for example, smart Electric Vehicle (EV) Chargers, Smart Meters and medical devices.

Enforcement

The work laid out in the proposals sets out the obligations on Producers and Distributors, formalising the language that has been used thus far such that it forms the basis of a legislative and regulatory framework governing people who make products but also those that sell them into the UK. It also means that there must be a way to test and declare compliance of these products. This comes at a good time as the EU Cyber Security Act will also require such action to take place across lots of different types of networked products. The proposals also lay out when they expect companies to be compliant – it is proposed that everything must be in place by 9 months following Royal Assent of legislation. The implication is that companies have had long enough and enough warnings that these practices are simply not acceptable.

The list of proposed enforcement actions aligns with other existing ways of removing products from the market – i.e. issuing compliance notices, through to enforcement with real teeth: it is proposed that order breaches are contempt of court which carries a maximum penalty of a fine and two years’ imprisonment. Forfeiture and destruction of products are also on the table as well as financial penalties – the fine amounts are to be determined but a note states that other regulations consider fines of up to 4% of annual worldwide turnover (a clear reference to the EU data protection regulation GDPR). This alone shows that the intent is for the regulation to have real teeth and that the government means business. The ‘Avengers’ team of superheroes working on this project at DCMS and NCSC have done a fantastic job once again, supported by lots of other government departments. Especially now as well – ‘Quiet Batpeople’ is certainly not the right term, but these individuals have all also been volunteering to deal with various aspects of the Covid-19 response, so to deliver this work as well is a huge achievement!

Mapping the Global Direction and Understanding of IoT Security

Understanding where everyone stands on this from a technical perspective is a tough job. I am lucky to have a fantastic team who have been working on doing just that. We have continually been monitoring the progress of IoT security recommendations and standardisation and will continue to do so. Our work can be seen at https://iotsecuritymapping.uk. We recently added recommendations from Australia, Singapore, California’s new law on connected device security and the US National Institute of Standards and Technology (NIST)’s Device Cybersecurity Capability Core Baseline. There are more documents being mapped soon and we’re tracking work from Brazil, to India, to proposed legislation in the US State of Oregon.

We have noticed that there is defragmentation of ideas and recommendations happening across the world as there is a greater collective understanding of the problem domain and how to solve it. The mappings that we have recently created show strong alignment against the top 3 items listed above. We have also observed that whilst some countries are slightly less mature than the UK in tackling the issue, they can benefit from the international standardisation that has taken place and are starting to adopt and endorse this already. Truly we can adopt a global stance that it is unacceptable to provide connected products without even considering the basics of product security.

The Call for Views is open until the 6th of September 2020 and anyone can give feedback on the proposals to DCMS at: securebydesign@dcms.co.uk.

Here’s some more background material if you’re interested in further reading:

Legislating for Security in Consumer IoT

Copper Horse CEO, David Rogers discusses today’s UK government announcement on legislation for consumer IoT security.

Today marks another step along the road for IoT security – the teeth of legislation and regulation to deal with companies that do not implement security in their consumer IoT products. It is likely that the UK will become the first country in the world to legislate on IoT security.

In May 2019, the UK government launched a consultation into regulation for the security of consumer IoT. The consultation is now complete, with 49 responses and a decision to move ahead with legislating for the top 3 items from the Code of Practice for Consumer IoT Security and ETSI TS 103 645 (pdf). Work is ongoing to bring the ETSI TS to a full European Standard or EN – the draft EN is currently out for review (pdf) until the end of February with National Standards Organisations.

For everyone, the time to act is now

From a personal perspective, I really think this is a huge step. Over the past couple of years I’ve been privileged to work with a fantastic team at DCMS and the NCSC who have been really motivated to help people and understand the problem space. The consumer support for legislation is there and we know that security can be implemented by manufacturers because some companies are already doing it and the security technology is available to be used. We already knew what good looked like – we just wrote it down and prioritised it. What we’ve seen is support from a number of countries and organisations and a recognition that acting now to address the fundamental security concerns is the right way forward.

We also know to a certain extent what the real situation is like in the market. In 2018, we conducted research on behalf of the IoT Security Foundation which showed that fewer than 10% of the manufacturers we surveyed had any way for a security researcher to contact them. The results of our follow-up survey are out this quarter and will reflect a broadly similar situation. Security by design is a concept that some companies choose to ignore because they think that they can get away with it or it doesn’t matter. Well, if you want to ship products to the UK in the future, you had better get your act together pretty quickly.

Considerations

One of the things that I think we need to be aware of is the danger of penalising ‘good’ manufacturers, rather than the rogue ones. I’ve seen this before with work I’ve done against counterfeit and so-called ‘sub-standard’ electronic products. Some measures that are proposed against counterfeit only increase the cost for the ones who will abide by the rules anyway, while the rogue ones get away with continuing to do nothing. In this case, I think we have the balance right. The measures being put forward are a foundational baseline, these are things that are really fundamental, but if not implemented can cause huge consumer harm. Default passwords in consumer devices in this day and age are well, pretty stupid when there are better, safer alternatives for enrolling users to devices and for initiating products from factory defaults. What we’re also asking for is transparency:

  • in access – for security researchers who want to report vulnerabilities to manufacturers easily; and
  • about the minimum length of time that devices will get security updates.

Both of these areas will serve to demonstrate a responsible, public commitment by manufacturers to addressing and resolving discovered security issues. Primarily, manufacturers should be honest towards consumers.

Last year when we created our mapping website, https://iotsecuritymapping.uk, we set out both to help manufacturers understand how the UK’s Code of Practice mapped to the existing body of work and guidance on IoT security and privacy, and to provide some reassurance that what we were saying was not unusual – in fact, there was a broad consensus on what we were recommending; the fragmentation was really just in the semantics of how documentation from across the world was written. We made that available as open data precisely to help in the process of defragmentation and facilitation of common understanding. The decision by DCMS to translate the Code of Practice into multiple languages reduced the barrier to entry and understanding and acknowledged the truly global nature of both the electronics and software supply chain as well as the designers, security experts and security researchers across the world.

Next steps

The next few months are going to be hard work. My own anxiety is that there will also always be edge cases – those points at which adjustments need to be made or possibly where we haven’t considered certain use cases. I’m certain that the team working on it are conscientious and will work to understand manufacturer concerns and the feedback from the public consultation. Ultimately in all of this, we have had a choice – sit on our hands and wait for things to get worse, or get on and do something and make the world a safer place. We chose action over procrastination.

More reading on this topic:

Copper Horse and Arm launch white paper on IoT security by design

“If you’re looking to deploy IoT, you need to do it right from the start and you need to think about what happens with that product throughout its lifetime, until you sunset it,” David Rogers MBE – founder of Copper Horse and author of the UK’s Code of Practice for Consumer IoT Security – told listeners at yesterday’s launch webinar (available to watch on-demand). “That means working with suppliers and partners who you can trust will take the right approach to security and platforms.”

Arm commissioned Copper Horse to offer an impartial guide to IoT security by design, and the 19-page white paper guides readers on how to appropriately and securely manage solutions at scale.

“If you’re deploying IoT in any kind of environment – for example, consumer, automotive, agricultural, industrial or medical, you need to consider security from the beginning,” David reiterates. “Regulation is coming so it can’t be ignored.”

Topics covered in the briefing include: the threat landscape; future regulation; software updates and device management; public key infrastructure (PKI); end-of-life and decommissioning; and a reminder on identifying and eliminating bad practices.

Full details can be found at – https://learn.arm.com/securingiotbydesign.html.

Mapping New IoT Security Recommendations

In late 2018, to coincide with the launch of the UK’s Code of Practice for Consumer IoT Security we launched a website: iotsecuritymapping.uk which mapped IoT recommendations and standards from around the world. Our previous blog explains more of the detail. Earlier this year, we updated the site to include the European Telecommunications Standards Institute (ETSI) Technical Specification, TS 103 645 (pdf) which originated from the Code of Practice.

Today we have launched an updated version of the mapping site which stretches the landscape further with a number of new recommendations from around the world. These have either been sent to us as a result of people hearing about the original mapping work or work that we’ve seen launched since then.

The Windsor landscape towards the Copper Horse

The following additional recommendations are added, from all over the globe including Japan, South Korea and the USA:

Some recommendations we looked at had been updated, but these were either minor editorial changes or changes not relevant to mapping against the Code of Practice; in these cases, the mapping was not updated.

Updating the External References

One useful thing we created last time was a mapping of external references from the recommendations – it is quite useful to understand where things are happening, which bodies are at least judged to be the most relevant. We’ve further updated this and it is no surprise that organisations like the IETF with massive contribution from industry are the most referenced and essentially used while other organisations like the ITU who try and lay claim to IoT are hardly referenced. We believe this work is the first time that any organisation has attempted to lay out these relationships, to break open the marketing hyperbole with real, factual data.

What are we observing and what does it mean?

There is a broad consensus on what needs to be done in IoT security, which is quite nice to see. Pretty much everyone who is looking at the problem is saying the same thing in different ways. The consumer space seems to be a common starting point because that is where the problem is most visible, but clearly the majority of this work provides a common foundation which is applicable across all IoT ‘verticals’ from industrial IoT, to connected cars.

There are differences in the level of abstraction in recommendations – some are very detailed, others at a high level. This is not a massive problem, it is just that more detailed and specific recommendations can be a real barrier to adoption. It can also affect innovation because detailed specifications tend to deal with the status quo of what exists now. They fail to consider or accommodate the possibility that someone could create something securely without doing exactly what has been put into a bit-level recommendation or standard. It can also affect organisations implementing security in the first place because detailed specifications look daunting. A high level recommendation is easier to access and implement (within the spirit of what is being asked), however it suffers from the fact that people could pay lip service to it or that more detail may be necessary to stop people doing something insecure. We need to find a happy medium between the two approaches for real security success in such a varied market as IoT.

The gaps between the specifications are going to get interesting – where is there divergence and why is that? This looks to be a key piece of work for the future and we may explore that in the coming year.

Keeping the site updated

We’ll keep updating the mapping site until there is a natural end. There is work ongoing which will rationalise these efforts at an international standards level. Once that has happened and there is consensus, we’ll have hopefully achieved what we set out to do – unification and defragmentation of IoT security; at least for the fundamental foundations. We hope you find the latest update useful and do please keep sending your feedback to us.

ETSI publishes European Standard on Consumer IoT Security

David Rogers writes about the launch of the specification: ‘Cyber Security for Consumer Internet of Things’ from ETSI’s TC Cyber group.

Today the European Telecommunications Standards Institute (ETSI) announced the publication of their ETSI Technical Specification, TS 103 645 (pdf).

This work builds on the UK Code of Practice for IoT Security and has had input from experts around the world. It is great that this work has been elevated up to European level and published as a standard. This means a much wider technical audience and crucially, official endorsement at European level by companies and governments.

The discussions during the specification development were very rational, and some of the supporting text was promoted into provisions within the specification, making the overall work stronger. For example, wording that could be considered ambiguous from a technical standpoint has been clarified and considered at length by me and others. This means that whilst we still see this as a high level specification, we’ve also tried to further pin down what we’re trying to say, all whilst trying to ensure that we avoid unintended consequences and companies deliberately trying to avoid putting security into their products via loopholes.

These efforts will continue. During the specification process, there were some really good proposals brought forward on some deep technical aspects about IoT security and privacy that we see as being potential spin-off work items in ETSI – I’m keeping track of what those topics were. There are also things that some of us would like to bring into the Code of Practice for future revisions, such as consideration by manufacturers of issues such as coercive or controlling behaviour which can be compounded by IoT in the home. All these things are for the future, but the great thing is the enthusiasm is there from some brilliant minds both in government and industry, so watch this space!

The IoT Security Mapping site has also been updated to reflect how the ETSI specification maps to the UK Code of Practice in order to help implementers understand how it all fits together, including against other recommendations and specifications from around the world.

What are your devices saying about you?

In our recent blog, Ryan Ng wrote about new Smart Home connected devices being developed and sold in 2018. There are many new and innovative ways to improve our lives using technology appearing in stores and on crowdfunding platforms such as Kickstarter every day. The majority of these devices interact with mobile apps, whether to send notifications or to allow the user to control functionality, and they often require a hub to connect them to the wider internet. Smart speakers and thermostats are now being used as hubs to connect other smart home appliances. Many of these devices, such as PIR or door open/close sensors, run on coin cell batteries which are expected to last multiple years, and for this they need to use a low powered radio network to communicate with their hub. The Bluetooth and Zigbee radio protocols are widely used in this area, with well-defined standards and optimisation of power usage to maximise battery life.

We thought it would be interesting to buy some tools and see what data we could capture.

Bluetooth and Bluetooth Low Energy (which is a subset of Bluetooth 4.0) are maintained by the Bluetooth Special Interest Group and run on 2.4 GHz. Bluetooth Low Energy was designed to provide much reduced communication overhead and power drain whilst offering a similar range of communication.

We purchased an Ubertooth One from Great Scott Gadgets.

The Ubertooth One is “an open source 2.4 GHz wireless development platform suitable for Bluetooth experimentation”. The device allows us to promiscuously sniff packets of Bluetooth data using a tool such as Wireshark, but something we found much more interesting is the open source project BlueHydra available on GitHub. BlueHydra is a Bluetooth discovery service built on top of BlueZ, the official Linux Bluetooth stack. Using these tools allows us to track Bluetooth devices as they pass by with BlueHydra showing us how often the devices are in our vicinity, how close and in many cases who the manufacturer of the device is. Devices can be detected even when Bluetooth is not in discoverable mode!

Functionality can be further extended with simple Python scripts such as ble_finder.py, written by Troy Brown and Garrett Gee, which allows you to create a list of Bluetooth devices to be monitored and will alert you when a device is detected in close proximity to the Ubertooth One.
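To make concrete what a passive listener learns from a single advertising packet, here is an added Python example (not code from the original post, nor from BlueHydra or ble_finder.py) that decodes raw BLE link-layer advertising PDUs and reports the metadata a product maker should check before shipping: whether the address is fixed or rotates, any broadcast name, the manufacturer company ID, and whether the device is still advertising while flagged non-discoverable. The sample PDU bytes are constructed and the company-ID table is a partial excerpt, both assumptions for the example.

```python
"""Decode BLE link-layer advertising PDUs and report the privacy-relevant
metadata each one exposes. Assumes raw PDUs (header + AdvA + AdvData) as a
sniffer such as Ubertooth hands to Wireshark; samples below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Advertising PDU types (low nibble of the first header byte).
PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND",
             0x2: "ADV_NONCONN_IND", 0x6: "ADV_SCAN_IND"}
# AD types from the Bluetooth Generic Access Profile assigned numbers.
AD_FLAGS, AD_SHORT_NAME, AD_COMPLETE_NAME, AD_MANUFACTURER = 0x01, 0x08, 0x09, 0xFF
# Partial excerpt of Bluetooth SIG company identifiers (assumed lookup table).
COMPANY_IDS = {0x0006: "Microsoft", 0x004C: "Apple", 0x0059: "Nordic Semiconductor"}


@dataclass
class Advertisement:
    pdu_type: str
    address: str
    address_kind: str
    flags: Optional[int] = None
    local_name: Optional[str] = None
    company_id: Optional[int] = None
    company_name: Optional[str] = None

    @property
    def discoverable(self) -> bool:
        # Flags bits 0/1 = LE Limited / LE General Discoverable mode.
        return self.flags is not None and bool(self.flags & 0x03)

    @property
    def trackable(self) -> bool:
        # Public and random static addresses never rotate, so a passing
        # sniffer can recognise the same device day after day.
        return self.address_kind in ("public", "random static")


def classify_address(adva: bytes, tx_add: int) -> str:
    """AdvA is sent least-significant byte first; the top two bits of the
    most-significant byte distinguish the random address sub-types."""
    if tx_add == 0:
        return "public"
    return {0b11: "random static", 0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(adva[5] >> 6, "reserved")


def parse_ad_structures(data: bytes) -> List[Tuple[int, bytes]]:
    """Split AdvData into (AD type, value) pairs; each structure is
    [length][type][value...] and a zero length terminates the data."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break
        if i + 1 + length > len(data):
            raise ValueError("truncated AD structure")
        out.append((data[i + 1], bytes(data[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def parse_adv_pdu(pdu: bytes) -> Advertisement:
    if len(pdu) < 8:
        raise ValueError("PDU too short for header plus AdvA")
    pdu_type, tx_add, length = pdu[0] & 0x0F, (pdu[0] >> 6) & 1, pdu[1]
    payload = pdu[2:2 + length]
    if len(payload) != length or pdu_type not in PDU_TYPES:
        raise ValueError("bad length field or unsupported PDU type")
    adva = payload[:6]
    adv = Advertisement(PDU_TYPES[pdu_type],
                        ":".join(f"{b:02X}" for b in reversed(adva)),
                        classify_address(adva, tx_add))
    if pdu_type == 0x1:  # ADV_DIRECT_IND carries TargetA, no AdvData
        return adv
    for ad_type, value in parse_ad_structures(payload[6:]):
        if ad_type == AD_FLAGS and value:
            adv.flags = value[0]
        elif ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            adv.local_name = value.decode("utf-8", "replace")
        elif ad_type == AD_MANUFACTURER and len(value) >= 2:
            adv.company_id = int.from_bytes(value[:2], "little")
            adv.company_name = COMPANY_IDS.get(adv.company_id)
    return adv


def privacy_report(pdus: List[bytes]) -> List[str]:
    """One line per PDU summarising what an observer learns from it."""
    lines = []
    for adv in map(parse_adv_pdu, pdus):
        exposed = []
        if adv.trackable:
            exposed.append("fixed address")
        if adv.local_name:
            exposed.append(f"name '{adv.local_name}'")
        if adv.company_id is not None:
            exposed.append(f"company 0x{adv.company_id:04X} ({adv.company_name or 'unknown'})")
        state = "discoverable" if adv.discoverable else "non-discoverable but still advertising"
        lines.append(f"{adv.address} [{adv.address_kind}] {adv.pdu_type}: {state}; "
                     f"exposes {', '.join(exposed) or 'nothing identifying'}")
    return lines


# Constructed sample PDUs (not real captures).
SAMPLE_PDUS = [
    # ADV_IND, public address, general discoverable, name "Sensor-1", company 0x0059
    bytes.fromhex("0019" "5544332211C0" "020106" "090953656E736F722D31" "05FF59000102"),
    # ADV_NONCONN_IND, resolvable private address, flags 0x04 (not discoverable)
    bytes.fromhex("420E" "9A785634125A" "020104" "04FF4C0010"),
    # ADV_SCAN_IND, random static address, flags only
    bytes.fromhex("4609" "0700000000D3" "020104"),
]

if __name__ == "__main__":
    print("\n".join(privacy_report(SAMPLE_PDUS)))
```

Only the first device rotates nothing and broadcasts a name, which is the combination that lets a bystander both identify and re-identify it; the second shows that a resolvable private address limits tracking even though the device is still on the air.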

We also purchased a Zigbee packet analyser a few years ago for a project before Zigbee became so popular in Smart Home systems. Based on IEEE 802.15.4, Zigbee is a low powered radio standard developed and maintained by the Zigbee Alliance with most devices running at 2.4 GHz, with some other regional frequencies available (784 MHz in China, 868 MHz in Europe and 915 MHz in the USA and Australia).


The device was manufactured by Freescale, which merged with NXP in 2015. The analyser we’re using is an NXP USB-KW24D512. Using this device, the Kinetis Protocol Analyser Adapter software provided by NXP and Wireshark, we’ve captured data packets exchanged between an Amazon Echo Plus and Philips Hue smart light bulbs, and also between Samsung SmartThings and its sensors. Although this data is encrypted, it does allow us to scan for Zigbee-based Smart Home devices around us and, as every device is allocated its own Device Network ID, we can see how many devices someone has in their home.
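The reason an encrypted Zigbee capture still reveals how many devices a home has is that only the application payload is encrypted; the IEEE 802.15.4 MAC header, the Zigbee NWK header (PAN ID, 16-bit network addresses, radius, sequence number) and the auxiliary security header (frame counter and, with the extended nonce, the sender's IEEE address) all travel in the clear. The following added example, which is not the post's own code and not part of the Kinetis Protocol Analyzer software or Wireshark, parses those cleartext headers from a captured data frame and counts distinct source addresses per PAN. Layouts follow the 802.15.4 and Zigbee specifications; the sample frames are constructed, with the FCS omitted, arbitrary payload bytes and a placeholder 02:00:00:... extended address.

```python
"""Cleartext headers of a captured Zigbee data frame.

Added example for this post; it is not the post's own code and not part of
the Kinetis Protocol Analyzer software or Wireshark.  Layouts follow the
IEEE 802.15.4 MAC header and the Zigbee NWK header and auxiliary security
header.  The sample frames are constructed: the FCS is omitted (the adapter
has already checked it), the payload bytes are arbitrary and the
02:00:00:... extended address is a placeholder.
"""
import struct

# Zigbee zeroes the level sub-field of the auxiliary header on air; the
# receiver applies the network's configured nwkSecurityLevel instead.
# Level 5 (AES-CCM* encryption with a 32-bit MIC) is the Zigbee default.
MIC_LENGTH = {0: 0, 1: 4, 2: 8, 3: 16, 4: 0, 5: 4, 6: 8, 7: 16}


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("<H", buf, off)[0]


def parse_zigbee_data_frame(frame: bytes, nwk_security_level: int = 5) -> dict:
    """Return the cleartext MAC/NWK/aux-header fields of one data frame and
    the size of the encrypted remainder."""
    # ---- IEEE 802.15.4 MAC header ----
    fcf = _u16(frame, 0)
    if fcf & 0x7 != 1:
        raise ValueError("only MAC data frames are handled")
    if (fcf >> 10) & 0x3 != 2 or (fcf >> 14) & 0x3 != 2:
        raise ValueError("only 16-bit short addressing is handled")
    pan_compression = (fcf >> 6) & 1
    off = 3                                    # FCF + sequence number
    dst_pan = _u16(frame, off); off += 2
    mac_dst = _u16(frame, off); off += 2
    if not pan_compression:                    # source PAN id also present
        off += 2
    mac_src = _u16(frame, off); off += 2

    # ---- Zigbee NWK header ----
    nwk_fcf = _u16(frame, off); off += 2
    if nwk_fcf & 0x3 != 0:
        raise ValueError("only NWK data frames are handled")
    if (nwk_fcf >> 8) & 1 or (nwk_fcf >> 10) & 1:
        raise ValueError("multicast / source-routed frames are not handled")
    secured = bool((nwk_fcf >> 9) & 1)
    nwk_dst = _u16(frame, off); off += 2
    nwk_src = _u16(frame, off); off += 2
    radius, nwk_seq = frame[off], frame[off + 1]; off += 2
    if (nwk_fcf >> 11) & 1:                    # destination IEEE address
        off += 8
    if (nwk_fcf >> 12) & 1:                    # source IEEE address
        off += 8

    info = {"pan_id": dst_pan, "mac_src": mac_src, "mac_dst": mac_dst,
            "nwk_src": nwk_src, "nwk_dst": nwk_dst, "radius": radius,
            "nwk_seq": nwk_seq, "secured": secured, "frame_counter": None,
            "ext_src": None, "ciphertext_len": 0, "mic_len": 0}
    if not secured:
        info["plaintext_len"] = len(frame) - off
        return info

    # ---- auxiliary security header (also cleartext) ----
    sec_ctrl = frame[off]; off += 1
    key_id, ext_nonce = (sec_ctrl >> 3) & 0x3, (sec_ctrl >> 5) & 1
    info["frame_counter"] = struct.unpack_from("<I", frame, off)[0]; off += 4
    if ext_nonce:                              # sender's 64-bit IEEE address
        ext = frame[off:off + 8][::-1]; off += 8
        info["ext_src"] = ":".join(f"{b:02X}" for b in ext)
    if key_id == 1:                            # network key: key sequence number follows
        off += 1
    info["mic_len"] = MIC_LENGTH[nwk_security_level]
    info["ciphertext_len"] = len(frame) - off - info["mic_len"]
    return info


def devices_seen(frames) -> dict:
    """Distinct NWK source addresses per PAN: the addresses stay in the clear
    even though every payload is encrypted."""
    seen = {}
    for frame in frames:
        hdr = parse_zigbee_data_frame(frame)
        seen.setdefault(hdr["pan_id"], set()).add(hdr["nwk_src"])
    return seen


# Constructed frame: device 0x3F9C in PAN 0x1A62 sending to the coordinator.
FRAME_A = bytes.fromhex(
    "6188" "2a" "621a" "0000" "9c3f"                # MAC: data, PAN compression, short addrs
    "4802" "0000" "9c3f" "1e" "7b"                  # NWK: data, v2, secured, radius 30
    "28" "34120000" "0100000000000002" "00"         # aux: net key, counter 0x1234, ext src, key seq
    "deadbeef00112233" "a1b2c3d4")                  # encrypted APS payload + 32-bit MIC
# Same network, a second device (short address 0x1B4E) talking to the coordinator.
FRAME_B = FRAME_A[:7] + b"\x4e\x1b" + FRAME_A[9:13] + b"\x4e\x1b" + FRAME_A[15:]

if __name__ == "__main__":
    print(parse_zigbee_data_frame(FRAME_A))
    print({hex(pan): sorted(map(hex, devs)) for pan, devs in devices_seen([FRAME_A, FRAME_B]).items()})
```

Note what the parser never gets at: the APS payload and the MIC are opaque without the network key, which is why the post can count devices and see who talks to whom but not read sensor values or commands.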


In Zigbee, the protocol is designed not to leak information beyond the initial pairing process, which prevents arbitrary traffic analysis. In Bluetooth, however, when one device communicates with another, e.g. a Fitbit with a phone, the traffic can be observed, which gives at the very least metadata about user habits, such as what time they get up in the morning. This is not good for user privacy.

Discussing the UK government’s Code of Practice for IoT Security and the Future


Copper Horse’s CEO, David Rogers, had a chat with Rocco’s Jason Bryan for the Rocco Radio Newsdesk about the launch of the UK government’s Secure by Design report and the Code of Practice on IoT security. The government’s Secure by Design report is available here.


The podcast covers a range of topics including:

  • the UK government’s work to protect UK consumers:
    • how work from the mobile industry can be carried over into the IoT world
    • what circumstances and threats led to the work being created
    • the thinking behind the work
    • what other standards bodies and organisations are doing in the IoT security space
    • the details of the Code of Practice, including vulnerability disclosure, software updates and eliminating default passwords
  • the implications of security attacks on network operators
  • machine-to-machine and IoT concerns
  • identifying insecure products and what “insecurity canaries” are
  • product labelling and future smart approaches to digital labelling
  • the use of digital certificates and the challenges of counterfeiting
  • certification of devices, including those with embedded SIMs, and how that might work
  • regulation and what might happen in the future
  • design approaches
  • safety in IoT and the future risks of death
  • signalling storms, resilience and future attacks on network operators
  • SLAs in business relationships between network operators to guarantee safety in IoT
  • why smaller network operators need to pay attention to IoT security

If you’re interested in learning more about IoT security, we run an IoT security training programme led by David. Click on the link below for more details:


Why you and your staff need to skill up on IoT security

David Rogers with training delegates on the Introduction to IoT Security course

There have been a lot of problems with IoT from the outset. IoT is a marketing catch-all term, and the truth is that many of these devices have been connected for years; it is only now that attention is being paid to them, by both security researchers and the bad guys. There is a whole set of new devices coming to market which, incredibly, harbour some of the same issues as very old devices, making them very dangerous from a security perspective. Attack techniques have moved on significantly, meaning that leaving old vulnerabilities around can be catastrophic. We’ve devised a training course dedicated to helping you understand these risks.


IoT is unique in that it is being adopted by nearly every product and service sector, right across the world. The fast-paced implementation of these solutions is leading to some pretty bad decisions across the technology ecosystem. From internet-connected toys to connected fish tanks, bad configuration, insecure hardware and basic software design errors have created a toxic view of the security of IoT and the products on sale. The scary thing is that we do in fact know how to fix these problems, and in a lot of cases the technology and methodologies to address them already exist; we just need to actually do it, and do it properly – a secure-by-default approach to IoT security.


Do something now

The ship has already sailed on whether or not it’s appropriate to put security in a product – you have to do it, or your product and company will ultimately fail. The time to act is now – get yourself and your staff skilled up and ensure that your company and products are actually fit for purpose in the IoT age. We’ve teamed up with the IoT Security Foundation to provide an Introduction to IoT Security course, with no prerequisites. It is suitable for all levels, so sign up here and help make the world a bit more secure!


So what are the benefits of coming on the Introduction to IoT Security course?

You’ll understand the basics of what you need to do about your devices – right from the hardware up the technology stack to ensuring that you’re communicating securely and that the other components, such as mobile applications and cloud services, are being secured properly too.


We’ll share with you cutting-edge knowledge from the front line of IoT developments, and we have our own first-hand experience to impart. As well as teaching you how best to secure your products and services, you’ll get some hands-on exposure to well-known IoT hacking techniques, giving you the attacker’s point of view. We’ll also show you how to implement a vulnerability disclosure policy, how to monitor your product security and how to get your products and services ready for certification through the IoT Security Foundation.


For more: Introduction to IoT Security Training course details.