With hype building around connected devices that range from smart refrigerators to networked TVs, the Internet of Things has already emerged as one of the year’s biggest technology trends. Research firm IDC has predicted that more than 200 billion devices will be connected to the internet by 2020. But even as the Internet of Things is expected to see rapid growth in the next few years, the security threats associated with more connected devices are growing as well. And the challenges for developers of embedded software in such devices are myriad.
Security firm Proofpoint recently released an analysis of one major cyberattack that occurred between Dec. 23 and Jan. 6, in which malicious emails were sent in bursts of 100,000 messages three times a day. Of those emails, more than a quarter were sent by gadgets that weren’t traditional computers or mobile devices, such as home routers, televisions and even a refrigerator. The findings were indicative of the challenges of protecting devices that don’t have the same security as conventional computers.
“Internet-enabled devices represent an enormous threat because they are easy to penetrate, consumers have little incentive to make them more secure, the rapidly growing number of devices can send malicious content almost undetected, few vendors are taking steps to protect against this threat, and the existing security model simply won’t work to solve the problem,” Michael Osterman, principal analyst at Osterman Research, said.
The challenges of securing devices
If manufacturers seem to be taking the issue lightly, it’s likely because there are some substantial challenges to securing Internet of Things devices. A variety of limitations make connected device security more complicated than the current approaches being used with more traditional devices, Gartner analyst Earl Perkins wrote in a recent blog post. Experts are still trying to figure out how traditional identity and access management might be used with IoT devices.
More broadly, these devices generally have physical limitations governing what can actually be done from a security standpoint, he noted. Securing IoT devices often requires a return to the programming mindset of the past, since the gadgets typically lack the user interface, memory and processing power needed to run advanced software. The hardware is also frequently designed to last for years at a time under harsh environmental conditions, with more of an emphasis on durability than on processing power. As a result, developers must design code carefully.
“Embedded systems design figures prominently into many of these devices, and those devices are often required to communicate and interact directly with other devices, thus requiring a multi-layered understanding of machine-to-machine communications,” Perkins wrote. “Creating a security plan for such devices isn’t as easy as it appears. Let’s just take one example. If you are interested in installing some client code on a device of the IoT, you’ll have to make sure you talk with the designers and programmers at the beginning of the cycle to even see if they have the memory and processing to handle it.”
The challenge of writing code for devices with limited memory has already come up as vendors have looked to add more encryption, for instance, Perkins noted. One approach that can be helpful in designing more secure embedded software is code refactoring. By trimming code down to its simplest form, developers can accomplish more with less memory. Although embedded software security on connected devices will continue to be a challenge, developers can begin to confront the problem by adopting a secure development lifecycle and using tools such as source code analysis and code refactoring software to simplify design.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.