close
close

Roadmap for IoT device manufacturers

Posted on by darion

There are over 15 billion IoT devices worldwide, and this number is expected to reach 29 million by 2030, with more than half made up of consumer products such as baby monitors, smart watches and refrigerators. However, connectivity costs money. Data exploitation, privacy concerns and cyberattacks pose serious threats to users and manufacturers. To address this issue, the government has implemented the Cyber ​​Trust Mark program to help people easily identify products that meet security standards. The initiative provides manufacturers with a roadmap to improve safety and prepare for future requirements.

A key part of the Cyber ​​Trust Mark program is that devices must pass tests to ensure data security and privacy. Securing connected solutions presents unique challenges for manufacturers. While patching a network configuration problem is simple, software is often separated from the design processes of connected devices. This means that security testing takes place in the final stages of product design, making it difficult to build security from scratch.

Unlike computers and tablets, IoT solutions typically rely on unique operating systems with custom libraries and versions, making it difficult to test for known vulnerabilities. The comprehensive assessment includes verifying device interfaces against multiple encryption schemes, process versions, and attack vectors. Testing all possible configurations and interfaces can help determine the types of attacks to which a product may be vulnerable. But how do you do it? Below are some of the most sensitive components and the tools, technology and testing needed to protect them.

Vulnerability scanners enable design teams to check whether embedded components are vulnerable to cyberattacks. These automated tools analyze connected devices to create an inventory of all software, firmware, operating systems, code, open ports, and user credentials. After cataloging components, the scanner checks the bill of materials for known security risks, including common vulnerabilities and threats, weak credentials, and insecure network services.

These scanners are the first line of defense; however, they are not exhaustive. They are best used for quickly identifying common security vulnerabilities that would otherwise take up most of your testing time. This allows teams to focus on uncovering hidden issues while R&D prioritizes fixes (as required by most device security standards).

Fuzzers are systematic, automated testing tools that reveal some of the most hidden vulnerabilities. They inject random, corrupted, or malformed data into a program or device stack to see if the device under test is behaving unexpectedly, such as crashing, disconnecting, or generating an error message.

It is important to note that while testers see erratic response as a disadvantage, cybercriminals see an opportunity. Because IoT solutions lack multi-layered memory protection and security mechanisms, a forced error in one part will often impact others. In such a situation, a cybercriminal can take control of the device or disable it.

Brute-force attacks are among the oldest and simplest forms of cyberattacks and remain popular because many IoT products ship with weak or default passwords or embedded firmware fails to lock after repeated failed login attempts. Online scanners provide manufacturers with a simple way to defend against such attacks. These tools can test logins via multiple services, including SSH, FTP, FTPS, telnet, and Mongo, to ensure that your device is using custom, unique passwords by default. Additionally, they can simulate repeated login attempts to verify that the device does not allow more than three to five login attempts before locking out.

SSH, TLS, and SSL analyzers are network testing tools and are critical components of your cybersecurity compliance stack. The Cyber ​​Trust Mark requires proof that the product uses best practices for encrypting data in transit, and the best way to verify this is with network testing tools. In addition to checking whether the device is using the latest version of TLS, they scan for weak ciphers and cryptographic algorithms.

Like network testing tools, firmware analyzers are not traditional security tools. However, they are essential for checking the security aspects of the Cyber ​​Trust Mark standard from the very beginning. How else can you prove that the device verifies the authenticity of software updates or safely stores sensitive parameters? A scan of the device’s source code shows that design teams do not make changes at the end of the development cycle. Additionally, firmware analyzers can help teams easily detect missed issues, such as forgotten, built-in debug passwords.

The promises and pitfalls of self-certification

The final Cyber ​​Trust Mark certification specifications will be released in the fourth quarter of 2024. The FCC is expected to offer manufacturers multiple paths to compliance, including sending products to a certified lab or self-certifying them. This latter option will appeal to manufacturers because they can purchase a pre-certified, off-the-shelf solution or build their own test kit.

Using the above tools, you can build a custom compliance solution. However, putting them together requires extensive management and maintenance. Without significant investment in configuration and automation, planning, executing and documenting tests for certification is challenging.

Test management starts with combining your entire toolkit into a single test suite and dashboard. API integration ensures that your test management platform will always invoke the right tool to execute each test. You can then build automated scripts for each test and set pass/fail criteria according to the certification parameters. By doing this, you gain insight into why tests fail and how to ensure their success.

Maintenance is crucial; you need to check each tool for updates, load the latest version and check their operation. This includes multiple rounds of regression testing to confirm there are no configuration issues.

The power of compliance

Cyber ​​Trust Mark certified products will make a lasting impact on the market. However, it is important to remember that there is no right or wrong approach to compliance. The key is to prioritize the security of IoT solutions, which benefits everyone.

Mike Hodge is the Cybersecurity Solutions Leader at Keysight. A self-proclaimed geek, he believes that you don’t need pretentious jargon to write about technology. Breaking down complex topics like digital twins, cybersecurity, and software development into layman’s terms, he’s never met a story he wasn’t interested in telling. When he’s not working, Mike can usually be found exploring the Colorado wilderness with his wife and their floppy-eared dogs