The many IoT threats and how designers can be prepared

This article originally appeared in the April '22 magazine issue of Electronic Specifier Design – see ES's Magazine Archives for more featured publications.

While this exponential growth of technology has provided greater convenience and accessibility for users, systems and devices can be vulnerable to cyber security threats. In particular, consumer-grade connected devices may unintentionally become an easy target for a cyber attack, which could threaten a user’s security and data privacy. Therefore, it is vital that product designers, manufacturers and retailers understand these risks, and are aware of the relevant regulations devised to offer protection and how to comply with them.

Manufacturers of devices that fail to recognise and meet cyber security expectations could incur severe losses, such as financial damages, legal penalties, brand erosion, or even injury or loss of life.

However, reports of growing numbers of cyber breaches are on the rise as every connected network is only as secure as its least secured device on the system. If a smart device is vulnerable, it could easily be hacked, and private data could be compromised or lost.

For example, in 2020, security researchers tested a popular brand of smart light and discovered that they could successfully hack into a homeowner’s computer network. The hack could easily have enabled someone to gain entry to the network and introduce malicious code.

Additionally, in 2019, researchers uncovered a security vulnerability in a smart lock that could leave a home open to attacks. Further investigation revealed that potential hackers could intercept network traffic between the mobile app and the smart lock – meaning, in essence, they could steal the keys to someone’s home ‘out of thin air’. As the smart lock’s firmware was not designed to facilitate updates, the only way to secure the house was to buy a more secure and updatable lock.

These are just some of the many real-life attacks that have been reported around the world. It is absolutely vital that manufacturers have ways of protecting and updating their products over the air, which is where designing and testing to applicable standards is shown to be very important.

Emerging standards and regulation on consumer IoT products

With the rise of IoT and related technologies, new regulatory stockholdings are increasingly being deployed globally. Consider the USA’s the Internet of Things (IoT) Cyber Security Improvement Act 2020. The Act requires agencies to increase cybersecurity for IoT devices owned or controlled by the federal government. The states of California and Oregon have already mandated cybersecurity provisioning for IoT devices.

In Europe, the European Telecommunications Standards Institute (ETSI) rolled out the IoT cyber security standards EN 303 645 in 2020. This outlines a series of protection provisions aimed at providing a baseline of protection.

Aside from IoT and cyber security-related standards, manufacturers must also adhere to data privacy regulations under GDPR (the General Data Protection Regulation) in which users must be informed of the data that their devices will collect, how the data is used, and what it means to the user.

Challenges faced by device manufacturers

Any and all manufactures of consumer IoT (CIoT) devices should be required to have a higher level of technological sophistication compared to those who develop unconnected devices. Manufacturers therefore face the challenge of the three Cs: connectivity, compliance, and cybersecurity.

There are many aspects to connectivity that CIoT manufacturers must consider, and they need to ensure that there is a seamless flow of information – both to and from their devices – that is always available. To keep up with the ever-changing technologies, constant upgrades are also required for the device in question. In terms of connectivity, CIoT devices must also be able to coexist with other devices in the crowded, mixed-signal environment.

Moreover, to ensure a competitive launch date and smooth global market entry, manufacturers of such technology must ensure compliance with the most up to date regulatory requirements. Ensuring the cybersecurity of a device may even be the most difficult design challenge of them all.

The growth in the number of connected devices and the use of new technology has led to fresh threats surfacing quickly and unseen. A critical analysis of emerging threats will help manufacturers to understand the investment needed for appropriate mitigation strategies.

Some typical threats that manufacturers face include malware (software programs designed to execute unwanted and unauthorised action on systems). Weak or default passwords are also a critical threat as the use of poor login credentials leads to an easy compromise – granting the attacker full authorisation. The leakage of sensitive data can also allow cyber criminals to gain unauthorised access to cause chaos and financial loss.

Other threats include attacks on privacy, which affects both the privacy of the user and the exposure of network elements to unauthorised entities. The threat method known as ‘eavesdropping’ is also a problem: this is where someone takes advantage of network communications to steal information shared or sent through digital devices.

There are also more sophisticated attacks designed for a specific target, and they are launched over a significant duration and carried out in stages. These types of attacks aim to collect as much sensitive data, information, and/or control as possible while remaining undetected. A problem that is becoming increasingly common is counterfeit malicious devices.

Such devices usually have backdoors and can be used to conduct attacks on other systems in the same environment. As counterfeit devices cannot be easily distinguished, this attack is difficult to discover. The list is almost endless!

Acting on the core need for IoT security

Manufacturers of consumer IoT products who wish to capitalise on the IoT market’s growth have lots of exciting new technologies at their disposal. However, the same technologies that enable value creation in an IoT product can also provide vulnerabilities open to attack.

Ensuring a good secure by design ethos, alongside demonstrating compliance with the relevant regulations, is the best way for a manufacturer to protect their product, and of course – even more importantly – their customer.