The Illusion of Security By Design

Security by design, an approach that seeks to make systems free from vulnerabilities during product design, is gaining popularity in the IoT world. Setting a strong security foundation and designing for privacy is necessary. However, this is just the first step towards achieving viable, long-lasting protection; even the most robust penetration testing regime does not help adapt to unknown attack vectors. In a world of an ever-changing IoT threat landscape, “security by design” is just the tip of the iceberg.

The next level of IoT security requires automatic and large scale detection and action against security compromises. A change of thought is required: security is a continuous effort, rather than a one-time mission during the system design.

Winning the attacker-defender arms race

Hackers love low hanging fruit like IoT devices. Billions of these devices are spread around the world with little to no security mitigations. Today, more than ever before, IoT devices are a fertile ground for cyber attacks, overand overand over. The IoT devices that surround us were designed with minimal attention to future security breaches, hence they are unmonitored, and in some cases, unpatchable. For this reason, IoT attacks are virtually undetectable until they reach an uncontrollable scale.

When designing a secure system, we should keep in mind that the expiration date of a secure design is the moment hackers manage to bypass it. Hackers are resilient and adaptive, as showcased in our post about local network attacks. Their agility should be met with adaptive security mitigations. Next-generation security solutions, ones that enhance visibility and provide reactive responses, are being deployed across multiple industries, from EDR systems for PCs, to behavioral security solutions for industrial and automotive systems. It’s time for the home IoT industry to adopt adaptive security.

Changes in IoT development require a new approach for security

The pitfall of the “security by design” approach is that it fails to react to new vulnerabilities. This is crucial for today’s connected devices that are largely based on open-source operating systems and external software.** Such integrations expose IoT products to a vast variety of vulnerabilities** that are often found in open-source projects; security bugs in the widely used OpenSSL encryption library and the Unix Shell are mere examples.

From my experience as an R&D manager, An important aspect of IoT security, that is frequently overlooked, is the real cost of security by design: the cost of applying, maintaining and delivering continuous security patches. IoT developers are required to meet tight schedules, dictated by business constraints and market needs, and they don’t have free resources for developing a cybersecurity expertise. Complicating production by putting IoT developers at the first line of security defense can hinder business operations; a better IoT cybersecurity strategy is needed.

Final words

At Firedome, we believe that a truly “secure design” is one that helps expect the unexpected, by providing constant monitoring, continuous protection and seamless delivery of security updates. Our mission is to secure the connected future, and we work hard to build innovative solutions for IoT security.