While the speed in which manufacturers create and release new technology grows exponentially with each passing year, the security of these devices has failed to keep up. As a manufacturer, are you constantly testing your devices to make sure that you not only know what vulnerabilities exist but also how to patch them? As a customer, do you believe that your device is as secure as possible?
Here are 5 rules manufacturers should follow to keep consumers safe in the world of the Internet of Things:
- Scan, Test, Patch Repeat– You wouldn’t send out a new smart phone without making sure that it can connect to the internet or make a call, so why would you send it out if you didn’t know the security features were in tact? Before sending out any piece of equipment to consumers, you should be scanning, testing and patching vulnerabilities. However, just because the device is out the door and in the hands of consumers doesn’t mean your job is done. You should be consistently checking your device and software, especially with each new update, to ensure your security patches are holding and that there are no new patches needed.
- Be Transparent with Vulnerabilities– If you have scanned, patched and verified your devices from step one then you are well on your way here. However, you need to make sure that these vulnerabilities, along with their patches, are prominently displayed on your website for all to see. I know this may seem like you are posting your shortcomings, but you are actually showing your commitment to each customer to make sure that their experience is the best it can be. Let’s go one step further here, are you in healthcare? If so, your devices and their security can be a matter of life and death. For any industry where your devices play a critical role in someone’s wellbeing or livelihood, make sure you are also reporting these vulnerabilities, and patches, to the appropriate governing body like the FDA.
- Notify Users of Significant Changes and Make Updates Easy– How can you tell what is significant? If it impacts the way the device should be used or if it features changes that will remove or alter safety features or introduce a safety hazard, all users of this device should be alerted. Yes, I think push notifications are extremely annoying too and tend to opt out of them whenever possible. However, these notifications are the fastest way to not only alert users of security updates but with a few clicks it makes downloading these software patches extremely easy.
- Give Humans the Power to Opt-Out– I understand that the features in your device are amazing, life-changing even. However, when a device or its software affects someone’s life, they deserve a say in how they use it. It’s as simple as that. Especially if the software or its updates are in a life-saving healthcare device. The doctor and the patient must not only understand the features but need to come to an agreement on how and when they will be used. So yes, while sending an automatic order to the grocery store when you are out of milk seems innocuous, your customers should still get a say in how and when that order happens.
- Reinforce Security with Password/Input Authentication– I don’t know about you but every time I go to visit my nieces over the weekend I come back with about 20 new selfies and my phone apps rearranged into a pattern only a six year old could understand. Why is that? Well, I made the mistake (ONCE!) of showing them my password. Now, while these changes aren’t that big of a deal (some of the selfies are actually pretty funny), it would be a completely different situation if that same password unlocked my bank account or some other crucial application. When building in the ability to make changes to your device, make sure to put extra authentication in place. Weather it is using biometrics or multi-factor authentication, when you are giving humans the ability to change their settings, make sure it is the right human and not a mistake made when looking for a game of Candy Crush or worse a bad actor looking to steal their data.
Even though it seems like we have been talking about it forever, the IoT is still in its infancy when we think of the possibilities in just the next few years. As a manufacturer, you should be on the forefront of not just the next innovation but the next way to keep these devices safe for consumers and fortified against bad actors. Test your products. Alert your customers. Make updates easy and transparent. By doing these things you will not only build the best products but the best reputation for safety and security in the internet of things.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.