The UK government has recently published an update regarding its plans to lay down mandatory cyber security requirements for IoT products. The previously published voluntary guidelines, named “Code of Practice for consumer IoT security” are planned to become mandatory for products sold across the UK.
In this post, we will review some of the main topics covered in the guidelines, and which practical steps can be done to ensure their implementation as a part of the R&D lifecycle.
Keep software updated
“Software components in internet-connected devices should be securely updateable. Updates shall be timely and should not impact on the functioning of the device”
Here is a call to a much-needed shift in the paradigm of IoT device software updates. As in the IT industry applying timely security updates became a standard, the IoT industry isn’t there yet. We can often see products, being sold with outdated firmware, and if any software update mechanism does exist, it’s rarely been used. This leaves the device vulnerable to malicious attacks, and the end user exposed to having personal information stolen, ransomware attacks, and other cybersecurity threats.
Besides a necessity to include a software update mechanism, IoT device manufacturers face a need to perform ongoing monitoring of their firmware security. As CVEs are being discovered and published daily, and modern software consists of hundreds of different components, some of them coming from open source communities, the required effort to perform such maintenance manually is enormous. With Trivium Solutions, an IoT manufacturer can outsource this task to an experienced team of security engineers that are using the automatic Hardenite Audit tool to automate this process.
Ensure software integrity
“Software on IoT devices should be verified using secure boot mechanisms”
We have covered the topic of secure boot in a separate blog post: “IoT device security and IP protection“.
Numerous OS hardening requirements
“Any credentials shall be stored securely within services and on devices”
“Security-sensitive data, including any remote management and control, should be encrypted in transit, appropriate to the properties of the technology and usage. All keys should be managed securely.”
“All devices and services should operate on the ‘principle of least privilege’; unused ports should be closed, hardware should not unnecessarily expose access, services should not be available if they are not used and code should be minimized to the functionality necessary for the service to operate. Software should run with appropriate privileges, taking account of both security and functionality.”
The requirements above, as well as others specified in the “Code of Practice”, are basically generic and basic hardening guidelines. Whereas they can be implemented at a certain period of the firmware development process, the real effort is to keep validating that they are not broken as a part of subsequent R&D cycles. Therefore, there is a clear need to include security testing as an integral part of the R&D cycle in the process of software development for IoT products. Automation of this task can significantly lower the required effort. Again, the “Hardenite Audit” is the ultimate tool for this task for Linux-based IoT firmware development, as it was designed especially for such purposes.
Conclusion
As governments are taking measures to protect society from poorly secured IoT devices, IoT manufacturers have to integrate their ongoing security maintenance procedures into different layers of their products’ lifecycle. Trivium Solutions is here to help with the task, allowing the R&D team to concentrate on product features and ensuring their time to market.