Yin and yang of IoT security: security function and quality

The security of an Internet of Things (IoT) product, or any networked system, has two dimensions. First, there are security functions such as user authentication and data encryption. This also includes tasks like handling private data and software update functionality. Second, there is the quality aspect of security, as low-quality software easily contains vulnerabilities. Programming mistakes, insecure libraries, and insufficient testing and reviews leave weaknesses in the code.

The two aspects have a negative correlation: the more security functions a manufacturer adds to a product, the more features and code it has that require quality assurance. Thus, a low-quality security function may introduce new vulnerabilities, even when it was added for security. In all product development, the focus is often on adding new features rather than increasing the quality of the product. This is the same in IoT and in security. 

The gut feeling is that the number of vulnerabilities caused by a lack of quality dramatically exceeds those caused by missing security features. The lack of encryption for sensitive information and missing strong authentication have been besetting sins in IoT, but this has been changing. My research paper, “Vulnerabilities in IoT Devices, Backends, Applications, and Components” (Kaksonen, R., Halunen, K., & Röning, In ICISSP 2024), shows IoT has vulnerabilities in all parts: devices, backends, frontends, and software components. 


So, what should be done? A security-focused manufacturer should put quality first and (security) features second. Adding new security features should be done carefully and only when quality can be ensured. The use of well-known, high-quality libraries over proprietary code should be the priority. The manufacturer must track public vulnerabilities in the components and proprietary code and publish updates throughout the product’s lifetime.
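One concrete part of "tracking public vulnerabilities in the components" is matching the product's component inventory against published advisories on every release and on a schedule. The following is an added example, not code from the original post or from Test of Things; the inventory entries, advisory identifiers (ADV-0001 and so on), component names and version ranges are all constructed sample data, not real packages or real CVEs. It shows the two checks a practitioner wants: a correct half-open version range test (affected in [introduced, fixed)), and fail-closed handling of a component whose recorded version cannot be parsed, which is flagged for investigation rather than silently assumed patched.

```python
"""Match a product's component inventory against vulnerability advisories.

Added example (not from the original post). The inventory and advisories
below are constructed sample data, not real SBOM entries or real CVEs.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '1.2.10' into a comparable tuple.

    Trailing zeros are dropped so '1.2.0' and '1.2' compare equal. Anything
    non-numeric (e.g. 'git-snapshot', '1.2.x') raises ValueError so that an
    unparseable version is never silently treated as safe.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


@dataclass(frozen=True)
class Component:
    name: str
    version: str          # as recorded in the inventory (may be unparseable)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed placeholder id, not a real CVE
    component: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    status: str           # "affected" or "unknown-version"


def is_affected(version: Version, advisory: Advisory) -> bool:
    """True if version lies in the half-open range [introduced, fixed)."""
    if version < parse_version(advisory.introduced):
        return False
    if advisory.fixed is None:
        return True           # no fix published yet: every later version affected
    return version < parse_version(advisory.fixed)


def check_inventory(components: Iterable[Component],
                    advisories: Iterable[Advisory]) -> List[Finding]:
    """Return one Finding per (component, advisory) pair that needs attention."""
    by_component: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)

    findings: List[Finding] = []
    for comp in components:
        for adv in by_component.get(comp.name, []):
            try:
                ver = parse_version(comp.version)
            except ValueError:
                # Fail closed: a version we cannot parse must be investigated,
                # not assumed to be patched.
                findings.append(Finding(comp, adv.advisory_id, "unknown-version"))
                continue
            if is_affected(ver, adv):
                findings.append(Finding(comp, adv.advisory_id, "affected"))
    return findings


# Constructed sample inventory (hypothetical component names and versions).
SAMPLE_INVENTORY = [
    Component("tls-lib", "1.4.2"),
    Component("json-parser", "2.0.0"),
    Component("http-server", "git-snapshot"),   # version not recorded properly
    Component("mqtt-client", "0.9.1"),
]

# Constructed sample advisories (placeholder ids, not real CVEs).
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "tls-lib", "1.0.0", "1.4.3"),      # 1.4.2 is affected
    Advisory("ADV-0002", "json-parser", "1.5.0", "2.0.0"),  # 2.0.0 is the fix
    Advisory("ADV-0003", "http-server", "0.1.0", None),     # no fix yet
    Advisory("ADV-0004", "mqtt-client", "1.0.0", "1.0.4"),  # 0.9.1 predates it
]


def report_lines(findings: Iterable[Finding]) -> List[str]:
    """Render findings as one line each, suitable for a release checklist."""
    return [f"{f.status}: {f.component.name} {f.component.version} ({f.advisory_id})"
            for f in findings]


if __name__ == "__main__":
    for line in report_lines(check_inventory(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)):
        print(line)
```

Run as a script it lists two items: tls-lib 1.4.2 is affected by ADV-0001, and http-server is flagged because its version string cannot be compared at all. The json-parser entry sits exactly on the fixed boundary and is correctly not reported; that off-by-one is a common defect in home-grown version checks, which is itself an instance of the post's point that a low-quality security function can undermine the security it was added for.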


At Test of Things, we provide security assessment and testing for IoT manufacturers. We address both the correctness and quality of the security functions. Let us know if you need help!
