Very few IoT devices aren’t connected to the cloud or a mobile app. On the contrary, these connections are usually part of the product. That’s why security concerns should extend to these companion systems as well.
Security begins with the communication between these systems. Here, strong industry-standard encryption mechanisms and protocols should be used. But they’re just tools. The real asset is a concrete understanding of how to use these tools correctly.
The next important link in the chain is a secure cloud backend. The challenges faced here are very different but just as important, because successfully attacking a cloud application can compromise every device or user that communicates with it. Today, information is power and stealing information is a booming business. In this world, a carelessly implemented API endpoint that leaks customer data is a serious threat. Once found, draining these leaks can be automated. Aside from legal consequences, this can seriously damage a company’s reputation.
It’s commonly accepted that security by obscurity or secrecy cannot work. Hoping that a system will seem too complicated at first glance and so discourage attackers is futile. This hope is usually paired with a misunderstanding of how secure an application’s code is once it’s downloaded onto a user’s device. Apps are deployed into hostile territory; no secrets are safe. Tools for decompilation and deobfuscation are freely available on the internet.
Last but not least, be aware of accidentally leaking meta-data about your users’ habits. For example, it’s easily conceivable that a device which controls the light in a user’s home could make a network request every time the light is switched on or off. Recording this meta-information over long periods of time can paint a very clear picture of a user’s daily routine.
As a bit of advice:
- Encrypt all communication. Use standardised security protocols. If you go with TLS, use at least version 1.3.
- Don't communicate anything in plain text. Yes, this one is a duplicate, but just to underline the importance.
- Secure your API endpoints against automated data extraction by using rate-limiting mechanisms, and alert admins of suspicious behavior.
- Remember, secrets in your code are not safe once they're on the user's device. Use a platform's privileged APIs to store them.
- Minimize the trail of meta-data left even by encrypted communication: randomize intervals and batch requests together.
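
The last point, applied to the light-switch case above, can look like the following sketch. It is an added example, not code from any particular product: the class name `BatchedReporter`, the `send` callback, the interval defaults and the fixed-size padding are all assumptions, and the padding and empty-batch uploads go one step beyond the batching and randomized intervals named in the list.

```python
import json
import secrets


class BatchedReporter:
    """Queue device events and upload them on a randomized timer.

    Uploads are driven by the timer, never by the event itself, so the
    timing of (encrypted) requests does not mirror when a switch was used.
    """

    def __init__(self, send, now, base_interval=900.0, jitter=0.5,
                 pad_to=1024, rng=None):
        self.send = send                    # callable(bytes); assumed to go over TLS
        self.base_interval = base_interval  # seconds (constructed default)
        self.jitter = jitter                # +/- fraction of base_interval
        self.pad_to = pad_to                # payload length is rounded up to this
        self.rng = rng or secrets.SystemRandom()  # unpredictable jitter
        self.queue = []
        self._schedule(now)                 # timer starts at boot, not at first event

    def _schedule(self, now):
        spread = self.base_interval * self.jitter
        self.next_flush = now + self.base_interval + self.rng.uniform(-spread, spread)

    def record(self, event, now):
        """Store an event locally; this never touches the network."""
        self.queue.append({"t": now, "event": event})

    def tick(self, now):
        """Call regularly; sends one padded batch when the timer is due."""
        if now < self.next_flush:
            return False
        body = json.dumps({"events": self.queue}).encode()
        # Pad with spaces (valid trailing JSON whitespace) so the request
        # length does not reveal how many events the batch holds.
        size = -(-len(body) // self.pad_to) * self.pad_to
        # An empty queue is sent too, so idle and busy periods look alike.
        self.send(body.ljust(size, b" "))
        self.queue = []
        self._schedule(now)
        return True
```

The trade-off is latency: the backend learns about a state change up to `base_interval * (1 + jitter)` seconds late, so this pattern suits usage reporting rather than commands that must take effect immediately.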