EEJournal

editor's blog
Subscribe Now
May 6, 2014

IoT Paranoia – Not a Bad Thing

by Kevin Morris

While the Internet of Things (IoT) is full of promise, there’s one word that summarizes all that people fear about it: security.

We got to hear a bit about that at a session dedicated to the topic at the recent Internet of Things Engineering Summit co-conference at EE Live. Presented by consultant George Neville-Neil, it wasn’t about technology per se; it was about our state of mind.

Most of us believe it’s important to keep intruders out. His main takeaway: assume they will get in. Because, eventually, they will. Building sturdy walls is good and important, but planning for what happens next is also important.

What caught my ear in particular is one of the less-obvious possible consequences of not minding the store properly: a “consent decree.” I’ve heard the term in a generic sense, but it’s not obvious what the implications are if you’ve never had one (which I haven’t, which is why I asked). Apparently, if you’ve been careless with security, a consent decree allows the Federal Trade Commission (FTC) to become your overseer, getting all up in your business and stepping in when they want. Most of all, the documentation required during the term of the decree sounds particularly onerous. So… avoid this.

That aside, the following are my attempt to summarize his supporting recommendations (“attempt” because I was writing furiously to keep up):

  • Shrink the “attack surface” (i.e., expose less). Meaning, drivers, daemons, features, debug access, web servers, data loggers, etc.
  • Separate out “concerns.” I.e., no processes with root access or super-control; restrict access to data. Nothing gets access to anything irrelevant.
  • “Defense in Depth” – rings of security. What happens when the first wall is breached?
  • Provide only those features really needed. (OK, marketing will have a fun time with this. You know the drill:
    • Marketing: Here are the features we need in the next release.
    • Engineering: You can’t have them all; which ones do you really need?
    • Marketing: We need them all. We didn’t bother asking for the nice-to-haves.
    • Engineering: Well, which of these do you need least?

In other words, marketing probably already thinks they’re getting less than the really-needed features.)

  • Be conservative in what data you accept and send.
  • Review your code.
  • Review other people’s code – especially when incorporating someone else’s code or IP. Do an internet search for the package along with words like “crash” or swear words to find red flags.
  • Use “sandboxing” to provide isolation.
  • Use automation to test and analyze your code. Oh, and don’t forget to look at the results.
  • And, the bottom line, “Plan for Compromise.”

And sleep with one eye open. Because They’re coming, you know…

Leave a Reply

featured blogs
Webinar: Extend the Language Using Specman e Macros!
Feb 28, 2021
Using Cadence ® Specman ® Elite macros lets you extend the e language '”€ i.e. invent your own syntax. Today, every verification environment contains multiple macros. Some are simple '€œsyntax... [[ Click on the title to access the full blog on the Cadence Comm...
More from Cadence...
Is This The Swiss Army Knife Of Connectors?
Feb 27, 2021
New Edge Rate High Speed Connector Set Is Micro, Rugged Years ago, while hiking the Colorado River Trail in Rocky Mountain National Park with my two sons, the older one found a really nice Swiss Army Knife. By “really nice” I mean it was one of those big knives wi...
More from Samtec, Inc....
Gasp in Awe at the ShieldBuddy TC375
Feb 26, 2021
OMG! Three 32-bit processor cores each running at 300 MHz, each with its own floating-point unit (FPU), and each with more memory than you than throw a stick at!...
More from Max's Cool Beans...

featured video

Silicon-Proven Automotive-Grade DesignWare IP

Sponsored by Synopsys

Get the latest on Synopsys' automotive IP portfolio supporting ISO 26262 functional safety, reliability, and quality management standards, with an available architecture for SoC development and safety management.

Click here for more information

featured paper

Get more from your GaN-based digital power designs with a C2000™ real-time MCU

Sponsored by Texas Instruments

Designers in the power electronics industry need new technologies and methods to increase performance in GaN systems. C2000™ real-time microcontrollers (MCUs) can help address design challenges when developing modern power-conversion systems using GaN technology.

Click here to download the whitepaper

featured chalk talk

Using the Graphical PMSM FOC Component in Harmony3

Sponsored by Microchip and Mouser Electronics

Developing embedded software, and particularly configuring your embedded system can be a major pain for development engineers. Getting all the drivers, middleware, and libraries you need set up and in the right place and working is a constant source of frustration. In this episode of Chak Talk, Amelia Dalton chats with Brett Novak of Microchip about Microchip’s MPLAB Harmony 3, with the MPLAB Harmony Configurator - an embedded development framework with a drag-and-drop GUI that makes configuration a snap.

Click here for more information about Microchip Technology MPLAB® X Integrated Development Environment (IDE)