Securing open source in IoT

from Securing open source in IoT
by Anasia D’mello

There are now 7 billion IoT devices in use across the world. This number is expected to triple by 2025, reaching an unprecedented 21.5 billion devices, says Lev Lesokhin of CAST. The market for Internet of Things (IoT) devices has exploded — now, IoT device makers wanting to cash in on the race to implement IoT are desperate to get their products to market. In the continual breakneck race to sell products, not all software for IoT devices is being made to the highest standard.

To bring new products and features to market quickly, there’s little time to write custom code, especially when pre-designed packages and frameworks can be downloaded for free from open source communities like GitHub and Apache. However, with IoT code as with everything in life, you get back what you put into it. The 2018 Software Intelligence Report from CAST found many open source projects fare poorly on compliance with security rules.

Free open source code does not come with watertight security built in. In the race to market, many companies sacrifice security for speed, foregoing rigorous security checks that consider the structure and inner-workings of such code. Each IoT device, all seven billion of them, must also be run with secure software that’s robust enough to ward off hacker activity.

Open source can be written by anybody. Much of the code in software written for IoT devices is also written by engineers from the embedded software world of standalone devices. This contrasts starkly with the software built to handle the data of large enterprise-wide transactions IoT devices are a part of. Protecting data in this latter context requires a different kind of expertise and skill that far from all developers have.

With the reality that anyone, regardless of development background, can contribute to OSS, it’s much harder to ensure that security and quality standards are upheld. Inefficient, sloppy, or even malicious code can potentially slip in unnoticed.

So many flaws, yet buyers are unlikely to notice. Many see IoT devices through the lens of business – a means to a strategic end such as improved production efficiency. The irony is that while IoT devices are sophisticated enough to be turned against their owners, they are often not considered sophisticated enough to be protected from attack.

The eyes of the world are on your code

Flaws in proprietary, in-house code do occur, but only the developers contracted to write the code may ever know about them. The source code would be private and inaccessible from any prying eyes. However, just as open source is easy for businesses to access, it is just the same for everyone else. Code may have been looked at by many developers and possibly hackers before it is incorporated into the codebase an IoT device depends on.

Lev Lesokhin

American retail chain Target found itself the victim to the tune of US$220 million (€194 million) via credit card detail theft all the way back in 2013 when attackers found a weakness in the climate control system the chain used.

Credentials were stolen from the supplier of the climate control system and were unchanged on deployment […]

The post Securing open source in IoT appeared first on IoT Now – How to run an IoT enabled business.

Original article: Securing open source in IoT