SparkFun posted a blog post on IoT Security. While posting to a blog isn’t newsworthy (unless it’s the one you are currently reading 🙂 ), I’m very encouraged to see this post at SparkFun. The makers/engineers building projects/products are the front line–a systems security engineer like me is combat support.
I had a small excerpt from the article:
When I talk about this I consider three entities:
- How does the maker secure their projects?
- How does the consumer buy secure products?
- How does the professional engineer build secure products?
For all of them, the answer is to think about what’s called in security jargon a “threat model” – basically, a risk analysis. So I’d say to the maker, if she is trying to blink an LED over WiFi for a demo, the security needs are probably pretty low. BUT, what happens with that ESP32 when you are done? Did she wipe the WiFi creds before throwing it away?
The answer to #2 is a bit harder. Right now, we don’t have a good way for consumers to know things are secure. But what I say is, “Do you need that connectivity feature?” For example, take smart door locks. I would never buy a smart door lock; I don’t want it connected because, to me, the risk of electronic attack is greater than the risk of physical lock picking.
However, UL is making a good effort here. There is a new standard, UL 2900 (full disclosure, Josh is on the technical panel), where vendors can get a UL certification for their product. It’s a pretty comprehensive certification.
I do think certifications will help the industry here. It puts the onus on the OEM, where it belongs. UL 2900 isn’t a silver bullet, as you point out, but it is progress.
Finally, #3 is harder still. It’s the same answer as to the joke, “How do you get to Carnegie Hall? Practice.” Building secure stuff takes study and practice.
There was one comment that made me smile:
throwing it away? That is HORRIBLY WASTEFUL! Things like the ESP32 Thing should be REUSED – put it “in the junk box” for future use.
Touché. 🙂