Many of us have spent this week resetting passwords and upgrading some software as a result of the recently discovered Heartbleed security bug. I didn’t really have such a fundamental issue that impacted so many systems all of us work with on a daily basis in mind when we scheduled our panel discussion on Security Strategies for Internet of Things (IoT) Systems. The bug did however reinforce to me that security of the IoT ecosystem is about the entire chain of devices and systems involved. The topic of “security” can be overwhelming at times. For example, when considering wireless connectivity options, should somebody use Bluetooth or Bluetooth low energy? Apart from the memory and power requirements there are many other security implications. Then there’s the data on the device itself – how do we know the data is stored securely? How do we even know if the software that was intended to run on the device is what’s running on it now?
Devices (end nodes or gateways) in IoT systems tend to then have to connect to an application or web service. These might be hosted in the cloud but devices need to be authenticated to access the services. These services then store the data, process it and provide us with visual views from browsers, phones and tablets. It’s not quite the same as user authentication but device access control is another area of security concern, raising questions such as what to do if a device has been tampered with. Then there’s the final element of security for the web service itself. What development approaches can we use to make the web services that aggregate all this information from connected devices more secure?
All of these questions are what we at Mentor Embedded think about regularly and are the ones I’ll pose to our panel on April 29th. If you have any other questions for them please let me know by commenting on this post. My goal is to have a relatively slide light and discussion heavy session so any input you have on relevant topics to include in the discussion will be appreciated.