Skip to content
Search our site  
    May 29, 2024

    Secure SW development for IoT devices

    Internet of Things is a term for devices that interact with the physical world and often are “smart” to become more useful. For example, a dishwasher that starts when power prices are at their lowest or a smart speaker being used to turn on the lights. Developing these devices however presents a challenge as they have to work together with products from other vendors and are also often resource constrained.

    Security of a device is still important even though the devices themselves doesn’t have much resources and there are numerous examples where a poorly secured device have been used in bot-networks (large collection of machines that work together to perform tasks such as DDoS attacks) or used as a route into the main network. The challenges include:

    • Resource constraints: Many IoT devices have limited processing power and memory.
    • Device diversity: IoT devices comes in many different types, each with its own set of challenges.
    • Updates: Many devices are just set up and left to do their job, which is a challenge if the device must be actively updated.


    Tools and Best Practices for Secure IoT Software Development

    OS and platform selection forms the basis of the software being developed. It sets the features available as well as the limitations. It is important to consider what benefits and restrictions an OS have, some might place large restrictions on security features.

    There are requirements to keep track of vulnerabilities in a product. Since products often use third party libraries, it is important to have a Software Bill of Materials or a SBOM. This is needed to keep track of not only what components are use, but also the version used.

    Many standards and regulations have now started to come with requirements regarding passwords and encryption, usually requiring it to be “best practice”. It is therefore important to think about these things early in the development process. This applies especially to encryption, as this can put additional demands on the hardware and the system around it. It is recommended to use libraries and well-established methods for encryption, as it is an area where it is easy to make mistakes.

    Using a Static or Dynamic Application Security Testing (SAST & DAST) tool will help greatly in the development of software. SAST will analyze source code during development to detect possible security vulnerabilities while the DAST tool will try to run the code and simulate attacks against the application. This makes it easier to catch many vulnerabilities earlier in the development process.

    Secure key management is an important factor to consider early in the development process. The secure storage and management of security keys is important to the security of the device. Theft or manipulation of certain keys can compromise the IoT device or its data.


    Securing IoT

    Integrating the product with others is the cornerstone of IoT products. However, it is important to consider how to accomplish this. The safest way is to have a limited API that is tailored to only respond to specific requests and discard all requests that is not formatted correctly. If this is not an option, properly sanitation of the requests is necessary. This is because there are many vulnerabilities where an improperly formatted request leads to undesirable response. For example, what would an application that receives a request like “Respond with this 5000 character word, BIRD“ respond? Without any verification of the input the application would simply have responded with BIRD and then insert 4996 characters from the memory which can contain usernames and passwords.

    Secure software and firmware updates are recommended and even required by some regulations and standards. Setting up a system to securely deliver, verify the integrity and automatically update a device will greatly improve the security of a device. This is because many IoT devices are set up and then left to do their job. Many users do not know or bother with regularly updating their devices unless they get constant reminders to do it. When did you last update the router at home?

    Proper usage of HTTPS will protect data from being stolen and against a well-known attacks like “man-in-the-middle”. This is accomplished by encrypting all data with a robust protocol (TLS) and by verifying that the destination is who they say they are. Requiring the software to verify the destination and protecting the certificates where used, is very important to the security of this protocol.

    If a central server is chosen to handle communications, it is very important to secure it against attacks, keep it up to date and to monitor it for unauthorized changes.

    Read more: Cybersecurity and the Internet of Things



    As IoT devices are increasing in number, complexity and variety, regulations have finally caught up, making the security of IoT devices more important than ever. The unique challenges posed by resource constraints, device diversity, and the necessity for security requires developers to consider security in a larger degree during software development. By selecting the appropriate OS, platform, maintaining a detailed SBOM, adhering to best practices for security and encryption, and utilizing SAST & DAST tools, developers can significantly mitigate potential vulnerabilities. Moreover, secure key management, limited API exposure, proper request sanitation, secure update mechanisms, and the usage of HTTPS is critical in safeguarding IoT devices. As IoT continues to integrate into the fabric of daily life, robust security can ensure that this integration will be a safer one.


    Want to know more?
    Book a free online meeting with a senior penetration tester.



    Geir Hørthe

    Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...

    Other posts you might be interested in