
The Number One IoT Security Leak

The security of a network is only as good as the weakest aspect. For many applications, it isn’t an algorithm or protocol that poses the greatest vulnerability. More often than not, the weakest aspect in terms of security is the end user.

In general, users don’t intend to create problems or expose the network to outside hackers. However, they’re prone to do so accidentally: a user does something that unintentionally defeats the security measures that are in place. For example, a deadbolt doesn’t stop anyone from coming through the door if the user forgets to lock it.

There’s a good rule of thumb to use with people and security: if there’s a way people can mess things up, they will. Also, the more users there are, the greater the chance—and frequency—that one or more of them will do so.

Consider the slew of network hacks that start with a closed-circuit camera. While some of the hacks exploit design flaws (e.g., if you implement a backdoor in your security, you might not be the only one to use it), most are user-based. This leads us to the next rule of thumb: don’t give users a way to mess things up.

This is especially important for IoT, where billions of new devices are coming online. There’s no way everyone who is installing them can be an expert. So the best designers assume that the average people using their equipment are not experts. In fact, if you design your system so that it’s secure even if the person installing it is trying to mess things up, then you have a secure system. Some developers might even say this is the only way to ensure that you’ll have a secure system.

For IoT designers, this means implementing security at a fundamental level where the user is involved as little as possible. This starts with connectivity. For example, “Locking Down the IoT with LoRaWAN” explores how the low power LoRaWAN protocol secures data as a key part of establishing and managing wireless communications. It looks at several tools—the STMicroelectronics STM32 LoRaWAN Discovery Board, Microchip’s SAM R34 Xplained Pro Evaluation Kit, and the Renesas IoT Fast Prototyping Kit. All are designed to aid developers in making IoT security seamless.

STMicroelectronics’ STM32 LoRaWAN Discovery Board (Image source: STMicroelectronics)

Consider a simple sensor node. An installer might have to deploy hundreds of these sensors in a particular location. To ensure security of the IoT network, the installation process must be bulletproof. After all, it only takes one vulnerable node to expose the entire network. Using a protocol like LoRaWAN can completely remove the user from the installation process. For example, nodes can be factory programmed with the authentication information they need to join a specific network. That’s one less thing an installer can mess up.
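An added example (not from the article or from any of the kits it mentions): a factory-side sketch that gives each node its own join key and audits the provisioning manifest before devices ship, so no credential depends on the installer. It assumes LoRaWAN over-the-air activation credentials (8-byte DevEUI and JoinEUI, 16-byte AppKey); the function names, manifest layout and sample records are hypothetical.

```python
import secrets

def provision(dev_euis, join_eui):
    """Factory step: assign every node its own random 16-byte AppKey."""
    return [{"dev_eui": d, "join_eui": join_eui,
             "app_key": secrets.token_hex(16)} for d in dev_euis]

def audit(manifest):
    """Return (dev_eui, problem) pairs for records that weaken join security."""
    problems, seen_keys, seen_euis = [], {}, set()
    for rec in manifest:
        eui, key = rec["dev_eui"].lower(), rec["app_key"].lower()
        try:
            raw = bytes.fromhex(key)
        except ValueError:
            problems.append((eui, "AppKey is not hex"))
            continue
        if len(raw) != 16:
            problems.append((eui, "AppKey is not 16 bytes"))
        elif len(set(raw)) == 1:
            problems.append((eui, "AppKey is a constant-byte placeholder"))
        elif eui in key:
            problems.append((eui, "AppKey embeds the DevEUI"))
        # One shared key means one extracted node exposes every node using it.
        if key in seen_keys:
            problems.append((eui, "AppKey shared with " + seen_keys[key]))
        else:
            seen_keys[key] = eui
        if eui in seen_euis:
            problems.append((eui, "duplicate DevEUI"))
        seen_euis.add(eui)
    return problems

# Constructed sample manifest with typical provisioning mistakes.
JOIN_EUI = "bb00000000000000"
SAMPLE = [
    {"dev_eui": "aa00000000000001", "join_eui": JOIN_EUI, "app_key": "00" * 16},
    {"dev_eui": "aa00000000000002", "join_eui": JOIN_EUI,
     "app_key": "0123456789abcdeffedcba9876543210"},
    {"dev_eui": "aa00000000000003", "join_eui": JOIN_EUI,
     "app_key": "0123456789abcdeffedcba9876543210"},
    {"dev_eui": "aa00000000000004", "join_eui": JOIN_EUI,
     "app_key": "aa00000000000004" * 2},
    {"dev_eui": "aa00000000000005", "join_eui": JOIN_EUI, "app_key": "abcd"},
]

if __name__ == "__main__":
    for eui, problem in audit(SAMPLE):
        print(eui, problem)
```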

Certainly, as data reaches out into the cloud, security gets more complicated. However, security builds from the lowest levels of the network with the nodes that don’t do much but collect a little data and send it up the line. Clamping down on vulnerabilities at the sensor node level by getting users out of the way as much as possible lets you increase not only the overall security, but the robustness of your IoT system.

About this author


Nicholas Cravotta has been technical editor for EDN, Embedded Systems Programming, and Communications Systems Design, and was the founding editor-in-chief of Multimedia Systems Design. With seventeen years of experience as a practicing engineer, he understands the issues behind designing complex systems firsthand. He has worked with hard real-time embedded systems, written application software for PCs and workstations, built an operating system from the ground up, developed in-house software and hardware development and test tools, and ported software across platforms, among other projects. He has written over 800 published articles, taught programming and technical writing at UC Berkeley, and is an award-winning game designer in his spare time.
