17 Mar The Risk of Using Third-Party Components in IoT Devices
The design and manufacture of Internet of Things (IoT) devices is a very complex process. To attain full functionality, IoT devices often need to be integrated with external software components. This can create a host of IoT security issues. Device manufactures should not merely assume that these external components are secure. In many cases, these software components come with weak, or non-existent, security protocols that can compromise IoT device security.
Examples of Common Third-Party Components
- Third-party open source or proprietary libraries
- Communication libraries and protocols (Zigbee, Bluetooth, Wi-Fi, NFC, MQTT)
- Chip/module manufacturer components (Broadcom, Qualcomm, Sierra)
- External Operating Systems
Typically, the main functionalities of an IoT device are not developed directly by the device OEM. In most cases, these functionalities are provided through use of previously developed and verified software. This approach reduces development time and shortens time to market for the new device.
The decision to include third-party software into an IoT device means that the device will inherit any security vulnerabilities and limitations that exist within that software. Therefore, it is imperative that these external software components be thoroughly tested to ensure that they comply with the latest cyber-security standards. It is prudent to assume that third-party components are not safe until protocols have been implemented that comply with your security requirements.
IoT Device Security Risks and Prevention
There are several potential IoT security issues that may be created via use of third-party components. A few of those risks would include the following:
- Using components with acknowledged vulnerabilities (CVE, etc.)
- Using components with new or untested features that may contain security vulnerabilities
- Using a third-party service with the objective of trying to pass the responsibility of security to that service.
- Using functionalities that offer remote interface into the IoT system (e.g., using a panel or admin mode for a web component, hardcoded credentials for system access, or a debugging interface.)
As a device manufacturer or a developer, there are two primary areas you should be monitoring to keep your IoT devices secure:
- Recent version releases for every component used. Doing so will allow you to update them as quickly as possible.
- Identification of new security threats (CWE, CVE, etc.). Staying current with new cyber-threats will enable you to take appropriate measures to protect your IoT devices.
New component versions and vulnerabilities can be difficult to track and monitor. In worst-case scenarios, third-party components could be obsolete and out-of-date, within no support, leaving your device exposed to cyber-security attacks.
Cyber-threats continue to evolve. In order to produce IoT devices that are secure from these threats it is critical to fully assess the security of all third-party components used within the IoT system. The IoT device development methodology should allow for sufficient time to fully evaluate the potential security impact of any new component being added.