Ironically, Security is Easy

I thought I was pretty good when it came to cyber security at home, until I saw the measures my brother-in-law takes. He’s a software developer for a financial technology company here in New York, and I can’t tell if he’s flat-out paranoid, extremely smart, or maybe he’s just smart to be paranoid.

Security is tricky. In fact, it’s a lot like driving: everyone thinks they’re good at it, until they hit something. My friend is at his wits’ end because his daughter just got two speeding tickets – in two months. She’s 21 and a student and everyone tells her she drives too fast, even her sister, but she won’t listen. It’s a classic case of the youthful invincibility syndrome. “I’ll be fine,” she says.

As techies, we’re in a particularly precarious position. We think we’re good at security, and maybe we are, compared to “normies.” We have all changed our passwords from what came with our routers, we’ve installed advanced firewalls, probably use Tor browser (most of the time), use two-factor authentication for everything, have our own VPNs, and have insanely long passwords. That’s great, and it’s right, and it’s easy to spend time on it because it’s our home, our family, and potentially our savings.

When we get to work, we have corporate security measures, which are probably decent. IT is doing its job; they can fiddle ad infinitum with their network settings and with securing your laptops.

But what about our own designs? How dedicated are we to ensuring maximum security measures have been taken for the products we design and push out to unassuming clients and end users, the average consumer? Not very, apparently.

Michael Barr, president of the Barr Group, puts out an annual study on embedded systems. He’s a big proponent of maximum security and safety in coding, and he kicks off the 2018 infographic with the statement “The Internet of Insecure Things” (Figure 1).

Figure 1: The IoT is a great opportunity, for hackers. (Image source: The Barr Group)

Now, the topic of security is discussed everywhere, but Barr puts some numbers on the problem at the design level. As shown in the graphic, 22% of designers say they don’t even have security on their to-do list and many design best practices aren’t followed.

I’ve spoken with Barr about this, and to a lot of people at shows or at corporate media events, and the reasons are just as Barr outlines. There’s only so much that can be done: the product has to ship.

Compounding the problem is that taking the right security measures is only part of it: the product has to be tested, thoroughly. That takes time. A lot of time. With corporate breathing down your supervisor’s neck, the temptation is to ship and fix it later, with over-the-air (OTA) updates.

That philosophy may well work, for a while. Then the team moves on to another project, or the original product is a bust and no more updates are needed. That leaves a number of “orphan” IoT devices deployed in the field, in homes, in retail stores, in corporate environments, all with dubious security in place. Remember the casino IT system that got hacked through an IoT-connected fish tank? That’s not alarmist, it’s reality.

What to do about it: Push back or get pushed out

From a designer or developer point of view, the first line of defense is to push back. If it isn’t secure, get a deadline extension. Explain that if a product fails due to a security leak, it’s the corporate brand that’s at stake. No one wants to compromise that or be responsible for the consequences. Raise a red flag and explain, as Barr points out, that depending on the network to which a product is connected, the consequences of a hack could be serious: up to 25% of IoT devices could kill or injure people if hacked, according to Barr. Remember, too, that it’s your own job security that’s at stake here. Don’t be an orphaned designer.

Now that you’ve bought some time, there is a lot that can be done to ensure sufficient security. Keep in mind that it often doesn’t have to be bulletproof: it just has to not be easy. Hackers are opportunists – all you have to do is show a decent wall, and they’ll look somewhere else for an open gate. There are plenty of those.

To start, close the JTAG ports on the MCUs, use secure boot, ensure your memory is protected, and store encryption keys where they can’t be accessed easily. There are lots of things you can do, but the good news is that many IC vendors and cloud software providers have done much of the work for you already.

Just look here and you’ll find how to use the tools that Microchip, Amazon, Texas Instruments, and others have provided to help close those security loopholes to get you to market, very likely on time!

For example, see:

These guides will put you on the right track, but dig deeper – and ask questions. Start by examining where you tend to get stuck, what issues you face, and what you’d like to learn more about.

The irony is that with all the help from suppliers and partners, and with some effort, security is easy. It’s doing it that’s the hard part.

In the meantime, do the simple things, like changing your passwords at home this weekend. Again. It may drive your family nuts, but they’ll thank you when their friends get hacked.

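About this author

After starting out in engineering, Patrick Mannion has been analyzing the electronics industry for more than 25 years, with a focus on informed editorial to help engineers manage risk, contain costs, and optimize designs. Formerly brand director and vice president of UBM Tech’s electronics group, Patrick Mannion now provides custom content services.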