How to Keep Hello Barbie from Becoming a Hacker

By Special Guest
Malcolm Harkins, Chief Security and Trust Officer at Cylance
  |  May 05, 2017

What a time to be alive! Computers are talking to cars, and Barbies can connect to your phone. Even connected shirts are getting some skin in the IoT game. Some of these devices can make our lives easier by creating a world in which you can get freshly brewed coffee right when you wake up, and you can check your fridge from the grocery store to ensure there’s milk for breakfast.

But we also know that the Internet of Things gives us some unique security and privacy risks and challenges. There is still a lot of unknown territory with how consumers are using connected devices in their homes and businesses. The IoT significantly expands the attack surface of devices that can be compromised, and it also greatly increases the variation in the type of devices, platforms, vulnerabilities, and communications that are available and, at the same time, at risk. What’s more is that there is a dearth of applicable security technology that either fits or can be effectively architected to prevent compromise.

Because of these issues, improperly secured devices leave both businesses and consumers vulnerable to risk. A device as seemingly innocuous as a pacemaker could potentially get hacked and have a life or death effect on the recipient. It’s up to the developers and manufacturers of these devices to ensure they are creating a more secure world, before their products hit the hands of consumers.

How to Keep Your Device in Check

So what should manufacturers do to secure these devices before they go to market? Here are five precautions you should take when developing your device.

  1. See the big picture. To ensure you’re releasing secure devices, take a step back and consider all of the security implications of your device. This shouldn’t be an afterthought. Think about the vulnerability access. What would be the risk to consumers if their data were stolen? What is your liability if a device gets stolen or hacked? What is the amount, type, sensitivity, and frequency of the data communication with your device?
  2. Use a privacy by design approach. Unauthorized access to data can allow nefarious hackers to use the information they glean to harm individuals. Sometimes the best way to minimize that risk may be to not collect the data at all in the first place. While gathering large sets of data is valuable, societal norms or interests may argue against collection of certain kinds of information, if the risks outweigh the potential benefits. To best protect your users’ privacy, you should only gather the information you need and integrate a privacy by design approach into your product lifecycles.
  3. Conduct code audits. Once you have looked at the big picture of security considerations, perform code audits to assess the quality of your code structure. This should be done before your device is generally available. Now is not the time to favor usability and performance over security.
  4. Assess your security quality assurance programs. Next modify your security quality assurance programs so they are part of the development process for your device. If you’re using third-party service providers, look into those security practices and quality checks for your provider. For example, if your Nest thermostat got hacked, it could end up affecting the safety and privacy of your family by letting the attacker receive data from other devices, like baby monitors, iPads, and computers, that are connected to the home Wi-Fi network.
  5. Streamline and automate. Find ways to automate some best practices in security as part of the features of the product. For example, program requirements for regular password changes, encryption of data transfer, and pushed software updates are critical.  

Corporate Responsibility Should Trump Speed to Market

Of course it’s a delicate balance of time and cost for anyone who is developing a connected device. Smaller companies have the benefit of being able to nimbly adapt to changes in their go-to-market plan. However, especially for these smaller companies, it is imperative they enter the market as early as possible, and with as little cost and complication as possible. On the other hand, larger companies may be less nimble, but they probably won’t be shut down if there are weaknesses in their systems. However, they also have a greater duty to act as a responsible corporate citizen.

There are many examples of mobile apps and other systems being accessed by hackers and causing brand or legal harm to these organizations. At the end of the day, however, the responsibility to do no harm should trump time and cost considerations where security is concerned. But if you are keeping security in mind the whole time, this shouldn’t delay you or be prohibitively expensive.

In today’s world, nothing is sacred. Attackers have more money, more resources, more skill, and more time than all the good guys combined. Because of this, it takes a village to protect every endpoint – and as manufacturers and security veterans, we all have a responsibility to protect consumers from risk. Without conscious attention, the convenience that the IoT brings can jeopardize both social and economic stability.

Malcolm Harkins is chief security and trust officer at Cylance.

Edited by Alicia Young