3 key lessons in IoT security

Posted: 24 Jun 2015

Keywords: Internet of Things, IoT, SSL, security certificate, home automation

Designers of Internet of Things devices can learn three important lessons from a recent security lapse of an IoT vendor.

Wink Inc. is a home automation company with its Wink Hub at the heart of its connected home business. One of the Wink Hub's claims to fame is that it can coordinate devices from other manufacturers that support the Wink network, such as Nest thermostats, Philips Hue light bulbs, Chamberlain garage door openers and DropCam cameras.

Because the hub is an IoT device, everything is done automatically, including software updates from the manufacturer. Unfortunately for Wink, automated updates came to a crashing halt recently. In fact, the crash was so bad that the Wink hubs were effectively bricked: the hardware was made inoperable.

Based on what I read, the communications between the company's hub and cloud service were protected by SSL-based encryption. SSL uses an X.509 certificate and asymmetric cryptography to authenticate users. X.509 certificates almost always have an expiry date built into them, including the one Wink used.

The expired certificates affected almost all Wink's users, causing all the hubs to go offline and show a dreaded solid yellow light. Wink had done its customers a favour by including a security certificate in the hubs, but that certificate expired exactly one year after the hubs shipped.
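The failure described above is one an expiry audit over the certificates a device fleet depends on can flag ahead of time. The following is an added example, not code from Wink or from the original article; the inventory, the 90-day renewal lead time and the five-year support period are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

DAY = 86400
RENEW_LEAD_DAYS = 90      # assumption: time needed to roll out a replacement
SUPPORT_DAYS = 5 * 365    # assumption: how long shipped devices must keep working

# Constructed inventory, in the field format ssl.SSLSocket.getpeercert() returns.
INVENTORY = {
    "update-server": {"notBefore": "Jun  1 00:00:00 2024 GMT",
                      "notAfter":  "Jun  1 00:00:00 2025 GMT"},
    "device-ca":     {"notBefore": "Jan  1 00:00:00 2024 GMT",
                      "notAfter":  "Jan  1 00:00:00 2034 GMT"},
    "telemetry-api": {"notBefore": "Mar  1 00:00:00 2020 GMT",
                      "notAfter":  "Mar  1 00:00:00 2025 GMT"},
}

def audit_cert(cert, now):
    """Return (days_left, findings) for one certificate at time `now`."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    days_left = int((end - ts) // DAY)
    findings = []
    if ts < start:
        findings.append("NOT_YET_VALID")
    if ts >= end:
        findings.append("EXPIRED")
    elif days_left < RENEW_LEAD_DAYS:
        findings.append("RENEW_NOW")
    # A validity window shorter than the device's service life guarantees
    # an outage unless renewal is planned before the devices ship.
    if (end - start) / DAY < SUPPORT_DAYS:
        findings.append("LIFETIME_SHORTER_THAN_SUPPORT")
    return days_left, findings

def audit(inventory, now):
    """Audit every certificate; soonest expiry first."""
    rows = [(name, *audit_cert(cert, now)) for name, cert in inventory.items()]
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    when = datetime(2025, 2, 1, tzinfo=timezone.utc)  # fixed, constructed "today"
    for name, days, findings in audit(INVENTORY, when):
        print(f"{name:15} {days:6d} days  {', '.join(findings) or 'OK'}")
```

Run on a schedule against the real certificate inventory, a check like this turns an expiry date into an alert with enough lead time to ship a replacement.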

Here are some lessons learned from Wink:

  • An outside review or validation of your procedures, algorithms and design is mandatory. It's not that you don't have smart employees working on your product; clearly Wink did. I'm betting the certificate expiration was a simple oversight, one that may have been caught by an outside firm with fresh eyes.
  • Be transparent with security, your IoT device, related applications and data. Simply writing a white paper to explain the security behind Wink updates may have uncovered the certificate expiration problem. In any case, end users deserve to know how you are protecting them and their networks. Don't forget to clearly indicate why you are storing data in your cloud, too.
  • Don't forget about privacy. I like to know what data is being stored about me because it helps me to understand my risk if there's a data breach. I might not care that much if Mr. IoT Vendor suffers a data breach if all that he has stored about me is my home thermostat settings and readings for the last year and not my credit card information.

With the number of IoT devices expanding, it's increasingly important that we understand how we are being protected by the IoT vendors. Transparency is not only a necessity but also a requirement.

Here are some of the most important IoT security requirements, and examples of the capabilities and existing industry standards required to meet them.

- Jackson Shaw
EE Times U.S./senior director of product management
