Six months or so ago, a report was published pointing to the potential for the IoT to be compromised through weak security in 'edge devices' – the components that collect data and transmit it for further processing in 'the cloud'. The report also suggested that engineers should assume their device will be compromised at some point and should therefore design their systems so that rogue elements can be isolated.
Now, IoT security is all the rage – at least amongst vendors – and the focus is spreading to other sectors. But there are a number of issues: one is the assumption that just because a system is embedded, it's secure; another is the requirement for designers to think of every possible threat. Between those two extremes lies a sensible approach, along with another – designing from the start with security in mind.
In the last few months, companies have started to offer devices which feature high levels of security. If you want AES128, it's available; if you want more, then some vendors have secure authentication microcontrollers that offer 'banking level' security.
And yet, while vendors have got the message, not all users have. A leading semiconductor executive told a briefing that 'security is not getting the attention it needs; security needs to be understood broadly'.
But perhaps it's not quite as bad as it looks. New Electronics surveyed its readers in 2014 and found increasing concern about security – designs, as well as data. Almost all of those who said their designs accessed the internet also said they implemented access control. Half were aware of defensive programming and half were implementing tamper resistance.
Nevertheless, there's a large number of engineers who believe their system is more secure than it is.
