9 essential IoT security trends: safeguarding the future of connected devices

By Anthony Wall, Embedded Systems Engineer, ByteSnap Design.

The Internet of Things (IoT) has changed the way we live and work, connecting devices across industries and homes.

However, with this expanding connectivity comes an equally expanding risk of cyber threats and data vulnerabilities. For embedded electronics engineers, it is imperative to prioritise security to safeguard both individual privacy and critical infrastructure.

This article explores nine IoT security trends shaping the future of connected devices.

From identifying vulnerabilities to the new technologies being used for security in IoT, these insights will better equip engineers to design and maintain secure, resilient IoT solutions.

1. Identifying device vulnerabilities

The biggest threat facing IoT devices is their use by malicious actors to gain access to personal home networks. Even with regulations such as UK PSTI, many IoT devices are still being shipped with sub-par security. When users put these IoT devices directly onto their home network, there is a danger that private data and systems can be accessed.

Some common attack vectors include:

The use of generic admin passwords
Not properly verifying update packages
Using HTTP instead of HTTPS for web connections

2. New advanced encryption technologies

High-end IoT products, such as smart home audio systems (Sonos), CCTV cameras (Axis, Bosch) and smart vehicles such as the Tesla Model S, are also starting to take security more seriously. For example, we’re seeing certificate-based authentication on more devices as standard, ensuring that only software and updates from the official manufacturer are allowed to run on the device.

For smart home security systems, Google’s Nest Secure alarm system uses advanced encryption to protect your home network and connected devices. It employs end-to-end encryption for all communications between the Nest Guard (the main hub), Nest Detect sensors, and the Nest app. The Ring Alarm Pro by Amazon, meanwhile, integrates a built-in eero Wi-Fi 6 router with advanced encryption. It uses WPA3 encryption, the latest standard in Wi-Fi security, to protect your home network and connected IoT devices.

Increasingly, devices use HTTPS rather than HTTP to encrypt data in transit. They are also applying the principle of least privilege to prevent devices from accessing more data than they need, particularly in cloud-based environments.

3. Biometric integration in IoT

Biometrics, such as fingerprints or retinal scanners, are a tricky area when it comes to IoT security. Manufacturers must be extremely careful with how they store any biometric data taken by their products due to its personal nature and high levels of regulation.

The addition of biometrics to IoT products is often seen in access control devices such as smart door locks. While this does, in theory, offer improved security over the traditional key lock, in reality they are usually fitted with a key lock for redundancy anyway. This in itself calls into question the security benefit of adding biometrics at all.

4. Zero Trust architecture

Traditional security systems work at the perimeter, such as when a user signs into their company laptop and they are authenticated to access the entire company network. Zero Trust goes beyond that and applies explicit authentication to every file, service or email individually.

IoT devices themselves might implement Zero Trust by enforcing end-to-end encryption of all data transmitted. Under a Zero Trust architecture, a device must authenticate at the point where it sends data and is not allowed to talk to other IoT devices on the network unless explicitly required.

A simple example of this might be a temperature sensor that talks to the cloud. Traditionally, this might not have any security, sending readings over HTTP to a cloud API. In Zero Trust, the sensor would send data over HTTPS, be required to authenticate to the specific API it is calling and, through provisioning, be unable to impersonate any other temperature sensor.
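The temperature sensor case above, sketched as an added example that is not from the original article: each device gets its own provisioned key, and the cloud side checks every reading before accepting it. The per-device HMAC key stands in for whatever credential a real product provisions (for example a client certificate), HTTPS transport is assumed, and all names, keys and paths are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed provisioning table: one secret per device, installed at manufacture.
PROVISIONED_KEYS = {
    "sensor-A": bytes.fromhex("11" * 32),
    "sensor-B": bytes.fromhex("22" * 32),
}
# Explicit allow-list: the only API each device may call.
ALLOWED_API = {"sensor-A": "/v1/temperature", "sensor-B": "/v1/temperature"}


def sign_reading(device_id, key, api, counter, celsius):
    """Device side: build a reading and authenticate it with the device's own key."""
    body = json.dumps({"device": device_id, "api": api, "counter": counter,
                       "celsius": celsius}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


class ReadingVerifier:
    """Cloud side: every request is authenticated, whatever network it came from."""

    def __init__(self):
        self.last_counter = {}  # highest counter accepted per device (replay defence)

    def verify(self, body, tag):
        try:
            msg = json.loads(body)
            device, api, counter = msg["device"], msg["api"], msg["counter"]
        except (ValueError, KeyError, TypeError):
            return "reject: malformed"
        key = PROVISIONED_KEYS.get(device) if isinstance(device, str) else None
        if key is None:
            return "reject: unknown device"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad authentication tag"
        if ALLOWED_API.get(device) != api:
            return "reject: API not permitted for this device"
        if not isinstance(counter, int) or counter <= self.last_counter.get(device, -1):
            return "reject: replayed or stale counter"
        self.last_counter[device] = counter
        return "accept"
```

Because the tag is computed with the key of the device named in the message, a reading signed with sensor-B's key but claiming to come from sensor-A fails the tag check.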

5. AI-powered protection

AI comes in many shapes and sizes within the IoT world, from cameras that can remember your face to smart watches that are able to accurately detect if the wearer has fallen. While AI is often talked about with respect to robotics, the term has become somewhat of a catchall for what we really used to call algorithmic systems, where our devices appear to think and react to data.

In the security world, we have already seen significant practical benefits of applying AI concepts, most notably in pattern recognition. Security cameras in particular illustrate this well, progressing from the early days of simple video to very basic motion detection. Now, our cameras can not only determine whether it’s a vehicle, animal or person that’s visible but oftentimes who it is.

6. Blockchain for data integrity

The blockchain represents a specialised datastore that cannot be altered once it is written to. Depending on the sensitivity of the data, the blockchain may be accessible only to specific users or publicly verifiable.

When implementing blockchain technologies, the primary benefit is where multiple parties need access to historic data records. Use of a blockchain ensures no single party can tamper with the data after it is recorded, a large benefit over traditional systems where one party would typically own the datastore.

Within IoT, the blockchain is starting to see more use, especially in freight and safety critical applications where transport information or operational logs must be recorded for compliance. Companies such as Renault and Home Depot have already begun integrating IBM’s Blockchain for IoT technology in their supply chain process.
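The tamper-evidence property described in this section, reduced to its core as an added example that is not from the original article or from any named product: records are linked by hashes, and a second party that saved an earlier head hash can detect a rewritten history. It shows only the hash-linking, not the distribution or consensus of a full blockchain; function names and the freight records used with it are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first record


def record_hash(prev_hash, payload):
    """Hash a record together with the hash of the record before it."""
    data = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()


def append(chain, payload):
    """Append a record linked to the current head and return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev, "payload": payload, "hash": record_hash(prev, payload)}
    chain.append(entry)
    return entry["hash"]


def verify(chain, trusted_head=None):
    """Check every link; optionally check a head hash another party saved earlier.

    The trusted_head check catches a datastore owner who edits a record and
    then recomputes every later hash so the chain looks consistent again.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != record_hash(prev, entry["payload"]):
            return f"broken at record {i}"
        prev = entry["hash"]
    if trusted_head is not None and trusted_head not in [e["hash"] for e in chain]:
        return "history rewritten"
    return "ok"
```

A chain that passes `verify(chain)` on its own can still be a forgery, which is why the second party's saved head hash matters.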

7. Regulatory Landscape for IoT Security

The UK’s Public Safety and Telecommunications Infrastructure Act 2022 (PSTI) introduces measures to enhance the security of connected devices. The legislation applies to “relevant connectable products,” a term defined in Chapter 1, Section 5 of the Act, which broadly encompasses any device that connects to the internet, either directly or through a gateway, as well as devices that link to two or more other devices simultaneously.

By addressing the vulnerabilities inherent in connected technologies, the PSTI seeks to establish robust standards that mitigate cybersecurity risks and safeguard user data. This focus on connected devices reflects the growing reliance on the Internet of Things (IoT) and aims to ensure that manufacturers prioritise security features to protect consumers and critical digital infrastructure.

For manufacturers in the EU, the EU Cyber Resilience Act (CRA) is set to come into force before 2025, with product compliance mandated by 2027. The Act imposes stringent cybersecurity requirements on manufacturers, distributors, and importers of hardware and software products, to protect consumers and businesses from ever-growing cyber threats.

The CRA mandates a “secure-by-design” approach, requiring manufacturers to embed cybersecurity measures into every stage of the product lifecycle. This includes conducting thorough risk assessments, implementing robust security updates, and providing clear documentation to users. Manufacturers must also address vulnerabilities promptly and ensure that products meet strict cybersecurity standards before entering the market.

The CRA also places a strong emphasis on ongoing security support. Manufacturers are obligated to provide security updates and patches throughout a defined product lifecycle, ensuring that devices remain protected against emerging threats. This proactive approach aims to minimise the risk of cyberattacks and data breaches.

Based on the CRA, here is some advice on how to ensure security in IoT devices:

Passwords must be unique per product or be capable of being defined by the user of the product.
Manufacturers must provide without prior request, free of charge and in English, information on how to report security issues with their products and acknowledge these reports with a suitable response.
Security updates must have a clearly defined minimum update period as well as a documented end of life.

8. Future-proofing & emerging security trends

The cloud has quickly shaped the design and functionality of IoT devices by enabling manufacturers to integrate enhanced security features more efficiently.

Cloud-based provisioning mechanisms are increasingly being adopted, reducing the risk of rogue devices infiltrating networks by ensuring that only authenticated devices are granted access. Additionally, the cloud streamlines the update process, allowing for timely and reliable deployment of security patches and firmware updates to counteract potential vulnerabilities and malicious code.

This has also aided in the rollout of AI-backed systems. Most notably, in risk-prioritised prevention, cloud systems can identify a normally acceptable security risk in a critical system as an unacceptable risk. Pooling knowledge from previous attacks across the entire network can also help AI systems identify threats earlier, before they can cause significant harm.

In the next five years, I suspect we’ll struggle to find any IoT products that don’t claim to be AI-backed in one way or another. With increasing regulation, the days of simple IoT products are likely behind us. With every smart light or plug requiring much stricter security by law, IoT products will need a plethora of technologies to stay compliant.

Ultimately this means we shouldn’t have to see news articles about smart fridges being compromised to mine cryptocurrency anymore, and can feel more confident that our smart devices are secure.

9. Best practices for IoT Security

When designing and manufacturing connected IoT products, it is essential to make security a critical pillar of the product. Incorporating security features early in the product development lifecycle is often more efficient and cost-effective than attempting to retrofit compliance measures at the end of the production pipeline.

For those looking to learn more about general cyber security as well as IoT specifics, some of the best resources can be found in courses offered by the large cloud providers: Microsoft, Amazon and Google. Many of these are free of charge and available to anybody, not just those working professionally in the sector.

When collaborating with a design partner, don’t hesitate to inquire about IoT security expertise and ensure they are prepared to incorporate robust security measures into the design process. At ByteSnap Design, we have worked on both existing and emergent IoT security technology and know how important open communication about security expectations is when creating a secure and reliable product.

Conclusion

By staying informed about the latest trends and best practices, embedded engineers have a unique opportunity and responsibility to protect connected devices. From implementing advanced encryption to zero-trust architecture, these tools will help mitigate cyber risks and safeguard critical and sensitive data.

As the IoT technology landscape evolves, engineers must integrate security considerations from the outset of the design process. By collaborating with security experts and staying updated on emerging threats, engineers can build IoT systems and devices that are not only cutting-edge but also resilient to cyberattacks.

The post 9 essential IoT security trends: safeguarding the future of connected devices appeared first on IoT Business News.