IoT
Coding for IoT —
Securing Software at Scale
Chuck Gehman, Perforce Software
Making sure that safety-critical connected products
(such as driverless cars and medical devices) are
secure and compliant is obvious. That’s why there’s
been growing focus on software development processes over
the past few years. Teams need to ensure that the processes
involved in the creation of safety-critical connected products
are safe, secure, and reliable. This has led to greater regulation
and the use of coding standards.
Attention is turning to the development of more general
consumer IoT devices and the challenges that are presented to
the teams behind the creation of these
software-dependent products. European
CE and US LU certification applies to
connected devices — not just those that
are standalone.
Today, the scale of the IoT market,
the pace at which software has to be developed,
and the complexity that is often
involved has created a tough IoT design
environment. The development process
is where the majority of software defects
and vulnerabilities are introduced. Those
vulnerabilities could potentially cause
performance issues, product failure, or
even be maliciously exploited at a later
date.
Security is a growing concern —
particularly since the Mirai botnet attack. The attack involved
hackers taking over a large number of IoT devices and routers
by using the passwords that were hard-coded in the factory. In
addition, it was recently discovered by a ‘whitehat hacker’ that
a popular lightbulb could be easily hacked to gain access to the
Wi-Fi password for the user’s home.
What a hacker or criminal could do with that kind of information
ranges from the lightbulb example — which could enable
them to unlock the doors of a house or turn off the security
system — to crippling denial-of-service (DoS) attacks, such as
the Mirai incident.
In the Mirai incident, hackers used IoT devices to launch
distributed denial of service attacks (DDoS) and disrupted
internet access for millions of companies and people globally.
Modern consumer electronics are smart: plug them in and they
will automatically find the Wi-Fi and connect to it, which is great
functionality for the consumer, but also very useful for someone
with malicious intent.
Programming Languages
The user interfaces for IoT tasks (such as remotely turning on
lights or surveillance cameras) are typically developed using
programming languages that have become popular for internet
apps, including Node.js, Java, Python, and Go. Even though
those programming languages are all relatively simple, they are
secure. However, when it comes to the code in the actual IoT
device, the most commonly used programming languages are
Python and C.
The benefit of C is that it gives the developer far more control
over the hardware along with far greater performance, flexibility,
and scope for innovation. As a side note, the Linux operating
system is written in C, which is why it is so much faster than
Windows on comparable hardware.
However, unless a developer is familiar with it, C is very hard
to understand. What’s more, C relies on developers to make the
right decision and not inadvertently introduce errors, such as
accidentally over-writing memory. Unfortunately, human error is
a common hazard in coding.
Market Pressures
While teams tasked with developing IoT devices are aware of
the potential security risks, they are also under pressure to get
products out to market fast. As so often happens in software
development, corners may be cut. A common solution is to add
more people to a project. While that may sound like an effective
way to meet a deadline, it can also introduce new problems,
such as relying on people who are less experienced, and placing
more stress and responsibility on senior developers.
Of course, this is not always the case, and within organisations
like Google and Amazon, there are highly efficient, welldefined
software development processes. However, not every
organisation has those kinds of resources. Plus, more traditional
hardware-based companies moving to IoT development also
have to adapt to accommodate a far more software-centric
world. Generally kept separate, hardware and software teams
now need to collaborate far more closely on the same projects,
www.eenewsembedded.com September 2019 Embedded 17 News eeNews Europe
/
/www.eenewsembedded.com
