As the Internet of Things (IoT) becomes more and more viable, there is an underlying issue that developers need to address: defining which ‘Things’ should be internet-connected and what value-add that connectivity provides. Whether talking about home security or traffic control or even the convenience of having your home set to a comfortable temperature before you get there, the key to developing these solutions is to define what each ‘Thing’ does and determine the advantages that can be gained by making the ‘Thing’ a smart thing.
Black Hat Target – IoT Adoption
This is pretty standard development practice, but if the internet has taught us anything, it is that “Standard” in the real world differs radically from “Standard” on the internet. Contending with traffic spikes, internet-based attacks and the problems caused by applications that don’t work quite as intended are some of the many facets of developing for the internet that are anything but “Standard”. Ordinary consumers will make mistakes or try to use applications in ways they were never intended to be used and these actions can create unforeseen problems for developers as they try to enhance applications to fix those problems. On top of that, attackers can target these new IoT devices trying to disable or take control of them. Whether the attack is intended to create havoc or to provide a blackmail opportunity, IoT applications are going to be a prime target for the black hat community worldwide.
The job of the developer, then, is to:
- Define what service each ‘Thing’ on the internet will be providing.
- Determine what Applications must do to interact with the ‘Thing’.
- Define APIs that Applications and ‘Things’ will use to send information or commands.
- Create any new protocols necessary to facilitate information transfer between IoT ‘Things’ and the controlling application.
Developers Must Break & Secure IoT
The creative requirement behind the development will be to look at every device we currently use (heating/cooling systems, household appliances, city water systems, traffic control and the like) and define each thing that it does. Then developers will have to break down the steps it takes to make the device do those things and create the decision-making logic it will take to have an application take over. Finally, developers will have to try to ‘break’ the application to see what happens when an IoT device either misses some incoming information or receives information that doesn’t follow the process.

For example, a User may use IoT to have the SmartHeater in their home turn on and maintain a 78-degree temperature. If the command fails to reach the heater, the User will be unhappy when they get home and the house is cold. If the User mistakenly enters 178 degrees instead of 78, the IoT device may not know how to handle the request because the temperature is outside its operating range. In either case, some part of the IoT application has to respond, either to acknowledge the request so the User knows the task is being done or to indicate that the temperature is outside its range. The developer is also going to have to put security checks in the Application code to validate that the request is coming from a legitimate location.
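The SmartHeater scenario above, sketched as an added example (not code from the original article): the heater authenticates each command, refuses stale or repeated ones, range-checks the setpoint, and always answers with an acknowledgement or a reason. The HMAC shared key, the JSON field names, the 50-90 degree range and the 30-second freshness window are all assumptions made for illustration.

```python
import hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-key"  # assumption: per-device secret provisioned out of band
MIN_F, MAX_F = 50, 90                 # assumption: heater's supported setpoint range (deg F)
MAX_SKEW_S = 30                       # assumption: accepted clock skew for freshness
_seen_nonces = set()                  # in-memory replay cache; a real device would bound/expire it

def sign(body: bytes, key: bytes = SHARED_KEY) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_command(temp_f, nonce: str, ts: float, key: bytes = SHARED_KEY):
    """Controller side: build a signed command (constructed wire format)."""
    body = json.dumps({"set_temp_f": temp_f, "nonce": nonce, "ts": ts}).encode()
    return body, sign(body, key)

def _reject(reason: str, **extra) -> dict:
    return {"status": "rejected", "reason": reason, **extra}

def _is_number(x) -> bool:
    return isinstance(x, (int, float)) and not isinstance(x, bool)

def handle_command(body: bytes, tag: str, now: float = None) -> dict:
    """Heater side: authenticate, check freshness, validate range, then reply."""
    now = time.time() if now is None else now
    # 1. Authenticate before parsing, so unauthenticated bytes never reach the JSON parser.
    if not hmac.compare_digest(sign(body).encode(), tag.encode()):
        return _reject("bad_signature")
    try:
        msg = json.loads(body)
        temp, nonce, ts = msg["set_temp_f"], msg["nonce"], msg["ts"]
    except (ValueError, KeyError, TypeError):
        return _reject("malformed")
    if not (_is_number(temp) and _is_number(ts) and isinstance(nonce, str)):
        return _reject("malformed")
    # 2. Freshness: refuse old or repeated messages (NaN timestamps fail this test too).
    if not abs(now - ts) <= MAX_SKEW_S or nonce in _seen_nonces:
        return _reject("stale_or_replayed")
    _seen_nonces.add(nonce)
    # 3. Range check: 178 is refused with a reason rather than silently dropped.
    if not MIN_F <= temp <= MAX_F:
        return _reject("out_of_range", allowed=[MIN_F, MAX_F])
    # 4. Acknowledge, echoing the nonce so the controller can match reply to request.
    return {"status": "ack", "set_temp_f": temp, "nonce": nonce}
```

A controller that receives no reply within its timeout knows the command never reached the heater and can alert the User instead of leaving the house cold.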
It’s Crucial to Test IoT Applications
This points out the necessity for developers to have a testing tool that will allow them to exercise their applications in a real-world setting: a tool that can emulate tens of thousands of users trying to access an IoT device; a tool that will allow for scripting of tests to create legitimate and ‘not-so-legitimate’ exchanges with the IoT device that can emulate someone trying to hack into the application or device; a tool that can, through simple scripted transactions, exercise an application embedded in a smart device to the edge of its specifications and beyond. This type of testing is crucial to ensure that the public has faith in the technology and adopts it willingly. To deploy an IoT device or application without this type of testing leaves the future of IoT technology in the same precarious position that financial institutions and the stock market were in at the dawn of the Internet, or that those businesses are in that, even today, are finding their information and websites being held for bitcoin ransom.