IoT devices are everywhere today, from smart toothbrushes and doorbells to glucose monitors and connected inhalers. The breadth of existing and potential devices is staggering. And IDC predicts that by 2025 there will be 55.7 billion connected devices worldwide.
With this type of growth comes opportunity, not only for makers and users of devices but also for cybercriminals. Attacking IoT devices is not a new phenomenon. For example, in September 2016 the first widescale IoT attack happened with the help of the Mirai botnet. Because Mirai was self-propagating, more than 600,000 IoT devices were hacked by the botnet by November 2016. Since then, it’s only gotten worse as the number and kinds of connected devices have increased. The first six months of 2021 saw a more than 100-percent growth in cyberattacks against IoT devices with 1.5 billion compromised devices, according to a recent Kaspersky report.
Hackers love to target smart devices as gateways to entire networks and systems. IoT devices are embedded with sensors, processing ability, software, and other technologies that allow the device to connect and exchange data with other devices and systems over the Internet or other communications networks. Attackers only need to exploit a single weak point in the device to gain access to the entire network and engage in malicious behavior like distributed denial-of-service attacks, malware distribution, spamming and phishing, click fraud, and more.
Fishing for Information
Case in point, cybercriminals hacked a casino through an IoT thermometer in a fish tank in the casino lobby. Hackers were able to exploit a vulnerability in the connected thermometer and gain access to the casino network. They accessed a high-roller database and were able to pull that back across the network, out the thermostat, and finally up to the cloud.
It’s easy to see how this attack might occur. Who would think to secure a fish tank thermometer? As manufacturers roll out newly connected devices, many lack the expertise in embedded device, firmware, and security protocols to identify and protect against potential security vulnerabilities. To be successful moving forward, IoT device manufacturers need to address known vulnerabilities in succeeding products and release patches for existing ones. IoT device manufacturers also need to consider security right from the design phase for any future product releases.
There are numerous ways to secure IoT devices to minimize threat exposure such as using strong passwords and changing them every 30-90 days, using multi-factor authentication where possible, securing your internet connection, utilizing network segmentation and more. But one of the most important ways to keep your devices secure is to deploy regular software updates to fix bugs, patch security vulnerabilities, and address emerging threats.
The sheer numbers and nature of these low-powered, inaccessible, and often remotely administered IoT devices make software updates a challenge. The traditional method of manually updating firmware is cost-prohibitive and impractical if not impossible when it comes to large fleets of connected devices. That’s where over-the-air (OTA) updates come in. OTA updates involve remotely updating the software on a connected device. The update is delivered wirelessly “over the air” and sent directly to the device.
Homegrown vs. OTA Solution Provider
Many organizations are showing an increased interest in OTA technologies, and this will bring them to ask ‘Should we build our own OTA solution, or should we leverage a proven SaaS-based solution?’ Although internally developing an OTA software and data management solution can provide more control, the trade-off comes with a significantly higher price tag and longer deployment timelines.
Contributing factors to the higher cost and longer deployment timeframe include:
- R&D
- Software/firmware development
- Testing and validation
- Integration with legacy systems
- Long term support and maintenance
- Software update failure troubleshooting
- Emerging regulatory compliance
- Staffing and management of resources required to manage the platform
Building an in-house OTA update solution takes longer to develop because it requires an entire team dedicated to the research, design, implementation, and maintenance of the system, including extensive IT department involvement in setting up and maintaining a server(s) to handle the OTA traffic from potentially millions of devices.
If you don’t have unlimited time and resources, managed OTA update solutions can prove easier to integrate and more cost-effective, require fewer resources, and scale quickly to keep up with your company’s growth. A fully optimized end-to-end OTA update platform can also minimize risk, increase efficiency, and enhance security and uptime.
Before you choose a solution provider, here are some key questions to consider when thinking about OTA update solutions for IoT devices:
- Does the OTA update platform provide recovery from failed updates?
- Are updates authenticated and integrity-protected end to end?
- Can you customize the deployment of OTA updates to minimize risk and resources?
- Does the OTA update solution integrate seamlessly into diverse environments?
- Will the platform scale with your growth?
- Is it easy to get set up and started?
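The first two questions above, as an added sketch that is not part of the original article or any vendor's code: a simulated device authenticates the update manifest, checks the image digest, and writes to a spare slot so that a failed update leaves the running firmware in place. The HMAC shared key, the manifest fields and the A/B slot model are assumptions chosen for illustration, and the version check goes beyond what the article lists.

```python
import hashlib, hmac, json

DEVICE_KEY = b"constructed-demo-key"  # assumption: per-device secret set at manufacture

def sign_manifest(manifest: dict, key: bytes) -> str:
    """MAC over the canonical JSON form of the manifest (hypothetical format)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_update(image: bytes, version: int, key: bytes = DEVICE_KEY):
    """Server side: build a manifest that commits to the image, then tag it."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key)

class Device:
    """Simulated device with two firmware slots; only one is active."""
    def __init__(self, image: bytes, version: int):
        self.slots = {"A": (image, version), "B": None}
        self.active = "A"

    def apply_update(self, manifest, tag, image, boots_ok=lambda img: True):
        # 1. Authenticate the manifest before trusting any field in it.
        if not hmac.compare_digest(sign_manifest(manifest, DEVICE_KEY), tag):
            return "rejected: bad manifest MAC"
        # 2. Integrity: the image must match the digest the manifest commits to.
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            return "rejected: image digest mismatch"
        # 3. Refuse anything that is not newer than the running version.
        if manifest["version"] <= self.slots[self.active][1]:
            return "rejected: version not newer"
        # 4. Write to the inactive slot; the running image is never overwritten.
        spare = "B" if self.active == "A" else "A"
        self.slots[spare] = (image, manifest["version"])
        # 5. Trial boot: switch slots only if the new image passes its health check.
        if not boots_ok(image):
            return "rolled back: new image failed health check"
        self.active = spare
        return "updated"

if __name__ == "__main__":
    dev = Device(b"fw-v1", 1)              # constructed sample firmware
    m, t = make_update(b"fw-v2", 2)
    print(dev.apply_update(m, t, b"fw-tampered"))
    print(dev.apply_update(m, t, b"fw-v2", boots_ok=lambda i: False), dev.active)
    print(dev.apply_update(m, t, b"fw-v2"), dev.active)
```

A symmetric MAC keeps the device-side cost low, but any device holding the key can forge updates for others that share it; a signature scheme removes that exposure where the hardware can afford verification.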
Another very important factor to consider is whether the platform’s security is flexible or one size fits all.
The range of IoT devices is incredibly diverse – from a simple pH sensor in a water system to a more complex cardiac monitoring device. Some devices have extremely low capabilities or power, and they might not have the compute capability to decrypt data or instantiate advanced protocols. That’s why OTA update strategies must be carefully designed to balance security requirements with processing power, bandwidth and speed while protecting the device’s battery life. It’s important to choose a solution provider that doesn’t enforce the level of security the end developers might use.
Conclusion
More and more IoT manufacturers are recognizing OTA updates as a critical pathway to secure and ensure the future viability of their products. Now companies must decide whether building their own OTA firmware system is worth the time and cost, or if using a commercial OTA update platform is a more efficient and effective way to update their IoT devices. If you decide to choose a managed OTA update solution, it’s important to select a robust and reliable platform that will scale with your company’s growth.