IoT Security: Uplift your career and skills

IoT (Internet of Things) is a technological revolution that has brought myriad benefits and positive impact to our daily lives, by connecting devices and systems to help us live and work more efficiently. The growth of IoT naturally comes with risks, especially regarding security and privacy – and as you may know these are topics Resillion is quite passionate about! 

What is the IoT and why do we need to upskill?

The Internet of Things, or IoT, is a term used to describe a collective network of connected devices, the technology that enables communication between those devices and the cloud, and the devices themselves, often called ‘smart devices’.

IoT devices can include sensors – such as temperature and passive infrared – actuators (including HVAC and domestic heating controls), appliances and gadgets. What distinguishes these devices is their ability to transmit data over the internet or other networks.  

What risks do IoT devices face?  

The proliferation and popularity of IoT devices does bring with it risks, especially in terms of security and privacy, and addressing these problems is something that Resillion is passionate about. The pace of change in IoT and smart device development is high, and so are the attempts by hostile cyber forces to control them. That’s why we always need to ensure we not only keep up with the technology but also continually upskill our development teams.  

This is one of the reasons why ensuring the security of devices demands our full attention. In the field of education, this is apparent through the intensive cooperation with various educational institutions, such as the Amsterdam University of Applied Sciences. Increasing relevant knowledge and skills in the field of ‘smart’ devices is an important theme in this. 

One of the most fun outputs of this collaboration is the group projects: a small group of students forms a project team and gets to work on a topic proposed by Resillion. As they work on the projects, the students get a chance to take a look behind the scenes and learn a lot about device security at the same time.

Vulnerable-by-Design environments: a safe haven for learning

Our work with the Amsterdam University of Applied Sciences takes many forms. This is inevitable, as the threat to IoT and smart devices is itself complex. It is important that students are exposed to complex situations, and we do this using ‘vulnerable-by-design’ simulation projects.

What is a vulnerable-by-design environment?

A vulnerable-by-design system is an IT system (application, server or device) in which security vulnerabilities are deliberately included. This creates an environment where vulnerabilities can be investigated in practice. In effect, it is a kind of practice environment where ethical hackers can discover vulnerabilities first-hand, get to the bottom of them and test the effectiveness of protective measures.

Why is a vulnerable-by-design environment important?

Vulnerable-by-design environments are also used for developers and administrators of IT systems. They are interesting for this group too, because they provide an opportunity to ‘step into the shoes’ of a hacker and experience a cyber attack in a secure environment. In practice, this appears to have a stimulating effect on awareness around information security. A vulnerable-by-design environment is not only instructive, but also just plain fun. It gives participants a huge kick the moment they manage to break through a security measure.

The vulnerable-by-design environment for IoT currently uses the ESP32 microcontroller. Due to its simplicity of use, features, and compatibility, this is currently one of the most popular microcontrollers on the market for use in devices. Examples of vulnerabilities in the environment are based on vulnerabilities Resillion encounters in practice: hard-coded keys, poor authorisation, weak encryption, firmware extraction, insecure protocols and unnecessary (debug) interfaces. They are also based on requirements such as those of ETSI EN 303 645 and the EU Radio Equipment Directive (RED).

Collaboration with the Hogeschool van Amsterdam

Our collaboration with the student project of the Hogeschool van Amsterdam typically consists of two phases, the first of which is detecting vulnerabilities in the device. Usually, students’ practical knowledge on this subject is still quite limited. This phase therefore provides an opportunity to brush up on that knowledge. The second phase of the project is about improving the environment, for instance by adding new vulnerabilities, removing unintentional vulnerabilities or extending documentation.  

This is also valuable for Resillion because it allows us to continuously improve the environment and keep it up to date. Vulnerable-by-design environments sometimes tend to become outdated, reducing relevance. We therefore carry out these kinds of student projects on a regular basis and each time we update the criteria to reflect the current status of cyber security. 

Conclusion

The security of IoT devices will remain a hot topic in the coming years. It is relevant for all parties involved, including users and manufacturers, to have sufficient knowledge and skills regarding the security aspects of this product group. Do you have further questions about IoT security, training in this area or our collaboration with the Hogeschool van Amsterdam? We are always ready to answer your questions and help you in your journey towards a more secure IoT environment. Please feel free to contact us.
