Establishing Principles for Internet of Things Security Part 5
Is it necessary to update the software on the device?
The last blog in this series was about restricting access to a device. This one provides some high-level principles about software updates. If a device is running out-of-date software, it may contain unpatched security vulnerabilities. Such vulnerabilities may allow attackers to exploit the device and its data.
Developers should ensure:
The vendor update and management process follows best security practice.
Security patches/updates are applied in a timely fashion without impacting the functioning of the device.
Only authenticated sources are able to provide security updates or patches.
Accepting unauthenticated updates could give attackers a way to run malicious code on the device.
Users and managers can easily see a device’s patch and update status.
This allows verification that devices adhere to a specified security policy and ensures remedial action can be taken if required.
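The following added example (not from the original post or from IoTSF) sketches how a device can accept updates only from an authenticated source and expose its patch status for policy checks. The names Device, sign_manifest and patch_status, the manifest fields and the demo key are assumptions made for illustration, HMAC-SHA256 stands in for a vendor signature so the code runs with the standard library alone, and the "newer version only" check goes beyond what the principles above state.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for a vendor signature here;
# a production device would normally verify an asymmetric signature and
# hold only the vendor's public key.
VENDOR_KEY = b"constructed-demo-key-not-for-production"


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Device:
    def __init__(self, version: int, key: bytes):
        self.version = version
        self.key = key
        self.last_result = "no update attempted"

    def apply_update(self, manifest: dict, tag: str, image: bytes) -> bool:
        """Install the image only if every check passes; record the outcome."""
        expected = sign_manifest(manifest, self.key)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            self.last_result = "rejected: manifest not authenticated"
        elif hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
            self.last_result = "rejected: image does not match manifest"
        elif manifest.get("version", 0) <= self.version:
            self.last_result = "rejected: not newer than installed version"
        else:
            self.version = manifest["version"]  # a real device would flash here
            self.last_result = "installed"
            return True
        return False

    def patch_status(self, latest_version: int) -> dict:
        """Status a user or fleet manager can read to check policy compliance."""
        return {
            "installed_version": self.version,
            "up_to_date": self.version >= latest_version,
            "last_update_result": self.last_result,
        }
```

The authentication tag covers the manifest, and the manifest carries the image hash, so a change to either the metadata or the image causes the update to be rejected before anything is installed.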
The next part of the blog series will look at managing and transferring ownership of devices.
There are 7 elements to the IoTSF security principles blog: