Is it necessary to update the software on the device?
The last blog in this series was about restricting access to a device. This one provides some high-level principles about software updates. If a device is running out-of-date software, it may contain unpatched security vulnerabilities. Such vulnerabilities may allow attackers to exploit the device and its data.
Developers should ensure:
- The vendor update and management process follows best security practice.
- Security patches/updates are applied in a timely fashion without impacting the functioning of the device.
- Only authenticated sources are able to provide security updates or patches.
  - Accepting unauthenticated updates could give attackers a way to run malicious code on the device.
- Users and managers are easily able to see a device’s patch and update status.
  - This allows verification that devices adhere to a specified security policy and ensures remedial action can be taken if required.
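
A sketch of the authenticated-source and patch-status principles above, as an added example that is not code from the original post or from IoTSF. The `Manifest` format, the `VerifyUpdate` and `PatchStatus` names, and the choice of Ed25519 signatures are assumptions for illustration; the version check goes slightly beyond the text by also rejecting a signed but older update.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Manifest is a hypothetical update descriptor; the field names are assumptions.
type Manifest struct {
	Version   int    `json:"version"`    // monotonically increasing build number
	ImageHash string `json:"image_hash"` // SHA-256 of the firmware image, hex
}

// VerifyUpdate accepts a manifest only if the vendor key signed it and it is newer than the installed version.
func VerifyUpdate(vendorKey ed25519.PublicKey, raw, sig []byte, installed int) (*Manifest, error) {
	if !ed25519.Verify(vendorKey, raw, sig) {
		return nil, fmt.Errorf("signature check failed: update source not authenticated")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("malformed manifest: %w", err)
	}
	if m.Version <= installed {
		return nil, fmt.Errorf("version %d is not newer than installed %d", m.Version, installed)
	}
	return &m, nil
}

// PatchStatus returns the status string a user or fleet manager would be shown.
func PatchStatus(installed, policyMin int) string {
	if installed >= policyMin {
		return "compliant"
	}
	return fmt.Sprintf("out of date: installed %d, policy minimum %d", installed, policyMin)
}

func main() {
	// Constructed demo key pair and manifest; a real device ships only the public key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	raw := []byte(`{"version":7,"image_hash":"<sha256-of-image>"}`)
	sig := ed25519.Sign(priv, raw)
	_, err := VerifyUpdate(pub, raw, sig, 5)
	fmt.Println("genuine update accepted:", err == nil)
	raw[11] = '9' // tamper with the version digit after signing
	_, err = VerifyUpdate(pub, raw, sig, 5)
	fmt.Println("tampered update rejected:", err != nil)
	fmt.Println("status:", PatchStatus(5, 7))
}
```

The signature is checked before the manifest is parsed, so unauthenticated bytes never reach the JSON decoder.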
The next part of the blog series will look at managing and transferring ownership of devices.
Edited by David Rogers, CEO Copper Horse Solutions Ltd., Member of the Executive Steering Board IoTSF.