Is it necessary to update the software on the device?
The last blog in this series was about restricting access to a device. This one provides some high-level principles about software updates. If a device is running out-of-date software, it may contain unpatched security vulnerabilities. Such vulnerabilities may allow attackers to exploit the device and its data.
Developers should ensure:
- The vendor update and management process follows best security practice.
- Security patches/updates are applied in a timely fashion without impacting the functioning of the device.
- Only authenticated sources are able to provide security updates or patches.
  - Allowing unauthenticated updates could give attackers a way to run malicious code on the device.
- Users and managers are easily able to see a device’s patching update status.
  - This allows verification that devices adhere to a specified security policy and ensures remedial action can be taken if required.
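To make the last two principles concrete, here is an added example (not IoTSF code) of a device-side check that accepts an update only from an authenticated source and records a status that users and managers can read. The `Manifest` layout, the `Status` fields, `ApplyUpdate`, `Demo` and the choice of Ed25519 signatures are assumptions made for illustration; the keys and image are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed update descriptor (an assumption, not an IoTSF format).
type Manifest struct {
	Version   string
	ImageHash [32]byte // SHA-256 of the update image
}
// signedBytes is the exact byte string the vendor signs and the device verifies.
func (m Manifest) signedBytes() []byte {
	return append([]byte(m.Version+"\x00"), m.ImageHash[:]...)
}
// Status is the patch state the device exposes to users and managers.
type Status struct{ Installed, LastResult string }

// ApplyUpdate installs only vendor-signed, hash-matching images and records every outcome.
func ApplyUpdate(st *Status, vendorKey ed25519.PublicKey, m Manifest, sig, image []byte) error {
	switch {
	case !ed25519.Verify(vendorKey, m.signedBytes(), sig):
		st.LastResult = "rejected: signature not from vendor key"
	case sha256.Sum256(image) != m.ImageHash:
		st.LastResult = "rejected: image does not match signed hash"
	default:
		st.Installed, st.LastResult = m.Version, "ok"
		return nil
	}
	return errors.New(st.LastResult)
}

// Demo runs three updates against constructed keys and a constructed image.
func Demo() (afterReject string, final Status, forged, tampered, good error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key pair; pub is pinned on the device
	_, other, _ := ed25519.GenerateKey(nil)  // key the device does not trust
	image := []byte("constructed firmware image")
	m := Manifest{Version: "1.0.1", ImageHash: sha256.Sum256(image)}
	sig := ed25519.Sign(priv, m.signedBytes())
	final = Status{Installed: "1.0.0"}
	forged = ApplyUpdate(&final, pub, m, ed25519.Sign(other, m.signedBytes()), image)
	tampered = ApplyUpdate(&final, pub, m, sig, []byte("modified image"))
	afterReject = final.Installed
	good = ApplyUpdate(&final, pub, m, sig, image)
	return
}
func main() { fmt.Println(Demo()) }
```

The installed version changes only after both checks pass, and a rejected update leaves a reason in `LastResult` so the device's status shows why it is still on the older version.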
The next part of the blog series will look at managing and transferring ownership of devices.
There are 7 elements to the IoTSF security principles blog:
- Part 1. Establishing Principles for Internet of Things Security
- Part 2. Does the data need to be trusted?
- Part 3. Is the safe and/or timely arrival of data important?
- Part 4. Is it necessary to restrict access to or control of the device?
- Part 5. Is it necessary to update the software on the device? [this blog posting]
- Part 6. Will ownership of the device need to be managed or transferred in a secure manner?
- Part 7. Does the data need to be audited?
Edited by David Rogers, CEO Copper Horse Solutions Ltd., Member of the Executive Steering Board IoTSF.