TWiTIoT: This Week in The Internet of Things – Better Security for IoT Devices. For Users? Not So Much

Greetings, and welcome. This week, a promising new approach to more interoperability and security for IoT devices, and yet more proof users need help with passwords. Lots of help. Soon. And often.

As always, your thoughts, reactions, and suggestions welcome. Just send a quick email to And for more on the IoT and IIoT, check out “DortchOnIT’s Industrial Internet of Things (IIoT) Weekly.” Thanks.

Start-Up Aims to Enable Easy, Standardized Security for IoT Devices

What Happened: A new company announced plans to deliver a standard software platform to enable greater security and easier software updates for IoT devices.

  • As TechCrunch reported, intends to offer “a standard way to secure devices and deliver updates over the air.” The goal is to provide “a long-term solution to the device update problem by providing a way to deliver updates over the air in an automated manner on any device from tiny sensors to smart thermostats to autonomous cars.”
  • The company offers two different solutions. “The Zephyr RTOS microPlatform is designed for smaller, less complex devices. For those that are more complex, Foundries offers a version of Linux called the Linux OE microPlatform.”
  • The company is offering three pricing tiers for access to its platform and related resources. A hobbyist and education package is $10 per month. Zephyr RTOS is $10,000 per year, while Linux OE is $25,000 per year. “These are one-time prices and apply by the product, regardless of how many units get sold and there is no lock-in,” according to the company’s CEO.

What It Means: Anything that makes it easy and affordable for IoT device developers to improve the security of those devices is good for them, good for users, and good for the entire IoT market.

What You Should Do: If you manufacture IoT devices or services, you should already be looking at what is doing. There will likely be competitors, but there is a lot to be said for a fixed-price, security-minded solution that lets you focus on quality and competitive differentiation. If you are pursuing or considering an IoT device deployment, you should ask every actual and potential provider if they are considering or planning to support the platform. Any who are not should be scrutinized closely regarding current and planned support for security and update features. (See “Patch Management: Why It Matters, Why It’s Likely Broken at Your Business, and What to Do Now” and “TWiTIoT: This Week in The Internet of Things – Every IoT Device A Security Risk?”)

This Just In, Again/Still: Users Still Don’t Get Passwords

What Happened: A security audit revealed that more than a quarter of officials in the Western Australian government had inadequate passwords.

  • As The Washington Post reported, “A security audit of the Western Australian government released by the state’s auditor general this week found that 26 percent of its officials had weak, common passwords – including more than 5,000 including the word ‘password’ out of 234,000 in 17 government agencies.”
  • The most popular password? “Password123,” used by 1,464 of the accounts audited. Another favorite was “password1,” with 813 users. “Almost 13,000 used variations of the date and season, and almost 7,000 included versions of ‘123.’” “In one case, the auditors were able to access an agency’s network – with full system administrator privileges – by guessing the password: ‘Summer123.’”

“In the wake of the report, the government has agreed to step up its security game. It’s in the process of developing new practices to help employees store their password information more securely. The new Office of Digital Government will house a cyber security team dedicated to improving security practices government-wide.”

What It Means: The Western Australian government has discovered what too many other organizations either already know or haven’t yet figured out. Left to their own devices, users cannot be depended upon to create or manage consistently secure passwords.

What You Should Do: Implement a password management solution, and enforce its use by everyone, whether that’s just you or an entire team, department, or company. Forbid connection by users who don’t create adequate passwords and update them regularly. Wherever possible, implement and enforce two-factor authentication (TFA) as well. In other words, treat every user and device exactly the way you should be treating every attempted IoT device connection to your network. If you can’t secure it and can’t update that security whenever you want or need to, ban it from your environment.


Michael Dortch

Michael Dortch has been translating "bits and bytes" and "speeds and feeds" into "dollars and sense" for technology decision-makers for more than four decades. He has helped to launch new products, enable sales teams, influence influencers, and grow website traffic, prospects, leads, and positive perceptions for companies large and small. Learn more at