1469  Secure Data and Software

1469.1 Overview

Secure data and software means protecting IoT systems from vulnerabilities in code (software security) and ensuring data remains confidential and unmodified throughout its lifecycle (data security). This comprehensive topic is covered across four focused chapters:

Tip: Chapter Navigation

This material is organized into four focused chapters for easier learning:

| Chapter                        | Topics                                                      | Time    |
|--------------------------------|-------------------------------------------------------------|---------|
| Software Vulnerabilities       | OWASP Top 10, XSS, SQL Injection, Local/Remote Exploits     | ~25 min |
| IoT Protocol Security          | MQTT Security, CoAP/DTLS, Protocol Comparison               | ~20 min |
| Authentication and Credentials | Password Attacks, MFA, STRIDE, Risk Assessment              | ~20 min |
| Firmware Security              | Secure Boot, Code Signing, OTA Updates, Rollback Protection | ~30 min |

Recommended order: Start with Software Vulnerabilities, then Protocol Security, Authentication, and finally Firmware Security.

1469.2 Learning Objectives

Across these chapters, you will be able to:

  • Identify Software Vulnerabilities: Recognize OWASP Top IoT vulnerabilities including authentication, access control, and injection flaws
  • Apply Secure Coding Practices: Implement input validation, output encoding, and secure memory management in IoT firmware
  • Protect Stored Data: Use encryption, secure storage, and proper key management for data at rest on IoT devices
  • Secure Data in Transit: Implement TLS/DTLS and application-layer encryption for IoT communications
  • Manage Firmware Security: Design secure update mechanisms with code signing and rollback protection
  • Audit and Test Security: Apply static analysis, dynamic testing, and penetration testing to IoT software

1469.3 Prerequisites

Before diving into these chapters, you should be familiar with:

1469.4 The Three Places Data Needs Protection

Data exists in three states—each needs different protection:

| State      | What It Means       | Real Example                   | Protection    |
|------------|---------------------|--------------------------------|---------------|
| At Rest    | Stored on device    | Wi-Fi password in flash memory | Encryption    |
| In Transit | Moving over network | Sensor data going to cloud     | TLS/HTTPS     |
| In Use     | Being processed     | Password being checked         | Secure memory |

[Figure: three data states and their protection mechanisms. Data at Rest: flash memory / database storage, protected by AES-256 encryption. Data in Transit: network transfer over Wi-Fi/cellular, protected by TLS/DTLS encryption. Data in Use: processing / authentication check, protected by secure memory. Data moves from rest into transit, arrives from transit back at rest, and is loaded from rest for use.]

Figure 1469.1: Three Data States: At Rest, In Transit, and In Use Protection Mechanisms

1469.5 Key Security Concepts

1469.5.1 Defense in Depth

Security requires 7 layers of protection:

  1. Network Security: TLS/DTLS encryption (confidentiality)
  2. Authentication: Username/password or certificates (identity)
  3. Authorization: Topic/resource-level access control (permissions)
  4. Input Validation: Whitelist approach (prevent injection)
  5. Secure Coding: Parameterized queries, output encoding (prevent exploitation)
  6. Updates: Regular patching (remediate discovered vulnerabilities)
  7. Monitoring: Audit logs and anomaly detection (detect breaches)

1469.5.2 Common Misconception: “Encryption Alone Makes My IoT System Secure”

Encryption protects confidentiality (data in transit) but doesn’t address authentication (who is connecting?) or authorization (what can they access?). The 2016 Mirai botnet compromised 600,000+ IoT devices using default passwords—many of which supported encrypted protocols but didn’t enforce authentication.
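The misconception above in concrete form, as an added example that is not part of the original chapter: a Mosquitto MQTT broker configuration with TLS enabled but no authentication or authorization, followed by the corrected version that enforces all three layers. File paths, user names and topic names are placeholders chosen for the example.

```conf
# Added example: Mosquitto broker configuration (paths are placeholders).

# --- Weak: encrypted listener, but anyone who can reach port 8883 may connect
# --- and publish or subscribe to every topic. TLS alone gives confidentiality,
# --- not identity or permissions.
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
allow_anonymous true

# --- Corrected: same encrypted listener, plus authentication and authorization.
# (Replace the weak block above with this one; a listener is defined once.)
# listener 8883
# cafile /etc/mosquitto/certs/ca.crt
# certfile /etc/mosquitto/certs/broker.crt
# keyfile /etc/mosquitto/certs/broker.key
# tls_version tlsv1.3
# Layer 2, authentication: every client must present a username and a
# password hashed in the password file (created with mosquitto_passwd).
# allow_anonymous false
# password_file /etc/mosquitto/passwd
# Alternative for certificate-based identity: require a client certificate
# signed by cafile and take the username from its CN.
# require_certificate true
# use_identity_as_username true
# Layer 3, authorization: topic-level access control.
# acl_file /etc/mosquitto/acl
# Layer 7, monitoring: log connections so unexpected clients are visible.
# log_type all
# connection_messages true

# --- Contents of the ACL file referenced above (/etc/mosquitto/acl):
# Each device may only write under its own topic prefix (%u = its username);
# the backend may read all sensor data but write nothing.
# pattern write sensors/%u/#
# user backend
# topic read sensors/#
```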

1469.6 Chapter Summaries

1469.6.1 1. Software Vulnerabilities and Web Security

  • OWASP Top 10 IoT vulnerabilities and prioritization
  • Cross-Site Scripting (XSS) attack mechanisms and prevention
  • SQL Injection and parameterized query defenses
  • Local vs remote exploit categories
  • Defense-in-depth layered security model

1469.6.2 2. IoT Protocol Security

  • MQTT publish-subscribe architecture and security configuration
  • UTF-8 validation DoS attacks and mitigation
  • CoAP/DTLS for constrained devices
  • Amplification attack prevention
  • Protocol selection guide (MQTT vs CoAP vs HTTP)

1469.6.3 3. Authentication and Credential Security

  • Password attack methods: brute force, dictionary, rainbow tables
  • Secure password storage with bcrypt/Argon2 and salting
  • Multi-factor authentication implementation
  • Default credential elimination strategies
  • STRIDE threat modeling and risk assessment

1469.6.4 4. Firmware Security and Secure Updates

  • Secure boot chain design with hardware root of trust
  • Code signing with certificate hierarchies
  • Anti-rollback protection using OTP fuses
  • A/B partition schemes for atomic updates
  • Automatic rollback on boot failure
  • Hands-on ESP32 secure boot lab

1469.7 Quick Reference: Secure Coding Checklist

Warning: Essential Security Controls

Application Security:

  • [ ] Whitelist input validation (reject everything not explicitly allowed)
  • [ ] Parameterized queries for ALL database operations
  • [ ] Content Security Policy (CSP) headers blocking inline scripts

Authentication:

  • [ ] NEVER use default credentials (admin/admin, root/12345)
  • [ ] Unique per-device credentials generated at manufacturing
  • [ ] Multi-factor authentication for administrative access

Data Protection:

  • [ ] TLS 1.3 for all network communications
  • [ ] AES-256 encryption for data at rest
  • [ ] Secure key storage in TPM/Secure Enclave

Firmware:

  • [ ] Code signing with HSM-protected private keys
  • [ ] Anti-rollback counters in OTP memory
  • [ ] Automatic rollback on boot failure (3 attempts)

1469.8 What’s Next

Start with the first chapter in this series:

Software Vulnerabilities and Web Security - Learn about OWASP Top 10, XSS, SQL Injection, and defense-in-depth strategies.

After completing all four chapters, continue to User Experience Design to explore human factors in IoT systems.