RTFM: How hard are IoT platform providers making it for their developers?

TL;DR

This paper evaluates how well IoT platform providers support developers in implementing essential security features, revealing significant gaps that hinder security adoption amid upcoming legislation.

Contribution

It provides a detailed survey of documentation and guidance from nine IoT manufacturers regarding security feature support for developers.

Findings

Many IoT providers lack comprehensive guidance on security features.

Support for secure boot, device identity keys, and unique passwords is inconsistent.

Enhanced developer support is needed to meet security standards and legislation.

Abstract

Internet of Things (IoT) devices routinely have security issues, but are the platform designers providing enough support to IoT developers for them to easily implement security features for their platforms? We surveyed the documentation, code and guidance from nine IoT manufacturers to look at what guidance they provided for implementing three security features required by several security standards (secure boot, device identity keys and unique per device passwords). We find that more needs to be done to support developers if we want them to adopt security features -- especially in the face of incoming legislation that will require developers to implement them.