Challenge: How to ensure that our smart coffee machines and ConnectMe application were properly secured?
Solution: Vulnerability assessment for ConnectMe application, security review of coffee machines and evaluation of server configuration.
Result: Optimum security for the entire de Jong DUKE IoT application.
IoT is now commonplace and there are few devices that cannot be connected to the internet. De Jong DUKE, an international family business which designs and manufactures coffee machines and machines for other hot drinks, was at the forefront of this development. In 2010, it was one of the first in the industry to launch a coffee machine with network connectivity. Three years later, de Jong DUKE developed the ConnectMe application, which allows customers like coffee roasting companies, service companies and end users to log into the machines.
In order to ensure that data from the coffee machines and end users is safe, the company had Computest perform a vulnerability assessment on ConnectMe and review the security of the coffee machines.
"Customers can connect to our machines through the ConnectMe online portal and view how many drinks have been consumed, for example to help with restocking and invoicing", says Walter van Berkel, developer and project manager for the ConnectMe software at de Jong DUKE. "They can also see how many errors the machines have had. Moreover, through ConnectMe we can deliver error analysis to help customers understand the trends in that area. Another popular feature is the ability to display content on the machines' screens, so that they also become an internal communication tool."
The data from the ConnectMe portal is also used by some customers to actively monitor the devices and plan maintenance. Monique Klein, ConnectMe product manager: "This is still in its infancy, mind you, but going forwards we see plenty of opportunities for organising maintenance more efficiently in this way."
Vulnerability has consequences for the entire organisation
A vulnerability in ConnectMe not only means that data from the coffee machine may be accessible. It can also affect the rest of the organisation, since ConnectMe is part of the network. Van Berkel: "Obviously you want to avoid that. Our development team, the management team and the executive board all expressed a strong desire to focus on security, in part because the demand for ConnectMe is growing very quickly. After all, as a supplier we have a responsibility to make sure we deliver safe products."
De Jong DUKE was looking for a party that had experience in testing IoT environments and applications and they chose Computest. Van Berkel: "The expertise and experience of their security specialists immediately made us feel that they would be a good partner for us. This was confirmed in practice. Computest not only got to work testing the application, they also looked at the server configuration and subjected the coffee machines to a thorough review. And it was no standard test; we could see that the knowledge of the security specialist is an important factor in the result delivered."
"Our security was good, but Computest has taken it to an even higher level."
Walter van Berkel, developer and project manager
Tips for reducing security risks
The vulnerability assessment revealed several areas where further optimisation was possible. "Our security was good, but Computest has taken it to an even higher level", concludes Van Berkel. "For instance, the test report provided very specific tips and recommendations for reducing the risks. Moreover, it gave us valuable advice for our development team, which we can apply directly when developing ConnectMe further."
"We also really appreciated the fact that the security specialist came to present the report in person and provided a clear explanation of the findings. As a non-techie, that helped me understand what the test results actually meant", says Klein. "We also got some useful pointers for next steps that we could take. Given what they have delivered, the expectations we had of working with Computest have been more than met."
Third Party Memo earns customer confidence
Based on the security measures implemented by de Jong DUKE, the company has been awarded a Third Party Memo (TPM) for ConnectMe's security. "The TPM represents an important added value for us", says Klein. "The fact that we can demonstrate that our security has been tested and is at a high level makes the conversation a lot easier and provides confidence."