The Internet of Things (IoT) has become a term to describe the billions of smart connected devices. IoT includes everything from wearable devices, smart home appliances, roadside sensors, factory control devices, medical devices, automobiles, and more.
According to Gartner, 20.8 billion devices will be a part of the global IoT ecosystem by the end of 2020.
The sheer volume and diversity of devices and the sensitivity of the data that they gather make IoT security critical. Opportunist hackers constantly seek new, disruptive ways to access and exploit sensitive data and there have already been many IoT-related attacks. For instance, in 2016 the Mirai Botnet attack reprogrammed insecure IoT devices to perform a massive denial of service attack, taking out much of the US East Coast internet infrastructure.
IoT Brings Opportunities and Risk
The ability to capture and analyze data from distributed connected devices offers businesses the potential to optimize processes, create new revenue streams, and improve customer service. However, IoT also exposes organizations to new security vulnerabilities introduced by increased network connectivity and devices that are not secure by design. New threats arise on a near-daily basis. Experienced attackers are able to pivot to other systems by leveraging vulnerabilities in IoT devices, making them an increasingly targeted entry point. Over time, the result is irrecoverable losses, both tangible and intangible.
Protecting IoT Systems and Devices
IoT security methods or strategies largely depend on specific IoT applications and the role they play in the IoT ecosystem. IoT manufacturers must focus on building security from the get-go by ensuring the trusted identity of devices, making hardware tamper-proof, enabling secure upgrades, providing secured firmware updates, and performing all necessary testing.
Considering the current challenges facing IoT security, businesses must adopt IoT security protocols and specialized strategies to ensure the protection of sensitive data gathered and communicated by such devices.
Effective Security Measures for Safe Deployment of IoT Devices:
Trusted Device Identities Based on Public Key Infrastructure (PKI)
PKI is the foundation on which transactions online can be executed securely. It is an encryption framework based on cybersecurity best practices that facilitates secure communication between the server and the client device. PKI allows businesses to securely authenticate all stakeholders in any transactions associated with them.
The technology underpinning SSL/TLS, many corporate identity schemes, secure email, and other systems, PKI uses a cryptographic method that supports a linked pair of different keys, one public and one private. It provides the ability for both the client and the server to authenticate each other and to securely send data to one another.
PKI technology can be used to provision trusted device identities into IoT devices. Although a single cryptographic key or public key certificate can suffice for simple applications, most IoT applications require a more complex data structure that includes metadata, authorization statements, and cryptographic credentials.
- Metadata contains descriptive information on the device type, manufacturer, model, and version number, and can also include attributes describing its functionality. For example, a camera’s metadata might indicate whether it has the capability to shoot video, photos, or both.
- Authorization statements are permissions that describe what the device is allowed to do. Some multi-functional devices might use only a subset of their capabilities for certain use cases. For example, a camera’s video recording may be prohibited for legal reasons in some installations, but photography may be permitted.
- A device may need several types of cryptographic keys and certificates. For example, it might need keys to authenticate services, encrypt data, or verify code signatures. All certificates (cryptographic and authentication keys) will typically be tied to a unique root certificate issued by a certificate authority (CA). Some of the certificates in the associated certificate hierarchy might need to be included to verify the identity of the services the device interacts with.
To prevent tampering, the entire device identity should be protected with a digital signature. Since the device identity can contain sensitive information such as private keys and CA root certificates, it needs robust protection. This can be done by delivering the identity to the device over a secure, authenticated channel. Once on the device, the sensitive materials or the entire device identity will need to be stored securely; for example, in hardware-backed secure storage.
Certain security products like Intertrust’s whiteCryption® Secure Key Box™ (SKB) and Seacert® help eliminate these challenges and protect cryptographic keys and data by employing advanced technologies based on white-box cryptography. SKB is a software library that provides a suite of standard cryptographic functions to be performed, but in such a way that the keys are never unencrypted, even when in use. It eliminates the ability of hackers to gain access to keys from the memory of the device.
Seacert is a managed PKI service that specializes in delivering device identities at scale for trusted ecosystems. It is primarily meant for businesses that need security and control over all stakeholders associated with them. Seacert equips devices with the capability to receive additional secure data and ensures that they can provide mutual authentication for both endpoint and server n, as well as deliver secured data, applications, firmware, and more.
As billions of devices are connecting to the internet each day, it is critical to authenticate each device trying to connect to your business’s network. PKI is the most recognized and used method to provide these identities and to validate that they are genuine.
Encrypted Security Layers
Many IoT devices are not designed with security layers. Building in these encrypted security layers during the development process goes a long way toward boosting device security. The design should involve devices with the ability to securely update OSes and high performing hardware that keeps a check on data from the start to finish of communication, creating a safer environment for storing and transferring data.
Bad actors may seek opportunities to inject unauthorized code during the manufacturing process or when the device code is updated. For example, when you need to update the firmware to provide additional functionality or patch a vulnerability. Use preventive security measures to harden code infrastructure and perform regular tests to ensure it is secure at all times. Code can be signed before being delivered and should be authenticated by the device being installed—PKI mechanisms can be utilized here.
Baking in IoT Device Security
If your organization develops IoT devices it is critical to build in device security, applying the core principles of trusted identity, authentication, secure communication and update mechanisms, and code hardening. If you consider security early in the design phase, it will be easier to build an effective, protected device.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stem from his experience as the founder of a cybersecurity company with products in the mobile application security space.