A cyber attack occurs every 11 seconds. That means that by the time you finish reading this article, dozens will have occurred.
Hackers are always in search of the path of least resistance. They don’t spend much time pursuing targets that exhibit robust, comprehensive security. They look out for just one tiny chink in the armor to slip through. And nothing provides a better chink than a fragmented Internet of Things network.
Poor device authentication is all a hacker needs to compromise a device, move laterally, and ultimately gain escalated privileges. All it takes is one compromised device identity before they’re able to gain full access to your network.
Fortunately, there is a way to secure trusted devices. Let’s dive into how an IoT device can provide vulnerabilities, and why device authentication is so crucial.
What Is the Internet of Things (IoT)?
The Internet of Things refers to a network of smart, interconnected devices. These devices all fulfill different purposes, but they have the capability to work together. They can provide better security, convenience, and productivity.
The most obvious example of this is the smart home. A smart home IoT may include a doorbell camera, intelligent lights, CCTV cameras, and more. These devices often all operate on the same network.
An IoT network allows the user to have complete control of operations. They can lock or unlock doors, control temperature, and much more from a single access point. They can do this while at home, or away from it.
Further, these devices can cooperate. If the security cameras detect motion, they can send a signal for the lights to turn on. Then they can send a picture of a potential intruder to the owner.
Compromising a device’s authenticity, its “identity,” presents an opportunity for hackers in the home, but that opportunity grows tenfold with a business. Modern businesses are, of necessity, built on the Internet of Things. These smart systems allow organizations to improve operations to remain competitive in the market.
Whatever the case, these smart systems provide a wealth of opportunities. And, as any IT expert knows, a wealth of vulnerabilities for hackers to exploit.
Why device authentication with IoT is problematic
Hackers rely on what are known as attack vectors. An attack vector is anything that provides a possible vulnerability. The more attack vectors you have, the more possible vulnerabilities a hacker can exploit.
Therefore, the more systems you have, the more attack vectors you create. This is why most computers have strict firewalls and limit permissions to certain apps. Even seemingly benign software or hardware can present a point of unauthorized access.
This is the heart of why the Internet of Things can be tricky to secure. Without robust cryptographic device authentication of a physically immutable identity, spoofing and device compromise are easily achieved. Exploit kits are available on the dark web, and they are bought and sold in volume every day to serve a professional hacker community of millions. Hackers use these and other nefarious techniques to access lucrative systems to add to their botnet hordes, or to launch ransomware attacks, or take down critical infrastructure, like a natural gas pipeline in winter.
It’s not just that every additional IoT device you add has its own unique vulnerabilities. When there are many devices from different brands on the same network, it creates protection problems.
You might have intelligent lights from one company, cameras from another, and RFID readers from another. These devices run on their own unique code base and require device-specific updates. Since these devices do not originate from the same ecosystem, they’re susceptible to all sorts of exploits. And without a common security standard that they all abide by, they tend to do things their own way. This complexity and variance is what contributes to a wider “attack surface.” The larger the attack surface, the more one has to defend, spreading limited infosec resources very thinly.
How a hacker can compromise the Internet of Things
Hacking platforms are sophisticated and automated. Active scans occur on any device exposed to the public internet. In fact, the metrics around time to scan and compromise a typical device are astonishing. It only takes a few seconds for a new device to be scanned, and compromise can happen very quickly as tools like Metasploit facilitate automated lookup and retrieval of just the right exploit payload to deliver to the specific hardware, software, and configuration of the targeted device.
Once one device in a network is compromised, or essentially “owned” by the attacker, it’s a trivial exercise to scan the internal network for additional victims. The attacker will move very quickly to compromise as many devices as possible, as fast as possible.
Once achieved, the attacker is able to sniff traffic and perform other surveillance activities to capture sensitive information and enable privilege escalation to fully own the network and its devices. Today’s attacks are not smash-and-grab affairs. They are conducted as advanced persistent threats (APTs) that stay resident for long periods of time. This patient approach aims to fully own nearly all devices on the network as well as the hubs, routers, and gateways. It is only then that the final trap is sprung: exfiltration of sensitive data followed by either wiping or destroying the devices or sending a ransomware notice.
Remember, IoT is all about interconnectivity. The lights talk to the air conditioner, which talks to the employee facial recognition time clock, which connects to the central data bank. Devices connect either to other devices, or they report home to the admin.
You might see the problem here already. All it takes is one weak link to compromise everything. For example, a hacker finds a known exploit to gain access to the lights. The security team hasn’t bothered to update these lights, since, well, they’re lights. They’re of seemingly minimal importance, and thus not worth the time.
But by using that exploit, the hacker has already entered the network. Then they can use the authentication they’ve gained from the lights to leapfrog to other devices or the central mainframe.
In essence, once a hacker is “in,” they have everything they need. They can spread their influence without the admin’s awareness and burrow deep into the system.
An IoT device needs to be, by design, accessible. Devices that cause headaches while trying to connect them are not desirable. Companies would not purchase them, meaning convenience is a key aspect of any IoT device.
To make convenience high, these devices need to provide relatively easy access. This leads companies to loosen security standards to “grease the wheels” of their products. Loose security means their products play better in a diverse ecosystem, leading to happy customers and fluid-functioning systems.
And, of course, terrible security.
How to improve poor device authentication
A key countermeasure is to improve PKI deployment and its associated managed services. PKI stands for public key infrastructure. A PKI enables several features, for example assuring the integrity and authenticity of software, providing secrecy for private communications, and providing strong, robust authentication of a device’s unique identity.
PKI is most commonly used to authenticate websites and encrypt data using transport layer security (TLS) certificates. The TLS network protocol provides encryption, integrity, and authentication, confirming that the parties exchanging information are who they claim to be. This industry standard protocol is used by web browsers, cloud software, and other applications that require data to be securely exchanged over a network. In certificate-based authentication, the user or device proves possession of a private key that is associated with a public key registered with the site. TLS ensures a secure connection and can also provide mutual authentication for both the client and the server. However, mutual authentication can only be trusted if the private key on each end of the communication is protected.
Find the best industry device authentication
Device authentication allows disparate parts of your network to verify device identity. With IoT, trusted devices are essential to maintaining the highest security standards. Fail to create a strict protocol of device authentication, and you run the risk of opening attack vectors for hackers. Proper device authentication provides secure identity provisioning for IoT devices to allow trusted communications with servers for data exchanges and can help identify, isolate, and exclude compromised devices.
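The mutual authentication described in the two paragraphs above, as an added Go example that is not Intertrust code: a fleet CA issues a device certificate, and the gateway-side chain check accepts it while rejecting a certificate that carries the same device name but was signed by an attacker's look-alike CA. The CA name "Example Fleet CA" and the device name "thermostat-0042" are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn with a fresh Ed25519 key: self-signed when parent is nil, otherwise signed by the parent CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// DeviceTrusted is the gateway's mutual-TLS check: the presented certificate must chain to the fleet CA; its name alone proves nothing.
func DeviceTrusted(fleetCA, presented *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(fleetCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Scenario (constructed data): a device certificate from the fleet CA versus a spoof with the same device name from an attacker's look-alike CA.
func Scenario() (genuineAccepted, spoofAccepted bool) {
	fleetCA, fleetKey := issue("Example Fleet CA", nil, nil)
	device, _ := issue("thermostat-0042", fleetCA, fleetKey)
	rogueCA, rogueKey := issue("Example Fleet CA", nil, nil) // same CA name, unrelated key
	spoof, _ := issue("thermostat-0042", rogueCA, rogueKey)
	return DeviceTrusted(fleetCA, device), DeviceTrusted(fleetCA, spoof)
}
```

The same check is what a TLS server applies when configured to require and verify client certificates; the point the closing sentence above makes still holds here, since a leaked fleet CA key or device key would let an attacker mint or reuse a certificate that passes this check.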
Intertrust PKI has provisioned over 2 billion device identities, and at times, upwards of 10 million devices per day. We offer a full range of PKI services, such as mutual authentication, access control, and secure over-the-air updates, at a cost savings of 50% to 85% over an in-house PKI solution.
Oh, and not all managed PKI solutions are created equal. Here is a checklist of the key elements a proper PKI managed service should offer:
- Comprehensive professional services
- Full infrastructure design assistance
- Complete integration with your offering
- Rich X.509 certificates including SAML assertions for authorized operation
- Integration with security architectures of embedded systems
- WebTrust certification, the gold standard for PKI systems, which ensures that security operations and principles are adhered to
- Hyper scale and track record of serving millions and billions of devices
- Protection options for brownfield devices with no built-in hardware security
Creating a robust PKI network is no simple task. That’s why you can hand off this responsibility to the experts. Contact Intertrust to learn more. We will introduce you to one of our authentication experts, who can assess your device protection and suggest ways to bring robust authentication and protection to your product.