Securing the Internet of Things – Time for Another Look at Public Key Infrastructure (PKI)?

The Internet of Things (IoT) is a broad area that is attracting much discussion. Wikipedia starts its IoT definition as follows: ‘the network of physical objects or "things" embedded with electronics, software, sensors, and connectivity to enable objects to exchange data with the manufacturer, operator and/or other connected devices….’ Such capabilities are nothing new. However, three things are happening that drive the current discussion:

  • The increasing tendency to open previously closed networks of things to the public internet for ease of management and increased value through greater connectivity.
  • The ever-decreasing cost and size of embedded chip sets make it easy to IP-enable all sorts of devices, from consumer gadgets to industrial probes and sensors, and attach them to standardised networks.
  • This connectivity leaves IoT deployments open to attack, and the volume of devices makes the resulting attack surface potentially huge. It is here that the renewed case for Public Key Infrastructure (PKI) is being made.

PKI vendors provide management capabilities for the issuing and revoking of digital certificates that ensure secure communications across public networks.  This is not the same as publicly trusted certificate authorities (CAs) which issue SSL certificates, for example, to secure online retail and banking, although some PKI vendors do this too.

When the widespread use of the internet took off in the mid-90s, rich pickings were expected from PKI. However, PKI adoption was slower than expected as many found the complexity and cost hard to justify. The main PKI platform providers that are still around today include Entrust Datacard, EMC’s RSA and Verizon (which ended up with the PKI assets of Baltimore, which reached stellar levels on the FTSE in 2000).

So what’s new? Why might PKI help today’s businesses reap the benefits of the IoT whilst minimising this risk? First, it is necessary to understand why the IoT is vulnerable and why it might be targeted. Network connectivity is of course a prime reason, although closed networks are not immune (the initial Stuxnet attack on the Iranian centrifuges was on a closed system).

Second, as it stands, many things such as probes, sensors, cameras and medical devices  are more vulnerable than traditional computing end-points such as servers, PCs and smartphones because they run with embedded software (firmware) that has been developed without online security in mind. As well as software flaws, this can include really basic stuff such as back-end management interfaces with default credentials and non-encrypted communications. Worse still, regimes for updating the firmware are often non-existent, and the software on devices can quickly become out of date. This is a particular problem as older things become connected, since their firmware may have been left unchanged for years.

Third, the identity of things and the entities trying to communicate with them is often not authenticated to the same level as would be the case for traditional users and their devices. Solving this third problem would go some way to solving the first two. One of the challenges with identity is that things often communicate directly with other things or back-end servers (machine-to-machine or M2M), so traditional methods for authentication, such as passwords, biometrics and tokens, cannot be used; hello again PKI!

So, why would the bad guys seek to exploit these weaknesses? Hackers are always seeking weak points for initial entry to networks, enabling them to pose as trusted insiders and move sideways (the well-publicised 2014 attack on Target Corporation’s payments systems was initiated via a cooling system maintenance application). IoT deployments may also be targeted in their own right to cause damage to business processes for some reason. Furthermore, the very volume of things makes them attractive for recruitment to botnets that can be used to perpetrate other sorts of attacks. This has already happened; for example, in 2014 Akamai reported a malware kit named Spike that enabled ‘routers, smart thermostats, smart dryers and other devices to be recruited to botnets and used to launch DDoS attacks’.

Whatever the vulnerabilities and motives for attack, the risks can be minimised by authenticating the identity of any given entity trying to communicate with a thing. An entity can be another thing or a computer with or without a human operator. Once machines start communicating directly with each other, there is no human latency to slow things down, which can create huge amounts of network chatter. This is a problem in its own right and, when it comes to security, it makes it hard to find potential attack traffic. A single human-controlled attack among a high volume of legitimate M2M traffic could easily go unnoticed—all the more reason to authenticate each and every communication.

In principle that is easy through the use of digital certificates. Equip all things with a private key and issue public keys to any other device that has a valid reason to access it. In practice, there are three related problems to overcome:

  • Volume: the number of individual things has the potential to be so vast that issuing public keys to each and every one becomes impractical. This issue can be dealt with by using a layered approach to the way things are deployed, providing private keys to hubs that control subnets of things.
  • Key life-cycle management: even if volume is kept under control, a management structure is still needed to understand what public and private keys have been issued, when they need renewing, and revoking them when necessary. PKI is a way of managing this.
  • Cost: the keys and the PKI infrastructure have a cost that should be affordable within the overall value proposition for any set of IoT applications a given organisation intends to roll out.
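The life cycle described in the list above (issue, track, revoke) can be walked through with the OpenSSL command line. This is an added example, not part of the original article: it assumes the `openssl` tool is installed, uses a CRL as the revocation mechanism (the article does not name one), and the names "Example IoT CA" and "hub-01" are constructed.

```shell
# Added example: issue, check and revoke one hub certificate under a private CA.
set -eu
q() { "$@" >/dev/null 2>&1; }          # run a command quietly
pki_lifecycle_demo() (
  cd "$(mktemp -d)"
  : > index.txt; echo 1000 > serial; echo 1000 > crlnumber; mkdir issued
  cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example IoT CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = iot
[iot]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = issued
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
  # 1. The operator's own CA (private, not a publicly trusted one).
  q openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf -keyout ca.key -out ca.crt
  # 2. The hub creates its key pair; only the signing request leaves the device.
  q openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=hub-01" -keyout hub.key -out hub.csr
  # 3. Issue a 30-day certificate; index.txt is the inventory of what was issued.
  q openssl ca -batch -config ca.cnf -in hub.csr -out hub.crt -notext
  q openssl ca -config ca.cnf -gencrl -out crl.pem
  check() { q openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem hub.crt && echo accepted || echo rejected; }
  before=$(check)
  # 4. Revoke the hub (for instance on decommissioning) and publish a fresh CRL.
  q openssl ca -config ca.cnf -revoke hub.crt
  q openssl ca -config ca.cnf -gencrl -out crl.pem
  echo "before=$before after=$(check)"
)
pki_lifecycle_demo
```

A peer that trusts `ca.crt` and fetches the current CRL accepts the hub before step 4 and rejects it afterwards, without any per-device secret being shared in advance.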

The security risks associated with the IoT are worth overcoming in order to reap the benefits. PKI was first developed to secure communications between user devices and servers over public networks, so the IoT seems an obvious extension of this use case. The options for deploying IoT applications, using PKI and the viability of vendors such as Entrust Datacard, EMC/RSA and Verizon to achieve this will be the subject of a second article. 
