Auto-Provisioning for IoT Devices Tackles Security Gaps

As the number of connected devices rises toward an estimated 50 billion by 2020, security continues to lag behind—a lack of encryption, easy default passwords and a dearth of proper, automated user authentication plague the space. But the reason is simple—tools for doing this at scale are few and far between. DigiCert is tackling the issue with an Auto-Provisioning tool, powered by Device Authority.

IoT devices often lack the compute power required for strong encryption and do not have the ability to securely generate and store keys required for strong device security. Similarly, when credentials need to be revoked or rotated because of device authorization changes, the process is typically manual, time-consuming and vulnerable to human error.

Unveiled at the DigiCert Security Summit in Las Vegas, Auto-Provisioning is aimed at internet of things (IoT) connected device manufacturers and owners, allowing them to, as the name suggests, provision digital certificates at scale. It supports devices that use open standards such as SCEP or EST, as well as proprietary device enrollment protocols.

“Device authentication and encryption are critical to securing connected devices and the information they share, but many software implementations lack standard protocols for provisioning devices,” said DigiCert CTO Dan Timpson. “DigiCert Auto-Provisioning helps companies get certificates on a much wider range of IoT devices in a scalable, secure and automated way.”

Evidence of a growing security gap is mounting: A July 2016 study published by HP Fortify estimated that three-quarters of connected devices failed to encrypt communications to the internet and local networks. Last year, researchers found that Nissan Leaf smartphone app APIs were not authenticating users on the server. And numerous flaws, discovered in everything from smart fridges to connected lightbulbs to connected cameras, can be exploited by attackers to carry out man-in-the-middle attacks to access a homeowner's credentials.

Public key infrastructure (PKI) can be used for secure boot, patch management, machine-to-machine mutual authentication, user authentication and data integrity to help prevent unauthorized intrusions and data manipulation. DigiCert Auto-Provisioning leverages this, combining scalable certificate issuance with automated provisioning to simplify large-volume device enrollment and credentialing. It also provides secure key generation and storage to prevent the use of stolen credentials and unauthorized devices.

“Companies now have the ability to assert owner-controlled PKI on a much wider spectrum of connected devices to strengthen security controls,” said Timpson. “Using this solution, companies can take a major step forward in securing their IoT investments, becoming less dependent on manufacturer security.”
