The list of Internet of Things (IoT) is growing quickly, and so are the security concerns. As more devices get connected to the internet, the network expands and volumes of data increase, putting more sensitive information at risk.
Currently, most IoT devices have poor security in place. In fact, most IoT device manufacturers ship devices with a default password and don’t give the customers an option to change it. According to the 2019 Internet Security Threat Report, targeted attack groups are increasingly focused on IoT as a soft entry point, where they can destroy or wipe a device and steal credentials and data. Although routers and connected cameras make up 90% of infected devices, almost every IoT device from smart light bulbs to voice assistants is vulnerable, according to the report.
Today, many companies are using home brew passwords and “tricks” in their software, both of which make them inherently insecure. Some are using symmetric encryption, but then the “password” is the same across all devices. Hack one, you can hack them all.
Many organizations are using Public Key Infrastructure (PKI), but doing so without thinking beyond the next couple of years. While others aren’t thinking about changing crypto needs and lifetime issues down the road.
Why Consider PKI?
The rise of the IoT is driving the deployment of applications using PKI, with 43% of IoT devices expected to rely primarily on digital certificates in the next two years, according to the 2018 Global PKI Trends Study. A well-designed PKI combines roles, policies, software, and hardware elements to enable secure electronic transfer of information—far more securely than what is possible with simple password authentication.
Why is PKI a good choice for IoT? PKI is a disconnected verification system; there is no need for a centralized server. Devices that are participating in the same PKI can valid each other’s identities and encrypt information just from exchanging their certificates. These certificates can have cryptographic keys that have validity periods that far exceed the usable lifetime of any other authentication systems.
Security is Not One Size Fits All
Security needs for devices are different. I recently spoke with Jeff Stapleton, co-author of Security without Obscurity: A Guide to PKI Operations about the importance of a holistic approach to PKI. Stapleton explains that the sensitivity of the data, the longevity of the information, and now privacy all need to be considered and addressed by the PKI in its design, operations, and management.
This applies to IoT devices at all levels. When factoring in security, developers of IoT devices need to consider the longevity of the key exchange and consider the lifetime of the device: for example if a device has a 10-year lifecycle, a 50-year lifecycle (and cannot be updated), etc.
Securing devices over their lifetimes is critical to the safety and use of these devices, regardless of how they are used. The lifetime of an IoT device can range from short-lived devices (temperature sensor) to a device with a long lifespan, designed to last 100 years (water pump), which makes creating and managing a security infrastructure for IoT systems incredibly complex.
It also cannot just be what works for today’s customer. IoT manufacturers need to take a holistic approach and look at how long these devices will be in the field and how they can expect to find a security process that will stand the test of time or allow them to field upgrade. In addition, manufacturers have to think 10-15 years down the road and think about how their devices today will interoperate with their device security for things they haven’t even developed yet.
A single approach to security and device lifetime can’t work for all devices. Many commercial solutions and cloud providers that provide cloud-based identities consider 40 years to be “long enough.” In fact, I had to chase AWS down as the company was reporting “lifetime identities.” This is impossible, it turned out it was 42 years maximum. Long-life devices need to be built to withstand cryptographic changes – what is secure today won’t be ten years from now, let alone in 50 years.
Five Security Goals Companies Need
Devices need to be built to interoperate with each other. A device sold today that is expected to be used for ten years is likely to encounter a newer release from the manufacturer, and that older and newer model may need to interoperate cohesively during the supported lifetime. Here are the top five security goals that I recommend that companies put into practice:
- Cryptography must be not just secure enough for today, but companies need to think through the device lifecycle across the current generation and interacting with future generations. At PKI Solutions, one thing that we have done is pre-create a future CA that has cryptography keys we expect to be common 20 years from now. We bake that identity into the trusted list of devices today, so when new devices come out they are already trusted.
- Devices using RSA keys should expect those keys to be renewed on a regular basis. Best practice is to renew every two-three years. Computationally, they can be used for longer periods of time in controlled environments. Elliptic curve cryptography (ECC)-based encryption can provide longer period of expected validity.
- Devices that will be used and deployed in isolated environments (heavy machinery, industrial controls, secure environments) must have enough intelligence to roll keys and validate identities from other compatible devices. Manufacturers need to make sure firmware and other updates have a method to trigger changes to new cryptography and trust chains
- Hardware protection is critical to IoT. Long lived keys will always be vulnerable. They are in use too long not to be examined and the potential for exploit is huge. Using Trusted Platform Module (TPM)-embedded silicon to secure identities is the best method. Storing identities and keys in firmware or software will never be secure enough.
- Avoid self-signed certificates to authenticate devices. It is inherently insecure and provides little to authenticate a valid host to a user or another device. It also trains users to ignore certificate and identities errors. Manufacturers should strive to ensure their identities are trusted from the first use of their device.