IoT security: Trust is a must
IoT vulnerabilities continue to surface, steadily eroding confidence in manufacturers' ability to deliver products that are secured by design. Already this year, several vulnerabilities have been exposed, including:
- Security flaws in smart cameras — Researchers discovered vulnerabilities with Hanwha Techwin surveillance cameras. The flaws existed not only in Hanwha Techwin cameras, but all smart cameras manufactured by Hanwha Techwin.
- Vulnerable medical devices — Medical imaging devices, such as MRI or CT systems, are becoming increasingly vulnerable to cyberattacks, according to researchers from Ben-Gurion University.
- Hackable smart home hubs — Security flaws were discovered in a smart hub used to manage all the connected modules and sensors installed in the home, putting smart home owners at risk.
IoT vulnerabilities are being discovered and exposed across all industries, and hackers do not discriminate in whom they target. In countless examples, security flaws are regularly found in IoT devices, putting sensitive data and even personal safety at risk.
The fundamental issue is that IoT devices are not being built with security in mind. As adoption of these technologies continues to rise, this has created a growing attack surface that does not take a particularly high level of expertise to exploit. Everyone is eager to jump on the IoT innovation train, but in doing so, the critical element of securing these devices is often neglected.
However, despite the risks, organizations are continuing to gather sensitive data from IoT devices. The “2018 Global Data Threat Report” found that nearly three-fourths (71%) of organizations are aggregating data from the millions of IoT devices already in use.
While IoT security as a whole remains lacking, we are nonetheless seeing more organizations starting to apply measures to protect IoT data. The “2018 Ponemon Global Encryption Trends Report” found that 49% of enterprises are either partially or extensively deploying encryption of IoT data on IoT devices.
Organizations are taking a step in the right direction by recognizing that encryption of IoT device data — done correctly — can effectively protect privacy and confidentiality, but challenges remain. At the end of the day, it comes down to trust. If trust is not established regarding the identity and overall integrity of the device, then encrypting untrusted data is not accomplishing the desired goal. And if the device and the data it collects cannot be trusted, there’s no point in going to all the trouble of collecting it, analyzing it and, worst of all, making business decisions based on it.
How to build trust in IoT
Here is what is required to enable trust:
1. A root of trust to enable device authentication
To securely participate in the internet of things, every connected device needs a unique identification. There are various methods used today to prove an identity, from passwords to biometrics to digital certificates and more. However, when it comes to proving the identity of an IoT device, the choices available for authentication depend on the capabilities of the device.
In environments where security and safety are paramount, a hardware-based root of trust provides the strongest means to establish and maintain an authenticated device identity. Digital certificates issued from a trusted public key infrastructure provide a proven mechanism for this; however, the storage and processing demands of traditional RSA keys have driven some to favor elliptic curve cryptography (ECC). ECC provides equivalent protection to RSA with much smaller key sizes, and its operations require significantly less processing, making it appropriate for devices with less storage space, processing power and battery life.
Unfortunately, many IoT devices aren’t being designed with even the most basic of security protections, such as requiring default administrative credentials to be changed upon installation. A reasonable level of trust cannot be established in a device until there is a solid means of device authentication in place, and until the integrity of the device can be assured over time through mechanisms such as secure boot protection and code signing. These are important to prevent the introduction of malware, especially during firmware updates.
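The device authentication described above can be sketched as an ECC challenge-response. This is an added example, not code from the original article; it uses the third-party Python `cryptography` package. The `Device` and `Verifier` classes are hypothetical, and the enrolled-key lookup stands in for validating a device certificate against a PKI.

```python
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

ECDSA_SHA256 = ec.ECDSA(hashes.SHA256())


class Device:
    """Constructed stand-in: on real hardware the key never leaves the root of trust."""

    def __init__(self, device_id):
        self.device_id = device_id
        self._key = ec.generate_private_key(ec.SECP256R1())

    def public_der(self):
        return self._key.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo)

    def respond(self, nonce):
        # Sign device ID plus nonce so the answer is bound to one challenge.
        return self._key.sign(self.device_id.encode() + b"|" + nonce, ECDSA_SHA256)


class Verifier:
    """Hypothetical backend that holds public keys enrolled at manufacture."""

    def __init__(self):
        self._enrolled = {}  # device_id -> public key object
        self._pending = {}   # device_id -> outstanding nonce

    def enroll(self, device_id, public_der):
        self._enrolled[device_id] = serialization.load_der_public_key(public_der)

    def challenge(self, device_id):
        self._pending[device_id] = os.urandom(32)
        return self._pending[device_id]

    def authenticate(self, device_id, signature):
        nonce = self._pending.pop(device_id, None)  # single use, so replays fail
        public_key = self._enrolled.get(device_id)
        if nonce is None or public_key is None:
            return False
        try:
            public_key.verify(signature, device_id.encode() + b"|" + nonce, ECDSA_SHA256)
        except InvalidSignature:
            return False
        return True
```

A device that merely claims an enrolled ID, or that replays an earlier signature, fails because it cannot sign the fresh nonce with the enrolled private key.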
2. Encryption to protect data
With a proper root of trust in place, it is increasingly important to have means in place to protect IoT data which is sensitive, personally identifiable or proprietary. In IoT, this means protection on the device itself, when the data is being transmitted to intermediate points, such as IoT gateways, and when it is en route to final destinations, such as the cloud or a data center for storage and analysis.
This requires not only process steps to identify the specific data to be encrypted, but also a key management scheme to distribute and manage the keys that are used to encrypt the data. Secure storage and access control for keys requires planning — they must be available to permissioned people/entities to enable data access, but properly segregated from the data and stored securely. It might sound easy, but IoT scale and speed is a game changer. Keys have a finite lifetime based on their length and the algorithm being used, and therefore must be rotated at regular intervals. Lose a key that is used to encrypt data and you lose the data. Key management is a crucial capability for IoT deployments with sensitive data.
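One way to meet these key management requirements at fleet scale is shown here as an added example, not code from the original article. It derives a per-device, per-epoch data key from a master key with HKDF, so records carry only a device ID and key epoch while the master key stays segregated (assumed to live in an HSM or key management service). The 90-day interval, the grace window and all names are assumptions.

```python
import hashlib
import hmac

EPOCH_SECONDS = 90 * 24 * 3600  # assumed rotation interval (90 days)
GRACE_EPOCHS = 1                # assumed: previous epoch accepted during rollover
FLEET_SALT = b"constructed-fleet-salt"


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869): extract with the salt, then expand with the info label."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def epoch_for(timestamp):
    return int(timestamp) // EPOCH_SECONDS


def device_key(master_key, device_id, epoch):
    """Key for one device in one epoch; only (device_id, epoch) is stored with data."""
    info = b"iot-data-key|" + device_id.encode() + b"|" + str(epoch).encode()
    return hkdf_sha256(master_key, FLEET_SALT, info)


def key_for_record(master_key, device_id, record_epoch, now, archived=False):
    """Return the key for a record, enforcing the rotation policy on live traffic."""
    current = epoch_for(now)
    if record_epoch > current:
        raise ValueError("record names a key epoch that has not started")
    if not archived and current - record_epoch > GRACE_EPOCHS:
        raise ValueError("key epoch retired: device must rotate before sending")
    return device_key(master_key, device_id, record_epoch)
```

Live traffic under a retired epoch is refused, while `archived=True` still re-derives old keys so stored data remains readable after rotation.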
The adoption of IoT technology is not expected to slow down anytime soon. In fact, Gartner predicts the number of connected devices will rise to 20.4 billion by 2020. Trust is recognized as a key enabler for IoT to deliver the intended results, and authentication and encryption are two critical capabilities in the IoT trust playbook.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.