PKI: Helping IoT device makers trust their supply chain
We already know that public key infrastructure (PKI) is going to be the future of securing IoT devices, because PKI can be implemented in a relatively lightweight fashion on different classes of devices. It will help to identify and secure devices by limiting the number of opportunities for bad actors to hack them.
PKI can also be used to secure IoT devices during the manufacturing process, across the supply chain, and through the distribution and delivery process. Every vertical market will be disrupted by IoT, and these markets will find PKI especially beneficial. Healthcare and the smart electric grid are two such examples.
How implementing PKI during the manufacturing process protects IoT device makers
With the IoT market being relatively new, it’s not uncommon for some device makers to be unfamiliar with the manufacturing process. Seldom does a device designer also manufacture their own product. In most cases, they end up working with an original design manufacturer (ODM), such as Flextronics, or an electronic manufacturing services (EMS) provider, like Foxconn or Celestica.
Once an IoT device is built, it is usually shipped by the manufacturer to the device maker or directly to customers. But some shady things can occur along the way, because in the process of building all these devices the ODM or EMS now has all the plans, blueprints and design specifications. That is a huge risk for a device maker. It would be relatively easy for a nefarious company or employee to take these plans and sell them on the black market for a much lower price than the device maker. In addition, certain geographies have looser or stricter controls on ownership of these design specifications, potentially creating more problems for the device maker. Making matters worse, it could be years before a device maker realizes something illegal has occurred. While there are checks and safeguards in place to protect IP, this is a real problem that smaller device makers need to contend with.
Fortunately, there are a number of ways an IoT device maker can mitigate such problems. For instance, you could incorporate a certificate into every device, enabling you to carefully control the number of them being manufactured by having your certificate authority (CA) provide only as many certificates as the number of devices you want to manufacture. Another step is to verify the source of a certificate request, i.e., a specific location, so the assigned ODM or EMS must present certain credentials to verify who is requesting the certificate. You can even gate access to these certificates based on user authentication and IP address.
In addition, using PKI enables you to verify, either during or after the manufacturing process, who is actually using the certificate. Ideally, that “who” should only be the device. This can be determined by having the device contact a trusted third-party server, also called a registration authority. This can be managed by CAs, who will verify that the certificate issued and in use by the device is chained to the correct PKI hierarchy, which belongs to the specific device maker. In addition, a CA can take the extra step of revoking the previous certificate on the IoT device and issuing a new certificate. This process is called re-enrollment. Alternatively, two types of certificates can be used: a “birth” certificate that forms the device’s identity, and an “operational” certificate that can be used to perform certain actions.
By taking these steps, PKI enables IoT device makers to prevent over-production and counterfeiting, ensuring only the right device gets the right certificate. Even if it is discovered at a later date that the manufacturer was untrustworthy and more devices were manufactured than the original order called for, those devices would be unusable because their birth certificates have been revoked and they are no longer able to get operational certificates.
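The issuance gates described above, sketched as an added example (not code from the original article or from any CA product): a Python policy model in which the registration authority caps birth certificates at the order size, checks the requester and the source network, and refuses operational certificates once a birth certificate is revoked. The class, account names and addresses are constructed, and serial lookups stand in for real X.509 chain and CRL validation.

```python
import ipaddress
import secrets

class RegistrationAuthority:
    """Policy model only: serial lookups stand in for X.509 chain and CRL checks."""

    def __init__(self, order_size, factory_net, operators):
        self.remaining = order_size              # certificates left in this production order
        self.factory_net = ipaddress.ip_network(factory_net)
        self.operators = set(operators)          # authenticated ODM/EMS accounts
        self.birth = {}                          # birth serial -> device id
        self.revoked = set()

    def issue_birth(self, operator, source_ip, device_id):
        """Factory-side issuance, gated on who asks, from where, and how many remain."""
        if operator not in self.operators:
            raise PermissionError("unauthenticated requester")
        if ipaddress.ip_address(source_ip) not in self.factory_net:
            raise PermissionError("request from unapproved location")
        if self.remaining <= 0:
            raise PermissionError("production order exhausted")
        self.remaining -= 1
        serial = secrets.token_hex(8)
        self.birth[serial] = device_id
        return serial

    def revoke(self, serial):
        self.revoked.add(serial)

    def issue_operational(self, birth_serial, device_id):
        """Field-side enrollment: needs a birth identity we issued and have not revoked."""
        if self.birth.get(birth_serial) != device_id:
            raise PermissionError("birth certificate not from this hierarchy")
        if birth_serial in self.revoked:
            raise PermissionError("birth certificate revoked")
        return f"op-{device_id}-{secrets.token_hex(4)}"

def attempt(fn, *args):
    try:
        return fn(*args)
    except PermissionError as exc:
        return f"DENIED: {exc}"          # denial reason instead of a certificate

if __name__ == "__main__":
    ra = RegistrationAuthority(2, "203.0.113.0/24", {"ems-line-1"})  # constructed values
    s1, s2, s3 = (attempt(ra.issue_birth, "ems-line-1", "203.0.113.10", d)
                  for d in ("dev-001", "dev-002", "dev-003"))        # third exceeds the order
    ra.revoke(s2)
    print(s3, attempt(ra.issue_operational, s1, "dev-001"),
          attempt(ra.issue_operational, s2, "dev-002"), sep="\n")
```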
Concerns like the ones mentioned above are a regular occurrence. In fact, in March, iPhone supplier Wistron was accused of using unauthorized components in its production of the iPhone 8 in China. Scenarios like this are exactly why it is a smart idea to implement PKI for IoT devices during the manufacturing process.
PKI for the supply chain
PKI turns out to be one of the best technologies for assuring authenticity of devices within the supply chain, including the verification of all the components within an IoT device. For example, when an IoT device maker designs a device, she uses components from different manufacturers. These components are sourced from all over the world, carried by distributors and assembled together with other components by an EMS or ODM.
Once these components arrive at a distributor, they could in reality sit in a warehouse for an extended period. Finally, the device is manufactured and then tested, after which sellers can provide it to the customer. Oftentimes, these devices are installed by third-party installers and deployed in remote locations. The end customer or buyer may not even physically see these devices.
The average IoT device has a very complex route, changing ownership multiple times. Naturally, the seller wants to ensure the device is authentic and that this authenticity was maintained through the various stages of its supply chain. This real-world problem is very hard to solve. Increasingly, we are hearing stories about breaches within supply chains, such as with Wistron. You have manufacturers from different countries whose suppliers are not necessarily following best practices for security and privacy, so it is difficult to trust a component’s source. As a result, some companies could end up with an IoT device that has both authentic and fake (or modified) components. If a device functions as intended, it may be difficult to know the truth. However, it’s a possibility that a nefarious actor embedded extra code within the device software that tracks and intercepts data. This could have been injected during the manufacturing process of the device, or one of its components. This is yet another area where PKI can help eliminate, or at least significantly reduce, such scenarios.
Identity is the foundation of security
In today’s hyper-consumerism era, the thirst for new and innovative technology is insatiable. There has been a sharp rise in hardware-focused technology startups that are providing a real-world solution by integrating networking and smarts into a device. This is especially common on crowdfunding sites like Kickstarter and Indiegogo. However, the focus for these device designers and makers is on functionality, and security is seldom part of the plan. This is dangerous and can lead to problems later down the line, as seen with recent IoT botnet attacks.
Starting on the right foot is important, and if we can get security integrated into a device right at its starting point, the manufacturing plant and the associated supply chain, then we have a strong foundation to build upon. Starting with a strong identity, we can bootstrap into other security functions like authentication and authorization. This shouldn’t be hard — and PKI makes this especially easy.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.