Are PKIs the key to securing the IoT?
June 2018 by Mike Nelson, VP of IoT Security, DigiCert
If the Internet of Things is the gold rush, then its security landscape is the Wild West. This unbelievable demand - from businesses who want to ride the wave of innovation brought on by a connected world and home consumers who crave shiny new things - threatens to plunge many into a state of insecurity that the excitement of innovation has blinded them to.
Gartner has predicted that there will be 20.4 billion IoT devices by 2020, and if current security standards persist, there will be very little to bolster their security.
The great demand for these connected devices has largely driven manufacturers to rush cheap devices to market without a thought for their security.
In recent years we’ve seen the illicit power made possible by that demand. Aside from the information theft that IoT devices so easily enable, the IoT gives cybercriminals dangerous new functionality.
In 2016, the world was reminded of that when Mirai botnets took down large parts of the internet with an army of baby monitors, cameras and routers. Those botnets were built using an attack which guessed devices’ passwords from a small library of the most common default credentials.
On a daily basis, researchers find vulnerabilities in IoT toys and home devices which enable attackers to spy on the device’s owners, and even more sinister, their children.
The proliferation of IoT in business and industrial settings poses yet more troubling possibilities. A spate of ransomware attacks on hospitals in the last few years - while not explicitly IoT attacks - has given us a flavour of what an attack on an IoT-rich environment might look like: locking up critical systems and then extorting their owners to return those potentially lifesaving services to full functionality.
Nation states don’t yet seem to have fully grasped the size of this development. Governments and regulators find it hard to keep up with this massive demand, and any attempts to bring wide-ranging state power behind IoT security are still in their nascent stages.
Late last year, Germany banned children’s smartwatches after it was revealed they could be used to remotely spy on their owners. The US Congress has also passed legislation to ensure that US government offices use secure IoT equipment. Most recently, the UK government released provisional rules for best practice in the use and manufacture of IoT.
Ultimately, these are all piecemeal solutions - confined to specific devices or localities - which will struggle to exert influence over a globalised market. Furthermore, the cheap deluge of “things” often stems from regions valued for their light-touch regulation and low costs.
This not only means that any regulation of manufacturers will have to reach inside the borders of those territories, but also highlights that making secure devices is often seen as an unwanted and unnecessary cost.
The fact is, manufacturers often deal with security as an afterthought. IoT devices are infamously replete with routine security failures such as hardcoded passwords, poor or no authentication, and the inability to securely patch.
When security is added, it’s often done after the fact and retrofitted into devices, a solution which is often ineffective and ironically less economical.
Until security becomes enforced by law or widely employed as part of the design process, IoT security is in the hands of users.
Public Key Infrastructure (PKI), using digital certificates, offers a way for both manufacturers and consumers to secure the IoT. It’s been securing the connections between machines for several decades now and developing a trusted standard for just as long. It could do the same for this next generation of innovation.
Those rolling out large networks of IoT devices for use in their office or industrial environment may have to police networks of thousands, or perhaps millions, of devices, all collecting information and talking to each other.
The digital certificates issued by PKIs allow secure exchanges and mutual authentication between devices as well as between devices and users. By issuing certificates which effectively act as identity, PKIs can establish trust across vast networks of devices and users.
PKI also largely relieves users of the need for eminently exploitable authentication methods like passwords, which are too often shared around.
Moreover, PKI can encrypt the data flows throughout a network of devices, so that even if attackers manage to steal data, their prize is worthless.
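The mechanism the preceding three paragraphs describe, as an added example that is not part of the original article and not DigiCert's code: a fleet root CA issues each device a certificate that carries its identity, a relying party checks that a presented certificate chains to that root and is valid now, and the device proves it actually holds the matching private key by signing a nonce chosen by the verifier (the proof-of-possession step a TLS handshake performs internally). Names such as "Example Fleet Root CA" and "sensor-0001" are constructed values; the code uses only Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key pair and a certificate for it, signed by
// parent/parentKey, or self-signed when parent is nil.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates the fleet's self-signed root (the name is a constructed value).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueDeviceCert issues a one-year leaf certificate whose CommonName is the
// device ID; the device keeps the private key and never shares it.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}

// VerifyDevice is the relying party's check: the presented certificate must
// chain to the fleet root and be valid now. It returns the authenticated ID.
func VerifyDevice(root, presented *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

// A certificate alone proves nothing: the device must also show it holds the
// matching private key by signing a fresh nonce chosen by the verifier.
func SignChallenge(devKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, devKey, digest[:])
}

// CheckChallenge verifies the nonce signature with the certificate's public key.
func CheckChallenge(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	root, rootKey, _ := NewCA("Example Fleet Root CA")
	dev, devKey, _ := IssueDeviceCert(root, rootKey, "sensor-0001", 2)
	id, err := VerifyDevice(root, dev)
	nonce := []byte("constructed-nonce-1234") // in practice random per session
	sig, _ := SignChallenge(devKey, nonce)
	fmt.Println("genuine:", id, err, "possession:", CheckChallenge(dev, nonce, sig))
	rogue, rogueKey, _ := NewCA("Rogue CA") // a CA the fleet does not trust
	fake, _, _ := IssueDeviceCert(rogue, rogueKey, "sensor-0001", 3)
	_, err = VerifyDevice(root, fake)
	fmt.Println("impostor rejected:", err != nil)
}
```

The impostor case is the point of the "certificates as identity" claim: a certificate that names the same device ID but was issued by a CA outside the fleet's trust store is rejected before any identity is believed, and without the private key even a copied genuine certificate cannot pass the nonce challenge.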
Still, it’s the scalability of PKIs that makes them a good option for enterprises attempting to roll out large IoT initiatives. Establishing trusted connections between users, network infrastructure and untold numbers of endpoints leaves a great many security considerations to reinforce. While PKI use at such a scale is still in its early stages, wide-spanning payment systems have already reaped the benefits of such a scalable security solution. So have the streaming media company Plex and the international airport WiFi protocol AeroMACS. Major medical device and connected car manufacturers also have PKI in deployment for IoT use cases, with a large ramp-up to come.
For IoT manufacturers, who often make devices that cannot even patch their already poor security, PKI can provide device and system integrity, including secure patch management and over-the-air updates.
But perhaps most importantly, PKIs hosted by a public certificate authority use current cryptography and live up to industry standards refined over years of reliable use.
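An added example, not from the article or any vendor, of the signed-update side of that sentence: the manufacturer signs each firmware image with a key that never leaves its build pipeline, and the device verifies the signature against the manufacturer's public key pinned at manufacture before anything is written to flash. The image layout, version numbers and payload bytes are constructed for the example. The anti-rollback check goes one step beyond the paragraph: without it, a correctly signed but older image could be reinstalled to bring back a vulnerability that a later release had fixed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a constructed minimal update format for this example (not any
// vendor's real format): a version number, the payload, and a detached
// ECDSA P-256 signature over SHA-256(version || payload).
type Image struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// digest binds version and payload together so neither can be swapped alone.
func (img Image) digest() []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], img.Version)
	h.Write(v[:])
	h.Write(img.Payload)
	return h.Sum(nil)
}

// SignImage runs in the manufacturer's build pipeline with the private
// signing key, which never leaves the vendor (ideally held in an HSM).
func SignImage(key *ecdsa.PrivateKey, version uint32, payload []byte) (Image, error) {
	img := Image{Version: version, Payload: payload}
	sig, err := ecdsa.SignASN1(rand.Reader, key, img.digest())
	if err != nil {
		return Image{}, err
	}
	img.Sig = sig
	return img, nil
}

// VerifyUpdate runs on the device before anything is written to flash. Only
// the manufacturer's public key is pinned in the device; a modified payload,
// a changed version header, a signature from any other key, or an attempt to
// reinstall an older (possibly vulnerable) version is refused.
func VerifyUpdate(pinned *ecdsa.PublicKey, installed uint32, img Image) error {
	if !ecdsa.VerifyASN1(pinned, img.digest(), img.Sig) {
		return errors.New("update rejected: signature does not verify")
	}
	if img.Version <= installed {
		return errors.New("update rejected: rollback to older version")
	}
	return nil
}

func main() {
	vendorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pinned := &vendorKey.PublicKey // baked into the device at manufacture
	firmware := []byte("constructed firmware payload v2")
	img, _ := SignImage(vendorKey, 2, firmware)
	fmt.Println("genuine v2 onto v1:", VerifyUpdate(pinned, 1, img))

	tampered := img // modify one payload byte; the signature no longer matches
	tampered.Payload = append([]byte(nil), img.Payload...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered payload:", VerifyUpdate(pinned, 1, tampered))

	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	forged, _ := SignImage(otherKey, 3, firmware)
	fmt.Println("signed by other key:", VerifyUpdate(pinned, 1, forged))
	fmt.Println("rollback v2 onto v2:", VerifyUpdate(pinned, 2, img))
}
```

The device side needs only the public key and a hash function, which is why this check fits even on constrained hardware; the hard part in practice is protecting the pinned key from being replaced, which is where hardware-backed storage and a verified boot chain come in.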
Those that are interested in PKIs will have to choose between a hosted solution and the considerable task of managing their own PKI framework.
Some say that enterprises are more secure with a framework they manage themselves rather than one they hand off to someone else to manage. At the very least, the self-managed option - while cumbersome - lends users a greater degree of trust, and the agility that is so critical in the event of a security incident.
The public is starting to wake up to the vulnerabilities within the IoT: increasingly, people are calling for more secure devices, and responsible manufacturers are building devices with security by design.
In the longer term - manufacturers and designers will have to get in shape. State powers around the world are starting to take notice and, although their movement might be slow, if IoT producers don’t start to make their devices secure, the government will make them do it. The UK government’s new draft code of practice on IoT states clearly that, “the Government’s preference would be for the market to solve this problem - the clear security guidelines we set out will be expected by consumers and delivered by IoT producers. But if this does not happen, and quickly, then we will look to make these guidelines compulsory through law.” When government realises that this is a problem of public security, it will bring the hammer down.
Until good security is standardised across all manufacturers, through culture, industry norms or the law, it’s going to be up to users to protect themselves against the threats that the IoT brings. In the meantime - PKI provides a way to do just that, ensuring that enterprises can ride the train of innovation, instead of lying down on the tracks in front of it.