IoT Device Security + How to Get Started

IoT devices hold so much potential for positive change — their ability to connect objects, share information, and perform actions — also makes them intensely vulnerable. That’s because every point of connection that exists carries the risk of being hacked.

Unfortunately, there’s no shortage of examples to illustrate how IoT devices are vulnerable. Some of the most notable examples in recent years include:

• A hacked baby monitor, which allowed the hacker to see the baby and speak to the parents with a threat to kidnap
• Compromised medical devices, including:
  • Hackers who gained access to implanted cardiac devices and could deplete the battery or issue incorrect pacing
  • Hackers who gained access to insulin pumps and could deliver incorrect doses of insulin to diabetic users
• Flawed connections for consumer vehicles that allowed hackers to take control remotely and take actions like cutting the brakes, shutting off the engine, and even driving the car off the road

These examples are just a few of many that illustrate the importance of IoT device security. They also highlight how easy it was for hackers to accomplish these activities. For instance, in the case of a 2015 Chrysler hacking, researchers found they could easily access any Chrysler vehicle in the United States on the Sprint mobile network due to a flaw in the wireless connection system.

Critically, as IoT devices become even more commonplace, particularly in industries like automotive, medical devices, and original equipment manufacturing, the risks associated with hacks increase tremendously to the point where people’s lives are in danger.

Over the past several years, we’ve seen far too many hackers exploiting IoT device security weaknesses. Beyond the many points of connection that inherently create risk, one of the reasons for this multitude of attacks is that many companies were quick to get this new technology to market and focused more on the competitive innovation than they did on the security aspect.

However, as IoT devices continue to become more commonplace, security will be an absolute must to achieve any traction. That said, new legislation has come about to help speed the adoption of new security standards.

Legislation passed into law thus far includes:

• California’s IoT Security Regulation Law (SB-327): Put into effect on January 1, 2020, this law requires that all connected device manufacturers use unique credentials for each device. This legislation covers both consumer devices and business devices.
• Oregon’s IoT Security Regulation Law (HB-2395): Put into effect on January 1, 2020, this law is similar to California’s. It requires unique credentials for each connected device, but it applies primarily to consumer devices.

Several other bills have been proposed and received varying levels of traction, including:

• Federal Cyber Shield Act (S-2020): Proposed in the Senate in 2017, this bill would require the Department of Commerce to establish a Cyber Shield Advisory Committee to recommend the format and content of Cyber Shield labels for internet-connected consumer devices and introduce standards for compliance with data security benchmarks to protect data better.
• Protecting Privacy in Our Homes Act (S-2432): Proposed in the Senate in 2019, this bill would require the Federal Trade Commission to introduce regulations around how manufacturers communicate cameras and microphones in consumer-facing internet-enabled devices.
• Automatic Listening Exploitation Act (HR-4048): Proposed in the House of Representatives in 2019, this bill would limit the use of (including recording or transmitting) any sound or video captured by a smart speaker or video doorbell and prohibit any kind of service without the express consent of the consumer.
• Internet of Things Cybersecurity Improvement Act of 2019 (S-734): Proposed in the Senate in 2019, this bill would give the federal government broad powers to increase cybersecurity standards around the Internet of Things devices.

Beyond formal legislation, the FDA, Industrial Internet Consortium (IIC), and the IoT Security Foundation (ISF) have introduced guidance for security frameworks to protect IoT devices that govern everything from medical devices to consumer-facing products.

Notably, both guidance and legislation around IoT device security are snowballing, making it essential for manufacturers to ensure they implement the highest possible security levels to protect consumers and businesses who use the devices and meet current and future security regulations.

Despite the ever-growing importance of strengthening IoT device security, particularly as new legislation comes about, many challenges exist. The top IoT security challenges include:

At the highest level, there is a lack of standards governing IoT device security. While this situation is undoubtedly changing, in most cases today, device manufacturers and their security teams still have no clear standard for which to aim. As a result, a lot of ambiguity exists in the market. In turn, this ambiguity has created a breeding ground for other challenges in areas like authentication practices, ongoing security updates, and communications between connected devices.

Many manufacturers have retrofitted legacy devices with smart sensors to make them internet-enabled and achieve the IoT benefits without as high a cost. This approach can prove both time and cost-efficient, but it creates serious security risks.

Specifically, legacy devices that do not connect to the internet typically have little-to-no security. As a result, even if the added sensors offer some type of security type, the device itself creates additional opportunities for malicious parties to infiltrate the sensor and potentially the broader network.

Many devices fail to offer advanced security features or even the ability to attain them over time through updates. Manufacturers’ inability to issue patches for any discovered risks or security updates to keep devices aligned to the newest standards creates numerous challenges. It leaves many IoT devices with security issues in the field. This challenge will grow exponentially over the coming years as the IoT ecosystem continues to age, and new security standards get developed.

Even in cases where manufacturers do push updates, challenges exist. For example, as developers build new code and move it into production, they need a way to verify its authenticity, which they do by signing the code with a trusted public/private cryptographic key pair. However, the way many manufacturers bring IoT devices to market is different from what they do for other solutions. Many have not traditionally verified that the new code correctly signs with a trusted key. This lack of a security check opens the door for risk by allowing anyone who gains access to the system to push new code to IoT devices, resulting in any number of safety, financial and reputational risks.

It’s become commonplace for manufacturers to hardcode passwords or encryption keys into IoT devices to streamline deployment. This practice is risky, but it becomes even more so if developers embed this information in plain text for easy access — which happens often. That’s because if anyone finds this information, they can easily access the device and control it in whatever way.

Many IoT devices get programmed with static or default passwords that can’t easily be changed by users along the same lines. This weak level of authentication creates serious risks by making it easy for hackers to access the devices and deploy malware. This typically happens with lower-cost IoT devices, such as security cameras. However, it’s important to note that even these devices obtain sensitive information that, when hacked, can put people in harm’s way and violate their privacy — leading to a severe financial and reputational risk for manufacturers.

Many IoT devices use symmetric encryption, in which a single key gets used to encrypt and decrypt data. The fact that the data gets encrypted offers a secure layer of security, particularly compared to using hardcoded or default passwords, but sharing and storing the encryption key creates risk. That’s because if a malicious party intercepts the key, it can use it to encrypt and decrypt data. This means they can access the entire system and share data, and they can even act as a “man in the middle” by manipulating data without the manufacturer or end-users knowing. As a result of this risk, manufacturers must take extra precautions to secure the encryption key, which can become costly and difficult to maintain at scale.

Using asymmetric encryption, a unique public and private key pair get generated. Each one serves a different purpose (the public key decrypts data and can be shared openly, while the private key encrypts data, and must be protected), helps resolve the challenges with symmetric encryption. However, even with asymmetric encryption, the private key must be secured appropriately — otherwise, the same risks apply. Unfortunately, many development teams fail to take the proper precautions in storing these private keys.

Encryption offers nearly impenetrable security, but only when done correctly. Specifically, the encryption strength depends on the algorithm used to generate the public/private keys. Ideally, the public key should be relatively easy to compute from the private key, but the reverse should be impossible.

Many standards, such as RSA 2048 and Diffie-Hellman, exist today to govern encryption keys’ strength. Unfortunately, many IoT devices use weak algorithms that don’t adhere to these standards to generate encryption keys. When this is the case, it becomes easier for malicious parties to determine the private key, giving them access to compromise the device.

All of the security challenges around IoT devices make them particularly vulnerable to distributed denial of service (DDoS) attacks. These attacks occur when hackers use multiple devices to flood a system with requests for data to overwhelm the system so that it stops working entirely.

IoT devices are vulnerable to DDoS attacks due to the many security challenges listed here. As a result, hackers can quickly gain access to these connected devices to form a botnet (aka “zombie army”) so that all devices can simultaneously flood a single system with requests. DDoS attacks are particularly frequent among IoT devices because the devices are relatively easier to hack, given the generally lax security standards and because DDoS toolkits tend to be easy to purchase and launch.

Numerous challenges exist today regarding IoT device security, but it is possible to overcome these challenges.

Teams need to prioritize IoT device security at every step of the way. This prioritization involves making more investments in security and working it into development processes as early as possible.

Along the way, IoT device security must center around creating a trusted device identity, ensuring data confidentiality, and maintaining the integrity of data and firmware running on each device. Achieving these goals requires critical security elements for authentication, encryption, and code signing. Manufacturing teams can embrace several best practices to meet these needs, including:

Sending protected data is an essential function of any IoT device. For this function to be effective, both users and manufacturers need to trust that the data they receive is authentic and intended for them. The best way to achieve this goal is to issue unique credentials in the form of digital certificates for every IoT device.

Giving each device a unique digital certificate helps improve authentication and offers enormous protection over the common practices today of using default passwords or even shared keys for symmetric encryption. That’s because passwords carry a high risk of compromise, and symmetric encryption keys, which offer more protection than default passwords, don’t provide any kind of differentiation between devices. This lack of differentiation makes it impossible to share unique information with a specific connected device or determine the particular device from which individual data originated.

In contrast, digital certificates can create a highly secure, unique authentication method for each device, which offers significantly more security. For example, this approach enables manufacturers to share updates and data with specific devices securely and helps better validate the authenticity of incoming information from the devices themselves.

Creating unique digital certificates for each IoT device requires asymmetric cryptography, which generates a public and private key pair. As a result, manufacturers need to take extra precautions for storing those private keys.

The best way to do so is with Trusted Platform Module (TPM) technology or Secure Storage hardware, which provides hardware-based security. For example, a TPM chip offers a hardware-enabled secure crypto-processor to protect cryptographic keys and digital certificates. This type of investment is well worthwhile for achieving the highest levels of IoT security. It offers strong protection against the private keys used for device authentication and data encryption being compromised.

One significant IoT security risk is the ability of hackers to push malicious software updates to connected devices. Manufacturers can protect against this risk by requiring that devices to verify the authenticity of any new firmware or software before installation. Doing so requires that manufacturers’ development teams sign their code with a digital signature, which can be achieved with a public/private key pair.

In this case, each connected device would require a public key that matches a private key held by the manufacturer’s development team. If the developers use the private key to “sign their code,” any device with the public key can (a) verify that the update was indeed sent from the manufacturer (or anyone who has the private key) and (b) confirm that the update was not modified in transit. As a result, requiring code signing helps protect against connected devices installing corrupted software sent by a malicious third party.

A Root of Trust (RoT) contains encryption keys and helps with initial identity validation when issuing new keys or digital certificates. Establishing an organization-specific RoT gives manufacturers total control over identity validation for any device or person they issue an encryption key. Keeping the RoT organization-specific allows manufacturers to set their standards for identity verification to create a strong chain of trust instead of using a shared root and trusting that third party’s trust model and operations.

Perhaps most importantly, the above best practices for IoT device security are not set-it-and-forget-it. Instead, all of these efforts require ongoing lifecycle management. That’s because any kind of static system is inherently insecure. The digital certificates, key pairs, and RoT in use will weaken over time without proper lifecycle management.

This lifecycle management should include:

• Mapping everything in use to have an exact inventory of what gets created
• Monitoring all of the certificates, keys, and the RoT to identify any potential threats and make adjustments accordingly quickly
• Maintaining the health of this security by updating certificates, keys, and the RoT as needed and revoking any certificates and keys when the relevant devices are no longer use

The security needs for IoT and the best practices to help address these needs point to a clear solution: Public Key Infrastructure (PKI).

PKI is a trust framework composed of hardware, software, policies, and procedures needed to manage trusted digital certificates and public-key encryption. It helps verify digital identities and secure data, which meets critical IoT security needs around authentication, encryption, and code signing. Importantly, it’s also scalable to accommodate millions of device identities with only a minimal footprint on each device.

PKI offers several critical advantages when it comes to strengthening IoT security, including:

• Unique Identities: PKI enables IoT device manufacturers to embed a cryptographically verifiable identity through a digital certificate into each device to ensure secure access and software delivery over time. Importantly, manufacturers can also update or revoke these certificates on individual devices as needed.
• Flexibility: PKI is a highly flexible approach that allows manufacturers to use a variety of options (including REST API, SCEP and EST) for trusted roots, revocations and certificate enrollment and deployment.
• Scalability: Manufacturers can issue digital certificates from a single, trusted Certificate Authority, which allows IoT devices to securely authenticate one another without any kind of centralized server.
• Robust Security: Assuming the PKI is well-managed, digital certificates provide significantly higher security than other authentication methods, including default passwords and symmetric cryptography.
• Minimal Footprint: The asymmetric keys used for PKI have a minimal footprint, which means it’s not a burden for connected devices with low computational power to house the necessary information.
• Proven Approach: PKI has long been used to provide a secure method for digital authentication and data communication and is recognized as a practical and scalable solution to protect against device hijacking and data theft.

PKI is a proven approach for security with a strong history in enterprise IT. However, PKI for IoT security is somewhat different from PKI for enterprise security. Notable differences include:

• Scalability and Availability: PKI for IoT requires higher scalability and availability levels on behalf of Certificate Authorities. These trusted entities issue digital certificates to devices that are required for enterprise PKI. That’s because, in the case of IoT, manufacturers will need to deliver a higher volume of certificates faster.
• Private Key Generation and Storage: In enterprise PKI, organizations typically use digital certificates to secure web servers, which live in protected data centers inaccessible to most people. Securing IoT devices is entirely different since these devices are physically accessible to the public. As a result, manufacturers should ideally generate and store private keys for IoT devices on a secure hardware component so that they never live outside the device.
• Certificate Policy: Manufacturers using PKI for IoT security must be more strict about adhering to certificate policy, which governs trust and assurance levels, compared to enterprise PKI. This strict adherence helps with security audits and establishes trust along the IoT supply chain.
• Lifecycle Management: The lifecycle of a digital certificate that lives on an IoT device is much different from a digital certificate used to secure a web server in enterprise PKI. In the case of IoT security, manufacturers must understand how identities will get provisioned and updated over time for a given device and put in place a clear response plan for any compromised certificates or trusted roots.

Importantly, realizing PKI’s full benefits for IoT security requires full lifecycle management covering everything from setting and maintaining program standards for trusted roots and code signing to issuing and revoking certificates.

Given the required scale of PKI for IoT, one of the best options to maintain high levels of availability and security without sacrificing efficiency is to rely on a SaaS model that offers PKI-as-a-Service. Additionally, consuming PKI through a managed service model eases the burden for manufacturers to properly maintain the system regarding functionality, performance, and security assurance levels. As a result, they can focus on continuing to bring innovative IoT devices to market quickly, all with the necessary level of security to build trust with customers.

IoT is no longer a futuristic concept — it has officially arrived, and the number of connected devices grows exponentially. As these smart devices become more commonplace and more mature, IoT security needs to catch up.

To date, IoT device security has been a bit relaxed. This situation has stemmed from many manufacturers pushing to get innovative devices to market faster and relatively unknown. But as the IoT ecosystem matures, severe security issues have cropped up that can wreak havoc on organizations and consumers alike. At best, breaches in IoT security can cost device manufacturers millions of dollars and a loss of trust. At worst, they can put lives at risk. In response, new regulations are cropping up that will put more guardrails around IoT security.

Faced with this situation, the time to get serious about IoT device security is now. And while severe challenges to improving IoT security do exist, they are by no means impossible for manufacturers. The best way to overcome these challenges is by introducing a PKI program that helps strengthen IoT security through authentication, encryption, and code signing. When done correctly, this approach can help manufacturers bring innovative new devices to the market while maintaining high-security levels, which will prove a competitive advantage going forward.