As we increase our dependence upon Internet connected Things to simplify, optimize and improve our businesses and our lives, we simultaneously increase our exposure to new security issues created by these very “Things”. A quick google search on ‘IoT security’ brings up numerous results about IoT vulnerabilities such as hacking of baby monitors that invades the privacy of families, hacking of internet connected cars which allows hackers to gain remote control of the car, threats to internet connected pace-makers or simply the theft of user information stored on such devices. Some IoT device manufacturers and service companies now realize the threats that can be caused by connected devices and have increased security measures. For example on July 13, 2016 Fiat Chrysler started offering hackers cash to find car software flaws. However, the IoT eco-system is so fragmented that the manufactures of IoT end products are not necessarily experts in security, and this leaves the potential for security vulnerabilities. Lack of security standards and 3rd party security quality control means it is often too late to discover security vulnerabilities, and some are discovered after they have caused irreparable damage to large numbers of users and significant financial loss to manufacturers.
The foundation of IoT security lies in properly authenticating and authorizing the device - upon this foundation secure communication layers can be built to fully secure these IoT devices. Since IoT devices vary in size, use, communication protocols and connectivity, it is challenging to have a universal standard for authenticating and authorizing devices.
The IoT network architectures are layered which requires devices to authenticate with multiple layers independently – devices need to authenticate with the network to prove they are allowed to connect and the devices then need to authenticate with remote application servers to prove they are allowed to exchange information. Different layers use different mechanisms for authentication. Eg a device connecting over a 3GPP cellular network to a cloud hosted application server will use a SIM card for authenticating with the network and may then use a shared key to authenticate with the remote application. A non-3GPP device may just connect to the network using a Wifi shared key, and then username/password credentials to an application. One would think this two layered authentication – first with network and then with application - would be good enough for strong security but on a closer look one can see that there is no coordination between the network authentication and application authentication. It is not that there is no desire to link the two, but the mechanisms to link the two are lacking. This lack of linking network authentication with application authentication creates a systemic vulnerability which allows hackers to hack and impersonate devices or servers using remote networks. If the two were linked the hacker would have to impersonate the device on the same network as the IoT device under attack, which creates a new level of security.
In addition to linking network security with application security, it is also important to use strong authentication at network level. While SIM based network authentication on 3GPP networks is very strong, network authentication on non-3GPP access is close to weak. Use of shared keys or passwords on Wifi networks means network authentication can be easily compromised if the shared keys or passwords are compromised thus creating a weak link. A strong certificate based authentication is recommended for non-3GPP network access, which can also be extended to application authentication.
The Openwave Mobility SmartidM solution provides a unique and novel way to share network authentication with applications to create strong end to end authenticated communications between devices (Things) and application servers. Openwave Mobility’s SmartidM has inbuilt client certificate management and authentication that helps service providers and/or IoT application vendors authenticate devices connecting using non-3GPP access. SmartidM authentication mechanisms, such as sharing network authentication with applications, and certificate-based authentication for non-3GPP access, protects IoT devices against several attacks eg:
- Attacks to discover passwords use social engineering, brute force, or reuse guesses as passwords are not involved
- Hash dumps and offline cracking of shared key database (or password database) as shared keys or passwords are not involved
- Authentication sniffing using Man In The Middle (MITM) attacks
IoT security must begin with strong authentication. By using strong authentication mechanisms as provided by SmartidM, encrypting the traffic between Things and Application servers, and by physically securing the Things and Applications themselves, we can secure this emerging new world that, like it or not, will be dominated by Things.