Skip to main content
banner image
venafi logo

Why We Need a Whole New Paradigm for Securing the IoT Ecosystem

Why We Need a Whole New Paradigm for Securing the IoT Ecosystem

securing IOT
March 30, 2020 | Guest Blogger: Anastasios Arampatzis


Connected homes, self-driving cars and automated industry—just a few of the things that come to mind when you think of the Internet of Things (IoT). Behind the scenes, however, there’s still plenty of work to be done before many IoT devices can truly become a cost-effective and efficient reality.
 

In fact, only recently did a hacker disclose a massive list of more than 500,000 Telnet credentials for servers, home routers, and IoT "smart" devices. According to ZDNet, the list includes each device's IP address, along with a username and password for the Telnet service, and it was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using either factory-set default usernames and passwords, or custom, but easy-to-guess, password combinations. These types of lists—called "bot lists"—are a common component of an IoT botnet operation. Hackers scan the internet to build bot lists and then use them to connect to the devices and install malware.
 

What Will the New IoT Security Require?

The paradigm above highlights the importance of understanding the security issues posed by increasingly complex networks of connected IoT devices, and the need for new security solutions supporting constrained device deployments, which include embedded devices with very restricted RAM, ROM, or power budget. These security solutions should support:
 

  • End-to-end security, across multiple intermediary devices and protocols
  • Group communication with individual responses securely bound to the request
  • Authentication, authorization and access control with granular and rich permission set configured by the application
     

The purpose of this blog is to present three recent advancements in the field of IoT security. It is important to highlight that all three solutions are the result of cooperation, either between businesses and academia (OSCORE) or between businesses (BroadKey and KeyScaler).
 

 

 

How Can OSCORE Help?

As part of the Horizon 2020 European project for the certification and security of IoT devices, Ericsson in partnership with RISE Research Institutes of Sweden have developed OSCORE (Object Security for Constrained RESTful Environments), which is a new lightweight IoT security protocol designed specifically for constrained nodes.
 

In July 2019, the Internet Engineering Task Force (IETF) published RFC 8613 standard which standardizes this new communication security protocol. OSCORE is defined as an extension to the Constrained Application Protocol (CoAP) and reuses CoAP's serialization of messages. According to RFC 7252, CoAP is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.
 

TLS Security in CoAP

CoAP specifies the use of proxies for scalability and efficiency and references TLS for security. However, CoAP-to-CoAP, HTTP-to-CoAP, and CoAP-to-HTTP proxies require TLS to be terminated at the proxy. Therefore, the proxy not only has access to the data required for performing the intended proxy functionality, but is also able to eavesdrop on, or manipulate any part of the message payload and metadata in transit between the endpoints. The proxy can also inject, delete, or reorder packets since they are no longer protected by TLS.
 

The trust model where all intermediary nodes are considered trustworthy is problematic, not only from a privacy perspective, but also from a security perspective, as the intermediaries are free to delete resources on sensors and falsify commands to actuators (such as "unlock door", "start fire alarm", "raise bridge"). Even in the rare cases where all the owners of the intermediary nodes are fully trusted, attacks and data breaches make such an architecture brittle.

Figure 1: Abstract Layering of CoAP with OSCORE. Source: Ericsson/RISE Research Institutes of Sweden


How Does It Work?

OSCORE (RFC 8613) provides end-to-end protection between endpoints communicating using CoAP. OSCORE is used together with TLS to protect the application layer request and response messages between the endpoints. Therefore, OSCORE protects not only the payload containing the value associated to an indicated resource, but also the request method, the identifier of the resource, and the content format of the payload. In this way, the application relevant data and semantics of the request/response can be protected in a way which is decoupled from the transport of the messages, and it is also lightweight in terms of overhead.
 

Figure 2: Protecting CoAP Messages with OSCORE. Source: Ericsson/RISE Research Institutes of Sweden


OSCORE Security

OSCORE is specified to offer end-to-end encryption, integrity, replay protection, and binding of response to request. The latter is important to prevent attacks involving forwarding of a response intended for one request to another request. OSCORE requires a pre-shared master secret to derive a security context with which the communication is protected. The security context may be used for the lifetime of the device provided it is securely updated. As an alternative procedure, the master secret may be used multiple times with an initiation protocol to derive different security contexts between the same or different endpoints. The master secret may have been established out-of-band or with a key establishment protocol.
 

IoT Machine Identity Lifecycle Automation

The growing number of endpoints require strong identities as the foundation of trust to establish and scale robust security. Intrinsic ID’s BroadKey is a secure root key generation and management software solution for IoT security that allows device manufacturers to secure their products with an internally generated, unique identity without the need for adding a costly, security-dedicated silicon.

This solution, funded by Venafi’s Machine Identity Management Development Fund, is fully integrated with the Venafi platform, and will enable Venafi customers to ensure device authenticity through acquisition, deployment and use.
 

How does BroadKey Implement a Root of Trust?

To solve security problems in IoT systems, such as authentication, product lifecycle management, reverse engineering and cloning, every device needs an unclonable identity. This consists of a secret key, a public key and a certificate. The biggest challenge is to get these credentials into the device. The figure below illustrates how this can be achieved by using BroadKey.

BroadKey creates the secret key of the unclonable identity from within, using the intrinsic randomness in uninitialized SRAM. This secret key is not stored but is dynamically regenerated from the SRAM PUF.
 

Figure 3: BroadKey in Action. Source: Intrinsic ID


At power-up, SRAM bits settle in the one or zero state in a non-deterministic way that not even the manufacturer can predict or duplicate. That’s what makes it a physical unclonable function, or PUF, which can be used as a unique “silicon fingerprint.” An SRAM PUF response is a noisy fingerprint and turning it into a high-quality and secure key vault requires further processing.
 

This is done with the BroadKey software IP. BroadKey reliably reconstructs the same cryptographic key under all environmental circumstances. Upon first use, called the enrollment, it generates an activation code (AC) which, in combination with the SRAM startup behavior, is used to reconstruct on demand, in real time, an intrinsic PUF key. This PUF key is never stored in flash or OTP. When it is needed later it can be reconstructed.
 

Completing the unclonable identity requires that a public key be generated from the secret key. And this public key can be turned into a certificate by signing it at a certificate authority. At that point the device is ready to prove its identity and set up a secure channel with another device, a server or a cloud.
 

Code Signing for IoT

Device Authority KeyScaler delivers full end-to-end code signing and update delivery for IoT use cases, so organizations do not need to design and build their own home-grown solutions to fulfill their requirements. Again, this solution is funded by Venafi’s Machine Identity Management Development Fund and is fully integrated with the Venafi platform. Additionally, KeyScaler customers can use the Venafi Trust Protection Platform as a source for certificate issuance to fully manage and protect their machine identities.
 

KeyScaler IoT Security Platform

Device Authority has introduced a new paradigm of IoT security automation that accelerates and simplifies the deployment of strong IoT security. KeyScaler helps customers simplify the process of establishing a robust, end-to-end security architecture within the IoT and deliver efficiencies at scale through security automation. Therefore, KeyScaler provides a critical foundation for establishing and maintaining trust and security for IoT devices, applications, and data generated by them to securely enable data collection, analytics, decision-making, process automation, and control systems.
 

Figure 4: KeyScaler IoT Security Platform. Source: Device Authority


KeyScaler is an innovative platform that delivers comprehensive IoT security automation at scale through secure device registration and provisioning, policy-driven credential delivery and management, secure updates, and end-to-end device derived cryptography for data in transit and at rest across networks and cloud services.
 

What is more, KeyScaler has been designed for rapid integration and interoperability. Device Authority has developed a flexible device interface protocol that interoperates with KeyScaler for delivering automated PKI for IoT devices. Extensive REST API integration enables an abstracted interface for leveraging the security engine and system controls. The platform is highly suitable for Secure by Design architectures and follows the white listing approach for device registration.
 

Conclusion

Businesses and academia supported either by governmental organizations, such as the EU, or by private funds, such as Venafi’s Development Fund, are moving towards developing solutions for securing the IoT ecosystem. Venafi is proud to be part of this effort, because we strongly believe that “united we stand, divided we fall.” Such collaborations will help us develop secure-by-design and privacy-by-design IoT devices that will eliminate the attack surface and offer an added value to our society.

 

To date, there is no regulated protocol for machine to machine communication - in a world where Industry 4.0 and IoT are operating on even more networks and creating an ever larger attack surface. Find out what Venafi and Accessec are doing to improve IoT standards in the industry.

 

 

 

 

 

Related posts

 

Like this blog? We think you will love this.
unclonable machine identities
Featured Blog

Unclonable Machine Identities for Industrial IoT Devices

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Guest Blogger: Anastasios Arampatzis
Guest Blogger: Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat