IoT security has been in the news lately due to various security breaches and device data being stolen. The common excuse given in such cases is that IoT devices are generally low powered, have limited capabilities and usually run without a human interface out in the field, making it harder to use many of the protocols and procedures used to secure the communication of our computers and phones. However, the rise of technologies like JWT, and first-class support for them in major cloud platforms, shows that if the right methodology is chosen, secure communication in IoT is not out of reach for most applications.

Device Security Highlights
The main areas to focus on when considering device security in IoT are as follows:
– Unauthorized agents shouldn’t be able to snoop on data being sent between the IoT devices and server
– Server should be able to uniquely identify each device to avoid an outsider sending spurious data
– If security of a single device is compromised, it should not have any effect on security of other devices in the group

Each of these areas of concern can be dealt with using the solutions available today. A brief discussion of possible solutions for each topic follows in the next section.

Unauthorized snooping over network
Use TLS for all communication. Along with using TLS, make sure the device only accepts server certificates issued by trusted root certificate authorities, to avoid the case where an adversary tries to use a spurious self-signed certificate to masquerade as the real server. If using HTTPS is too resource intensive for your IoT use case, protocols like MQTT provide a low-power alternative that still supports TLS 1.2 (and hopefully soon TLS 1.3 as well). Using MQTT over TLS is considerably lighter weight because the TLS handshake is only required at the beginning of the session, and the rest of the session can then continue without any additional round-trip messages.

Uniquely identifying each device
Since IoT devices usually run in “headless” mode without any direct human interaction, we can’t use the traditional username-password approach to uniquely identify them in most cases. As a result, many manufacturers use serial numbers and self-identification, which can be easily spoofed and guessed. Using cryptographic public-private key pairs is a much better approach for device identification. The attached diagram shows the workflow for registering an IoT device with Google Cloud IoT Core. The provisioner generates a key pair while provisioning the device for the first time. The private key is then securely saved on the device along with the device code and data, and the public key is registered with the IoT Core’s device manager.

Now the server can uniquely identify each device for any future communication. When the device sends data, it can attach a cryptographically signed token to the data to verify that the data was indeed sent by the device identified by the key pair generated for it. Since the key pair is generated by the provisioner, the IoT device itself doesn’t need to implement key-generation algorithms, and as the private key can be stored on the device at the same time as the rest of the code and data, there is minimal overhead in terms of device provisioning. The second diagram shows the process of using JWT with MQTT for Google Cloud IoT Core.

During subsequent communication between the device and the server, we can use a JWT signed with the device’s private key. This provides a good balance between security and extra overhead, since only the token is signed by the device. In the case of MQTT, the JWT is sent in the password field of the connect message. Once the JWT is verified, an MQTT session is started, and the session is ended when the JWT expires. This way the token generation needs to be done only once per session at the device, reducing the overhead.

Limiting impact of a compromised device
Many IoT devices that can support secure communication still use default username-password combinations or serially generated identifiers. This means that if any one of the devices is compromised, the attacker can very easily get access to all the other devices in the same group. This issue can be easily avoided by using cryptographic key pairs. Each key pair is unique and totally randomly generated. If a decently secure algorithm like RSA-256 with a 2048-bit key size is used, it is next to impossible to guess the keys with the technologies available today and in the foreseeable future. Similarly for the signed tokens, if JWT is used along with the RS256 or ES256 algorithms, the tokens are proven to be secure against any potential attack possible today. This means that even if an attacker gains full access to one of your devices, they will neither be able to masquerade as other devices, nor will they be able to snoop on the data sent by other devices.
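
The per-session token flow and the isolation property described in the two sections above, as an added example (not code from the original article or from Google Cloud IoT Core). It uses ES256 through Node.js's built-in crypto module; the function names, device IDs and the example-project audience are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');

// Provisioner: one random P-256 key pair per device. The private key stays on
// the device; only the public key is stored in the server-side registry.
function provisionDevice(registry, deviceId) {
  const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  registry.set(deviceId, pair.publicKey);
  return pair.privateKey;
}

// Device: sign one short-lived ES256 token per session (MQTT password field).
function makeDeviceJwt(privateKey, audience, nowSec, ttlSec) {
  const claims = { aud: audience, iat: nowSec, exp: nowSec + ttlSec };
  const input = `${b64url('{"alg":"ES256","typ":"JWT"}')}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // raw r||s, as JWS requires
  return `${input}.${sig.toString('base64url')}`;
}

// Server: check the token only against the key registered for that device.
function verifyDeviceJwt(registry, deviceId, audience, token, nowSec) {
  const publicKey = registry.get(deviceId);
  const parts = String(token).split('.');
  if (!publicKey || parts.length !== 3) return 'unknown device or malformed token';
  try {
    const [header, claims] = parts.slice(0, 2)
      .map((part) => JSON.parse(Buffer.from(part, 'base64url').toString()));
    if (header.alg !== 'ES256') return 'unexpected algorithm'; // pin the algorithm
    const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
    if (!ok) return 'signature does not match registered key';
    if (claims.aud !== audience) return 'wrong audience';
    if (!(claims.iat <= nowSec && nowSec < claims.exp)) return 'expired or not yet valid';
    return 'ok';
  } catch (err) {
    return 'malformed token';
  }
}

// Constructed demo: a token signed by device-a, replayed under device-b's name.
const registry = new Map();
const keyA = provisionDevice(registry, 'device-a');
provisionDevice(registry, 'device-b');
const token = makeDeviceJwt(keyA, 'example-project', 1700000000, 3600);
console.log(verifyDeviceJwt(registry, 'device-a', 'example-project', token, 1700000100));
console.log(verifyDeviceJwt(registry, 'device-b', 'example-project', token, 1700000100));
```

Because the registry holds a different public key for each device, a private key extracted from device-a produces tokens that verify for device-a only. The expiry check is what ends the session lifetime on the server side.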

Security in IoT can present its own unique challenges, but if the right tools, methodology and providers with a great security record, like Google Cloud Platform, are used, it can be a very attainable goal without too much overhead in provisioning or functioning of the devices.

About the author:

Sumit Tada, System Developer & System Designer at Avalon Innovation