IoT security has been in the news lately because of various security breaches and stolen device data. The common excuse given in such cases is that IoT devices are generally low powered, have limited capabilities and usually run in the field without a human interface, which makes it harder to use many of the protocols and procedures that secure the communication of our computers and phones. However, the rise of technologies like JWT, and first-class support for them in major cloud platforms, shows that if the right methodology is chosen, secure communication in IoT is not out of reach for most applications.
Device Security Highlights
The main areas to focus on when considering device security in IoT are as follows:
– Unauthorized agents shouldn’t be able to snoop on data being sent between the IoT devices and server
– Server should be able to uniquely identify each device to avoid an outsider sending spurious data
– If security of a single device is compromised, it should not have any effect on security of other devices in the group
Each of these concerns can be dealt with using the solutions available today. A brief discussion of possible solutions for each topic follows in the next section.
Unauthorized snooping over network
Use TLS for all communication. Along with using TLS, make sure the device only trusts certificates issued by root certificate authorities, to avoid the case where an adversary uses a spurious self-signed certificate to masquerade as the real server. If using HTTPS is too resource intensive for your IoT use case, protocols like MQTT provide a low-power alternative that still supports TLS 1.2 (and hopefully soon TLS 1.3 as well). Using MQTT over TLS is considerably lighter weight because the TLS handshake is only required at the beginning of the session, and the rest of the session can continue without any additional round-trip messages.
Uniquely identifying each device
Since IoT devices usually run in “headless” mode without any direct human interaction, we can’t use the traditional username-password approach to uniquely identify them in most cases. As a result, many manufacturers use serial numbers and self-identification, which can be easily spoofed and guessed. Using cryptographic public-private key pairs is a much better approach for device identification. The attached diagram shows the workflow for registering an IoT device with Google Cloud IoT Core. The provisioner generates a key pair while provisioning the device for the first time. The private key is then securely saved on the device along with the device code and data, and the public key is registered with IoT Core’s device manager.
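The registration workflow above, combined with the JWT approach mentioned in the introduction, shown end to end as an added example (not code from the original article or from Google Cloud IoT Core). The names `registry`, `provisionDevice`, `signToken` and `verifyToken` are hypothetical, an in-memory map stands in for the device manager, and ES256 is assumed as the signing algorithm.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');
const parse = (segment) => JSON.parse(Buffer.from(segment, 'base64url').toString());
const HEADER = b64url(JSON.stringify({ alg: 'ES256', typ: 'JWT' }));

// Hypothetical stand-in for the server's device manager: device ID -> public key.
const registry = new Map();

// Provisioning: one P-256 key pair per device; only the public half is registered.
function provisionDevice(deviceId) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  registry.set(deviceId, publicKey);
  return privateKey; // stored on the device, never sent to the server
}

// Device side: sign a short-lived ES256 JWT (times in seconds since the epoch).
function signToken(privateKey, audience, now, ttl = 3600) {
  const claims = b64url(JSON.stringify({ aud: audience, iat: now, exp: now + ttl }));
  const sig = sign('sha256', Buffer.from(`${HEADER}.${claims}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // raw r||s, as JWS requires
  return `${HEADER}.${claims}.${sig.toString('base64url')}`;
}

// Server side: the claimed device ID is accepted only if the key registered for
// that ID verifies the token. Returns 'ok' or the reason for rejection.
function verifyToken(deviceId, token, audience, now) {
  const publicKey = registry.get(deviceId);
  if (!publicKey) return 'unknown device';
  const parts = String(token).split('.');
  if (parts.length !== 3) return 'malformed token';
  const [header, claims, sig] = parts;
  try {
    // Pin the algorithm; never let the token choose how it is verified.
    if (parse(header).alg !== 'ES256') return 'unexpected algorithm';
    const valid = verify('sha256', Buffer.from(`${header}.${claims}`),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
    if (!valid) return 'signature mismatch';
    const { aud, exp } = parse(claims);
    if (aud !== audience) return 'wrong audience';
    if (typeof exp !== 'number' || now >= exp) return 'expired';
    return 'ok';
  } catch {
    return 'malformed token';
  }
}
```

Because every device has its own key pair, a token signed by one device is rejected when presented under another device's ID, which is the isolation property listed in the highlights.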