The Internet of Things has brought connectivity to many billions of devices worldwide. While many of these devices collect non-personal information, such as temperature and humidity, every one of them can be abused in attacks, including mass-scale denial of service. But simple web attacks are not the only threats that lie in IoT devices. Here, we will look at what security certificates are and why they may be critical to security in the future of the Internet of Things!
Encryption is Not Enough
One of the biggest issues currently facing the Internet of Things is that many IoT devices suffer from serious security flaws. These flaws creep into designs in a number of ways, including the use of widely available operating systems, common microcontrollers, or simply outdated bad practices. One example of how integrating a common OS into an IoT device can be disastrous was the Mirai worm, which targeted IoT devices running Linux.
The worm would try to connect to an IoT device via telnet, then work through a list of commonly used usernames and passwords to gain entry. Once in, the worm would overwrite the firmware to include itself, and the IoT device became a zombie, ready to take orders in mass Distributed Denial of Service (DDoS) attacks. The result was major sites like Netflix and GitHub going offline. Had manufacturers disabled default settings such as enabled telnet and changed the default usernames and passwords to unique combinations, the attack would never have happened.
However, shipping a commonly available operating system with its security settings unchanged still looks good next to manufacturers who do not use encryption at all and send data over plaintext protocols such as HTTP. When accessing "boring" websites (such as news and weather) there is no real need for encryption, since the data being sent between your computer and the website is not sensitive (an attacker does not care that you like to check what the weather is going to be like today).
When accessing websites such as online shops and banks, however, encryption is absolutely critical, as it prevents attackers from directly reading your traffic, including usernames, passwords, and other sensitive details. Many IoT devices on the market do not use encryption, which lets attackers view their data with ease. This can include images from webcams, audio from microphones, and login information for accounts, and it can even allow an attacker to take control of the device.
So encryption allows a client and a server to communicate with no one else knowing what was transmitted. But, as it turns out, encryption alone is not enough to prevent attacks, and IoT designers may need to start thinking about integrating certificates!
When two devices (a client and a server, for example) perform their key exchange and agree on how to encrypt their messages, both can be sure that no third party can snoop on the conversation. However, neither party has any idea whether the other is authentic, that is, whether it really is who it claims to be. For example, when you check your bank balance online, how do you know the website you have just logged into really is the bank's? How do you know it is not a fake, pretending to be your bank and stealing your information? This is where security certificates come in!
A security certificate is a special digital certificate containing information similar to that on a driver's license: the owner of the certificate, who authorized it, a serial number, and an expiration date. The certificate is issued and signed by an organization called a Certificate Authority (CA), a company that both parties trust. In the online banking example, when a user connects, the server sends its certificate to the user, whose browser checks the CA's signature on it to confirm that the server is authentic.
Adding authentication to IoT devices could benefit IoT security in a number of ways. Firstly, IoT devices are often hacked remotely, with an attacker trying to enter the device over its internet connection. If an IoT device will only communicate with an authenticated server, any outside attempt to communicate with it can simply be ignored.
Digital certificates could also be applied to firmware updates, preventing the IoT device from installing untrusted software. Authentication also helps prevent attackers from pretending to be IoT devices in the hope of accessing data held on servers, such as recorded conversations, images, and other potentially sensitive information.
One flaw with digital certificates is the reliance on a private business remaining operational and using the latest security measures. An attack on a certificate authority could spell disaster for every user reliant on that authority: should the CA be compromised, an attacker can make themselves look like any website registered with that CA.
Improving Authentication in Digital Security
Currently, IoT security certificates are a very new industry tool and there are few providers of them. This does not mean that engineers should shy away from researching such practices, since the future could see digital certificates becoming mandatory in a world where almost all electronics are connected to the Internet of Things.