With more than 80 different schemes for authenticating devices either proposed or implemented, best practices and reference architectures are sorely needed, experts say.
The explosion in connected devices has led to a security nightmare for many businesses and providers, as the companies cope with securing a network that no longer connects together just workstations, servers, laptops, and smartphones, but also a growing variety of devices such as printers, door locks, lights, and vehicles.
A key problem is authenticating the devices, especially as companies shift security to zero-trust models and continuous monitoring. An academic survey of authentication mechanisms used in IoT devices, for example, found more than 80 different schemes had been proposed or implemented. Security experts worry that the plethora of devices continues to expose a massive attack surface into corporate networks.
The Fast Identity Online (FIDO) Alliance kicked off its first working group meeting on internet-of-things (IoT) authentication last week, according to Nick Steele, research and development technical leader for authentication provider Duo Security.
"IoT is still very young in this space, in how it operates — there are really no standards at this point," he says. "For now, it's still really insular. A lot of these devices and how they operated are really specific to their product lines. Google Home devices operated differently than Apple Home devices, which operated differently than Amazon Alexa."
Securing networks of connected devices is a complicated problem. Within five years, an estimated 41.6 billion IoT devices will be producing nearly 80 billion terabytes of data annually, according to International Data Corp. Any authentication framework that produces a significant amount of data per device will overwhelm many networks.
In addition, authentication has to be able to work on small devices. The device that Nok Nok Labs uses to demonstrate its technology runs on a 64 MHz ARM chip with 1 MB of flash RAM — too small to run Linux. "That's a typical IoT device," says Rolf Lindemann, co-chair of the security requirements working group at the FIDO Alliance and vice president of products at Nok Nok Labs.
The major cloud providers all have software development kits (SDKs) for integrating internet-of-things (IoT) devices with their cloud services. Microsoft includes a number of authentication options in its Azure IoT Hub services, and Amazon has a well-defined process for issuing certificates to IoT devices for authentication. Google announced a year ago that its Google Cloud IoT SDK would include the ability to connect to third-party authentication libraries.
Others are jumping into the arena as well: This week, authentication provider Nok Nok Labs touted a software development kit (SDK) aimed at giving developers the tools to authenticate IoT devices.
"IoT security is still problematic, but people now understand that it is problematic, and they are looking for solutions," Lindemann says. "We need to make it simple for developers to plug building blocks together and have a secure solution."
In a paper published last year, researchers from the University of Sciences and Arts in Lebanon and Telecom ParisTech identified at least 84 different authentication mechanisms that had either been proposed or put into production. Among the most critical facets of IoT authentication are security, low processor requirements, and low bandwidth, the researchers said.
"The communication overhead of authentication protocols is a key factor, especially when dealing with power-limited devices; the number of messages exchanged between authentication parties should be kept as low as possible," the researchers stated in the paper. "In the same context, the size of the messages should be as small as possible due to the restricted bandwidth of the wireless communication protocols used."
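The criteria the researchers describe (few round trips, small messages, cheap computation) can be made concrete with a minimal mutual challenge-response exchange. The following is an added, constructed example and is not the FIDO protocol, the Nok Nok SDK, or any scheme from the survey; it assumes a per-device pre-shared key provisioned at manufacture and uses only HMAC-SHA256, which fits a device of the class Lindemann describes. It completes both-direction authentication in three messages totalling 56 bytes on the wire, and a captured response cannot be replayed against a later challenge because the server's nonce changes every session.

```python
"""Lightweight mutual challenge-response authentication for a constrained IoT device.
Constructed example: per-device pre-shared key (PSK), HMAC-SHA256 only, three messages.
Not code from FIDO, Nok Nok Labs, or the academic survey discussed above."""
import hashlib
import hmac
import os

TAG_LEN = 16    # 128-bit truncated HMAC tag keeps each message small
NONCE_LEN = 12  # 96-bit nonce, fresh per session, so old responses cannot be replayed


def _tag(key: bytes, role: bytes, *parts: bytes) -> bytes:
    # Domain-separate with a role label so a device tag can never be passed off as a server tag.
    h = hmac.new(key, role, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()[:TAG_LEN]


class Server:
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys  # device_id -> 32-byte PSK (constructed registry)
        self.pending = {}               # device_id -> outstanding server nonce

    def challenge(self, device_id: str) -> bytes:
        # Message 1 (server -> device): a fresh nonce, 12 bytes on the wire.
        n_s = os.urandom(NONCE_LEN)
        self.pending[device_id] = n_s
        return n_s

    def verify_and_answer(self, device_id: str, msg2: bytes):
        # Message 2 (device -> server): device nonce || tag over (server nonce, device nonce).
        n_s = self.pending.pop(device_id, None)
        key = self.device_keys.get(device_id)
        if n_s is None or key is None or len(msg2) != NONCE_LEN + TAG_LEN:
            return None
        n_d, tag = msg2[:NONCE_LEN], msg2[NONCE_LEN:]
        if not hmac.compare_digest(tag, _tag(key, b"device", n_s, n_d)):
            return None
        # Message 3 (server -> device): tag proving the server also holds the key, 16 bytes.
        return _tag(key, b"server", n_d, n_s)


class Device:
    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.n_s = None
        self.n_d = None

    def respond(self, msg1: bytes) -> bytes:
        self.n_s = msg1
        self.n_d = os.urandom(NONCE_LEN)
        return self.n_d + _tag(self.key, b"device", self.n_s, self.n_d)

    def verify_server(self, msg3) -> bool:
        if msg3 is None or self.n_s is None:
            return False
        return hmac.compare_digest(msg3, _tag(self.key, b"server", self.n_d, self.n_s))


def run_handshake(server: Server, device: Device):
    """Runs the exchange; returns (device_authenticated, server_authenticated, bytes_on_wire)."""
    m1 = server.challenge(device.device_id)
    m2 = device.respond(m1)
    m3 = server.verify_and_answer(device.device_id, m2)
    total = len(m1) + len(m2) + (len(m3) if m3 is not None else 0)
    return m3 is not None, device.verify_server(m3), total


def replay_is_rejected(server: Server, device: Device) -> bool:
    """A message 2 captured from an earlier session fails against a fresh challenge."""
    m1 = server.challenge(device.device_id)
    old_m2 = device.respond(m1)
    server.verify_and_answer(device.device_id, old_m2)  # legitimate session completes
    server.challenge(device.device_id)                  # new session, new server nonce
    return server.verify_and_answer(device.device_id, old_m2) is None


DEVICE_KEY = bytes(range(32))  # constructed demo key; real keys are provisioned per device

if __name__ == "__main__":
    srv = Server({"lock-01": DEVICE_KEY})
    dev = Device("lock-01", DEVICE_KEY)
    print(run_handshake(srv, dev))            # (True, True, 56)
    print(replay_is_rejected(srv, dev))       # True
    print(run_handshake(srv, Device("lock-01", bytes(32))))  # (False, False, 40)
```

The tag truncation and 96-bit nonces are the trade-off the researchers point at: each message stays under 30 bytes, and the device performs two HMAC computations per session. A PSK design like this still leaves key provisioning and revocation to be solved; certificate-based schemes such as those in the cloud SDKs above move that cost into a PKI at the price of larger messages.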
Allowing secure updates is a critical piece of the puzzle as well. In 2017, the US Food & Drug Administration required Abbott Laboratories to update the firmware on 465,000 pacemakers identified with a software vulnerability.
The ability to authenticate to the device allows companies to extend a continuous monitoring and authentication framework — also known as a zero-trust model — to their connected devices. As workers bring more devices into offices, the perimeter security model has become outdated.
Companies cannot "rely on a secure network perimeter anymore," he says. Instead, they have to take their cue from the consumer space, where there are no trusted boundaries. "In a consumer situation, it's all zero trust. ... The enterprise is finally accepting that it is the only reality."