
Credential Management for IoT Devices: Rethinking Access Control and Authentication


The Internet of Things (IoT) provides countless opportunities for businesses by increasing their market competency, helping build robust and long-lasting consumer relationships, and discovering new market opportunities. But, IoT security has been a significant challenge worldwide. Gartner predicted that by 2020, about 25% of all security breaches would involve IoT.


The security challenges become more severe in industries where handling configuration and device authentication credentials is inconvenient. Companies need to develop strong authentication and communication protocols that provide integrity and confidentiality protection. Otherwise, hackers can modify messages in transit or steal critical data by eavesdropping.


Simply put, strong authentication protocols ensure that all the devices in the IoT network achieve their intended objective. Each device requires a unique identity that is authenticated when it tries to connect to the central server or the gateway. This unique ID allows system administrators to monitor each device throughout its life cycle, constantly communicate with it, and revoke its privileges if it behaves maliciously.


Top 5 IoT Security Challenges

IoT networks allow disparate devices to connect, share critical information, and perform collective actions that positively impact the health of a business. They increase efficiency, improve profitability, reduce operational expenditure and help build better customer relations.


But there are numerous vantage points that hackers can exploit to hack into IoT networks. The top five IoT security challenges are mentioned below:


1. Remote Attacks

A few years back, Vectra Networks publicly announced that IoT devices, such as Wi-Fi security web cameras, can be hacked to steal a company’s private data.


Hackers can reprogram such devices as permanent backdoors that traditional security methods and procedures cannot detect. Hackers don’t have to worry about intrusion prevention systems, firewalls, and antivirus software because IoT devices have neither the memory nor the processing power required to run any security software.


Statistics show that a cyberattack takes place every 39 seconds and with the proliferation of IoT systems, it’s only going to increase.


2. Issuing Bug Fixes and Other Updates

Manufacturers often fail to install automated bug reporting systems in IoT devices. These systems log and report data to the product development team so that problems can be resolved even before customers know about them.


For example, consider a washing machine that starts experiencing unusual levels of vibration two years after purchase. Suppose the machine has a built-in low-cost accelerometer and thermometer and is connected to the company’s servers.


In that case, a bug report will be created and sent to technicians who can rework the design and offer replacement motors to customers who haven’t yet experienced any fault.


3. Unauthorized Production

Zscaler’s annual IoT report shows that unauthorized devices, called shadow IoT devices, are on the rise. The major challenge associated with them is that IT experts are often unaware of the devices that aren’t a part of the corporate IoT network and their impact on overall security architecture.


Unauthorized in-car multimedia systems, IP cameras, and smartwatches fall under this category.


As IoT is closing the gap between the virtual and real world, the former protective walls are falling, which means that cyberattacks will only increase in the coming years.


4. No Regularity around Patches or Updates

IoT devices are secure when they hit the shelf. But, in an era where the cybersecurity landscape is changing every second, companies need to develop and release patches and updates periodically to keep them safe forever. The consequences of IoT attacks can prove life-threatening for companies.


The following list names devices that have already been proven vulnerable to IoT attacks:


Security cameras

Smart refrigerators

Smart thermostats

Baby monitors

Drug infusion pumps

To boost consumers’ trust levels, companies need to develop new patches and updates so that issues are fixed on time.


5. Weak Authentication

Weak authentication is another example of inefficient credential management for IoT devices. Several devices, such as security cameras, are programmed with default passwords that are relatively easy to hack, which lets attackers deploy malware.


Companies often neglect taking security measures for low-cost IoT devices, which can cause severe damage to their reputation and financial health if hacked.


Businesses can manage credentials for IoT devices in the following ways:

Companies need to consider IoT device security as their topmost priority. It entails ensuring data confidentiality, creating trusted device identities, and maintaining data integrity at each step.


Manufacturing teams can achieve these objectives by employing elements for encryption, authentication, and code signing.


The following points will explain this further:


Create Unique Credentials for Each Device

There needs to be mutual trust between the user and the manufacturer that the information they receive is authentic. One of the best ways to do so is by issuing unique identities through digital certificates for each IoT device. This method is better than using default passwords, which are simple to break.


Moreover, it’s also more reliable than shared keys for symmetric encryption, because a shared key fails to distinguish between devices. Digital certificates, on the other hand, provide a unique authentication method for each IoT device that offers two benefits.


Firstly, manufacturers can share critical data and updates with a specific device. And secondly, they can confirm the authenticity of the information sent by the same device.
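How per-device certificates differ from a shared secret, as an added Go example that is not part of the original article: a root CA signs one certificate per device, and the gateway accepts a device only if its certificate chains to that root and its serial has not been revoked. The Issue and Authenticate functions, the Ed25519 keys, the name camera-0001 and the serial numbers are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue binds the name cn to pub in a certificate signed by caKey; ca == nil self-signs a root.
func Issue(serial int64, cn string, pub ed25519.PublicKey, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca == nil {
		t.IsCA, t.KeyUsage, ca = true, x509.KeyUsageCertSign, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authenticate is the gateway check: chain to the organization's root, then the revocation list.
func Authenticate(root, dev *x509.Certificate, revoked map[string]bool) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := dev.Verify(opts); err != nil {
		return "", fmt.Errorf("not issued by our root: %w", err)
	}
	if revoked[dev.SerialNumber.String()] {
		return "", fmt.Errorf("device %s is revoked", dev.Subject.CommonName)
	}
	return dev.Subject.CommonName, nil
}

func main() { // constructed names and serials; errors dropped for brevity
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	root, _ := Issue(1, "Example Org Root CA", rootPub, nil, rootKey)
	camPub, _, _ := ed25519.GenerateKey(rand.Reader) // private half stays on the device
	cam, _ := Issue(2, "camera-0001", camPub, root, rootKey)
	fmt.Println(Authenticate(root, cam, nil))
	fmt.Println(Authenticate(root, cam, map[string]bool{"2": true}))
}
```

Revoking serial 2 cuts off that one device without touching any other, which a shared key cannot do. Proof that the device holds the matching private key is left to the transport (for example a mutual TLS handshake) and is not shown here.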


Take Extra Precautions for Private Key Storage

Unique digital certificates for IoT devices are created with asymmetric cryptography, which generates a private and public key pair for each one. These private keys need to be stored securely by manufacturers.


Trusted Platform Module (TPM) technology provides a hardware-based secure crypto-processor that protects digital certificates and cryptographic keys.


Companies dealing with IoT devices should invest in this technology as it eliminates data encryption-based redundancies and provides 360-degree protection to private keys.


Always Verify Firmware and Software Updates with Code Signing

There is always a threat of hackers pushing malicious software updates into IoT devices. Manufacturers can eliminate this threat by requiring devices to verify any new software or firmware authenticity before installation. For this, manufacturers have to sign their code using a digital signature obtained through a public/private key pair.


The process is relatively simple. The IoT device requires the public key that matches the manufacturer’s private key and uses it to check the signature. This has two benefits.


Firstly, the device will verify that the update/data has been sent by the manufacturer. And secondly, it will verify that the update/data hasn’t been modified in transit.


Thus, code signing protects IoT devices from installing malicious software from unverified third parties.
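The verification step described above, as an added Go example that is not code from the original article: the manufacturer signs the image with its private key, and the device accepts the package only if the signature verifies under the public key it already holds. Ed25519, the package layout (image followed by signature) and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

var (
	ErrMalformed    = errors.New("update package too short to carry a signature")
	ErrBadSignature = errors.New("signature does not verify under the manufacturer's public key")
)

// NewSigningKey makes the manufacturer's key pair; only the public half ships in devices.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// PackUpdate runs on the build system: image followed by its 64-byte signature (constructed layout).
func PackUpdate(priv ed25519.PrivateKey, image []byte) []byte {
	pkg := append([]byte{}, image...)
	return append(pkg, ed25519.Sign(priv, image)...)
}

// VerifyUpdate runs on the device before install; it returns the image only if the signature holds.
func VerifyUpdate(pinned ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) <= ed25519.SignatureSize {
		return nil, fmt.Errorf("%w: got %d bytes", ErrMalformed, len(pkg))
	}
	split := len(pkg) - ed25519.SignatureSize
	image, sig := pkg[:split], pkg[split:]
	if !ed25519.Verify(pinned, image, sig) {
		return nil, ErrBadSignature
	}
	return image, nil
}

func main() {
	pub, priv := NewSigningKey()
	pkg := PackUpdate(priv, []byte("constructed firmware image v2"))
	_, genuine := VerifyUpdate(pub, pkg)
	pkg[0] ^= 0x01 // a single bit changed in transit
	_, modified := VerifyUpdate(pub, pkg)
	fmt.Println("genuine:", genuine, "| modified:", modified)
}
```

The same check rejects a package signed with any key other than the manufacturer's, which covers the first benefit (origin), while the flipped bit covers the second (integrity).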


Establish an Organization-Specific Root of Trust (RoT)

Encryption keys are held inside a Root of Trust (RoT). The RoT helps perform initial identity validation when digital certificates and new keys are issued.


A company-specific RoT enables manufacturers to monitor the identity validation process for any person or device to which they issue an encryption key.


It also allows them to set the parameters for identity verification, which significantly increases trust.


IoT security is a must and businesses should start working on it now

The use of IoT devices is increasing substantially. Gartner forecasts suggested that the IoT market would grow to 5.8 billion endpoints in 2020, which is 21% higher than 2019. When the world is embracing IoT, manufacturers must develop and implement top-notch security solutions.


Today, almost all companies are investing in building innovative devices and competing to increase their market share. But at the same time, cyber-attacks are also growing rapidly and can significantly lower customers’ trust and cause damages worth millions of dollars.


Therefore, companies must invest more in developing security solutions to stop security breaches.


Conclusion

We live in a world dominated by smart devices. Intelligent machines have become part and parcel of every industry. But it has also significantly increased the presence of hackers who try to steal critical business information.


Companies should employ a Public Key Infrastructure (PKI) program to strengthen IoT security through code signing, authentication, and encryption that will allow them to introduce new products in the market speedily, while maintaining top-notch security standards.


https://www.business2community.com/cybersecurity/credential-management-for-iot-devices-rethinking-access-control-and-authentication-02395986
