Connected devices are hitting the market in droves. Gartner estimates there will be 25 billion connected devices by 2020. This means there will be billions of connected devices that are potentially transmitting unencrypted data. When these devices include high-value targets, such as medical devices, high energy devices, and devices containing personal data, the risk of a data leak is astronomical.
PKI is the best solution. It is established and can provide authentication and encryption for securing the expanding universe of the Internet of Things (IoT). However, implementing PKI for IoT has issues that need to be considered to make it work.
Managing millions of certificates is one of the first obstacles to securing IoT. Most organizations are capable of, and accustomed to, managing hundreds or even thousands of certificates. With IoT, though, we're not talking about hundreds, thousands, or even ten thousand; we're talking millions, which is significantly more than most organizations have had to manage.
In the automobile industry alone, there are currently 23 million connected cars, and nearly 100% of all new cars on the market are not secure. With millions of connected devices, certificate management is a huge factor.
Manufacturers need to work alongside Certificate Authorities (CAs) and security researchers so their connected devices can be provisioned with certificates. Provisioning is only the beginning of securing IoT. Manufacturers also need to build devices whose security can be updated as better security becomes available. Security is always evolving and becoming better. The same security that worked 20, 10, or even five years ago is obsolete today.
New threats to security are always emerging. A decade ago 512-bit keys were considered secure. However, if you used a 512-bit key today, your site would be vulnerable to brute force attacks. Validity periods for digital certificates exist because what is considered secure today may not be secure in three years. Validity periods ensure that sites keep up with emerging threats.
As with SSL Certificates, there needs to be a cap on how long certificates for these devices remain valid. Regulations governing IoT certificates may mirror the regulations that govern SSL Certificates, and not only for validity periods.
Lastly, there is the key problem. Some companies may provision their devices with a static key. Although this is better than no security, millions of devices with the same static key is a problem. You wouldn't give millions of copies of the key to your home to millions of people.
In the same way, if a malicious hacker were able to gain access to one device's static key, then all the other devices with that same key would be compromised.
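The static-key, key-size, and validity-period problems described above can all be checked across a device certificate inventory. The following is an added example, not DigiCert's code; the record fields, the 2048-bit minimum, and the 825-day validity cap are assumptions chosen for illustration, and the inventory is constructed.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Assumed policy values for this example; the article does not specify them.
MIN_RSA_BITS = 2048
MAX_VALIDITY_DAYS = 825

def spki_fingerprint(public_key_der: bytes) -> str:
    """SHA-256 over the encoded public key; devices sharing a key share this value."""
    return hashlib.sha256(public_key_der).hexdigest()

def audit_fleet(inventory):
    """Return {device_id: [findings]} for every device with at least one finding."""
    by_key = defaultdict(list)
    for rec in inventory:
        by_key[spki_fingerprint(rec["public_key_der"])].append(rec["device_id"])

    findings = defaultdict(list)
    for rec in inventory:
        dev = rec["device_id"]
        sharers = by_key[spki_fingerprint(rec["public_key_der"])]
        if len(sharers) > 1:  # one extracted key would expose every sharer
            findings[dev].append(f"shared-key:{len(sharers)}")
        if rec["rsa_bits"] < MIN_RSA_BITS:
            findings[dev].append(f"weak-key:{rec['rsa_bits']}")
        lifetime = (rec["not_after"] - rec["not_before"]).days
        if lifetime > MAX_VALIDITY_DAYS:
            findings[dev].append(f"long-validity:{lifetime}d")
    return dict(findings)

# Constructed inventory: key bytes are stand-ins, not real DER public keys.
STATIC_KEY = b"constructed-static-key"
FLEET = [
    {"device_id": "cam-001", "public_key_der": STATIC_KEY, "rsa_bits": 2048,
     "not_before": date(2015, 1, 1), "not_after": date(2016, 1, 1)},
    {"device_id": "cam-002", "public_key_der": STATIC_KEY, "rsa_bits": 2048,
     "not_before": date(2015, 1, 1), "not_after": date(2016, 1, 1)},
    {"device_id": "pump-17", "public_key_der": b"constructed-key-pump-17", "rsa_bits": 512,
     "not_before": date(2015, 1, 1), "not_after": date(2025, 1, 1)},
    {"device_id": "meter-9", "public_key_der": b"constructed-key-meter-9", "rsa_bits": 2048,
     "not_before": date(2015, 1, 1), "not_after": date(2016, 1, 1)},
]

if __name__ == "__main__":
    for device, issues in sorted(audit_fleet(FLEET).items()):
        print(device, issues)
```

In a real fleet the fingerprint would be computed over each certificate's DER-encoded SubjectPublicKeyInfo, so that reissued certificates carrying the same key are still grouped together.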
DigiCert’s IoT solution is ready to secure connected devices and is already being used (most recently by Plex, a leader in personal media streaming). DigiCert will be providing Plex with tens of millions of IoT certificates for their servers and connected devices.
DigiCert's intuitive and scalable IoT platform makes it possible to manage the lifecycle of millions of certificates in real time. Our robust tools automate the process of deploying and installing certificates on connected devices. Because deployment is automated, organizations can change their keys often, making difficulties of deployment a non-issue.