Mobile devices have evolved significantly in terms of power in the last few years, but other devices emerging as part of the IoT ecosystem can still be extremely limited by computing power and battery life. With the predicted growth of the IoT and the subsequent increase of connected devices with a wide range of power and memory, security is more essential than ever before.
In standard IoT devices, proper authentication and encryption of data can ensure a safe connection between a network and a device; this connection is established through the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. TLS certificates in the web PKI ensure that, when logging in to a website and exchanging information, an individual is doing so over a secure connection. TLS certificates in IoT perform similar functions, but are typically focused on ensuring mutual authentication in an automated fashion.
According to ECN magazine, “Many IoT devices are based on low-end microcontrollers (MCUs) that have low processing power and memory”—a notion that has birthed the myth of TLS being “too heavy” to protect these low-powered devices. The myth is reinforced by the fact that some lower-memory devices lack a user interface, while others are designed by OEMs with little to no experience in Internet security.
Enabling robust security for low-end devices can be a challenge, but creative and modern implementations of established PKI practices, despite what some might think, can efficiently and effectively secure modern connected devices.
Network security capabilities are a constant uncertainty given the range of IoT devices, large and small, connecting to a network. From wearables to small appliances to mobile devices, there remains a question of whether low-power, low-memory devices can support security protocols such as TLS.
Today, there are many commercial and open-source TLS libraries available. ECN states, “These libraries typically consume more than 100 KB of code and data memory, which is not a lot for a smartphone, but can be quite significant for a thermostat or a smoke detector.” Some of the commercially available TLS stacks require developers to have knowledge of the TLS protocol to properly use their API. Integrating these TLS stacks into a simple embedded product can be quite challenging.
In a study by Aalto University, researchers attempted to find the total energy overhead of TLS. Transactions were studied over both a wireless local area network (WLAN) and a 3G network, and “the TLS energy overhead for 3G [was] as much as the energy consumed by the entire transaction over WLAN up to 1MB size.” The results suggested that once the TLS transaction size exceeds 500KB, the overhead becomes much less important regardless of whether WLAN or 3G is used as the access network.
Therefore, while there may not be solid enough information to determine how constrained a low-powered device would have to be to not be able to use certificate security, we do know that those devices would need to be very constrained. Additionally, messaging technologies, such as MQTT, require much less bandwidth than traditional HTTP connections and can more efficiently utilize X.509 certificates to authenticate and encrypt their payloads.
Public Key Infrastructure (PKI) provides the building blocks for authentication and trust through a digital certificate standard and trusted Certificate Authorities, such as DigiCert. PKI relies on proven technology that is widely deployed and tested. There is a plethora of research that suggests that many deployed IoT devices have not implemented adequate security measures. These connected devices represent an enormous attack surface that is actively being exploited by legitimate security researchers and malicious attackers alike.
While some believe that security measures like TLS would have no use on low-powered or low-memory devices, such as a lightbulb connected to Wi-Fi, the lessons learned over the last few years of the web PKI have established an absolute need to secure connections. DigiCert can help make secure connections a reality for any organization.