State of IoT Security

Q: What is the current state of security in IoT products on the consumer scale, such as household appliances, wearables, smart-home systems, etc.?
ANSWER: There is plenty of room for improvement.

Smart watches: A recent HP study revealed security and privacy issues in all of the top 10 smart watch brands. Issues include lack of transport encryption, automatic connectivity to any Bluetooth device within range, and problems with lock down screens.

Smart home systems: These systems show many problems, including not encrypting data and having weak password policies.

Smart TVs: Some brands leave data vulnerable in transit. For example, in 2015, researchers discovered some Samsung smart TVs were sending unencrypted voice recognition data and text information.

All of these connected devices share data with mobile phones and tablets, and are often programmed to automatically connect to any Bluetooth or Wi-Fi network. Anytime a device is connected to a "public" network, there are risks involved (e.g., data theft and sabotage), so this automatic connection feature leaves these devices vulnerable.
Q: Why are there such poor security practices in IoT products?
ANSWER: Lack of understanding and devotion to good security protocols.

Manufacturing engineers and developers are usually more interested in making sure the product works and is launched on schedule, rather than making sure these devices are secure.

In order to compete in the market, many of these products are designed with an emphasis on keeping the cost as low as possible. Stronger security implementation isn't prioritized properly, because it typically doesn't reduce the cost of producing a product.

Many IoT devices lack the computing power of a desktop or laptop computer, or other higher-end devices, which makes it difficult to implement strong security.

A cultural divide exists between InfoSec professionals (those concerned with keeping the communications between devices secure), and mechanical and electrical engineers (those concerned with the switches, motors, etc., making sure the devices operate). InfoSec as an industry needs to do a better job of reaching out to build relationships with the engineers and of demonstrating the value of security to bridge that cultural divide.
Q: How do we best address the technical challenges impacting security for the IoT?
ANSWER: The security industry can do this in several ways, but it starts with recognizing the problems and then providing better education about the solutions.

In most cases, the technology is available and just needs to be implemented. For example, SSL/TLS provides strong and scalable encryption at the scale that the IoT demands. Sophisticated, managed PKI systems can handle strong identity vetting and provide reliable data encryption across all objects and devices within IoT deployments. A PKI solution should be the standard for IoT.

The security industry needs to help vendors understand the risks associated with poor IoT security. First, we need to present information from the point of view of an end-user. Second, organizations need to be made aware of the financial impact of poor security: lowered sales, diminished trust in their brand, or even health and safety risks when healthcare devices, critical infrastructure, and national defense are included in the conversation.

Simple protections can be put in place that notify end-users to set up controls over Wi-Fi and Bluetooth connectivity, enable lock screens, and use other basic security functions.
Q: How can an organization implement a trusted IoT security framework?
ANSWER: First, an organization needs to choose a Certificate Authority partner that is trusted and can scale effectively to meet their IoT requirements.

Second, manufacturers need to embed identity in devices during the OEM rollout process. Third, they need to utilize regulated Attribute Authorities.

Finally, they shouldn't rely on established technology alone; they should integrate technology and tokens, adopt policies and procedures for accountability purposes, and review relationships and responsibilities regularly.

IoT Security Solutions

Q: What is DigiCert's Solution?
ANSWER: DigiCert's solution uses SSL/TLS, certificates, and PKI to provide strong and scalable encryption to meet IoT security needs. DigiCert's sophisticated PKI management system and high-availability certificate issuance provide the required strong identity vetting, coupled with reliable data encryption across devices within an IoT deployment.

DigiCert's PKI platform uses an organization's previously validated information to issue certificates on demand, based on device profiles, extremely quickly and in high volume.
Q: What is unique about DigiCert's solution?
ANSWER: As a leading Certificate Authority, DigiCert understands the current SSL security landscape and has a laser-focus on the future of the industry. Our solution is market-ready and already deployed to meet the demands of high-volume certificate issuance with no lead time required.
Q: How is the DigiCert solution superior to other providers?
ANSWER: DigiCert is a Certificate Authority solely dedicated to advancing SSL security and making SSL Certificate management easier. We don't offer "extra" security software or hardware, which leaves us available to create desperately needed security solutions for emerging markets.
Q: What open standards and protocols are used?
ANSWER: DigiCert uses SCEP (Simple Certificate Enrollment Protocol), EST (Enrollment over Secure Transport), and RESTful API (representational state transfer application program interface).

Private Key

Q: How is the private key generated?
ANSWER: During manufacturing, the private key is placed directly on the device by its own cryptographic library, or by a hub/controller as close to the device as possible.
Q: If the private key is generated "on-device", then how many lines of code need to be written by the developer (approximately)?
ANSWER: Scripting OpenSSL to create certificate signing requests (CSRs) based on a few pieces of input could be done with fewer than 10 lines of code.
Q: If the private key is generated "off-device", then how many lines of code need to be written by the developer (approximately)?
ANSWER: It can range from 50 to 1,000 lines of code across the various devices that need encrypted communications.
Q: Does DigiCert support both "on-device" and "off-device" private key generation?
ANSWER: Yes, we just need the CSR/public key regardless of its origin.
Q: How is the private key stored and protected?
ANSWER: Typically, it is stored on the device using Operating System (OS) access controls; otherwise, it's stored in a FIPS-compliant HSM.
Q: Is storing the private key in hardware an option?
ANSWER: Yes, the private key can be stored in hardware.
Q: Does the private key ever have to be off-device?
ANSWER: No, the private key should be stored on-device.
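
The on-device flow described in this section (generate the key on the device, keep it there under OS access controls, and send only the CSR to the CA), sketched with the OpenSSL command line. This is an added example, not DigiCert's code; the organization name, device identifier, and file names are constructed placeholders, and the P-256 curve is an assumption.

```sh
#!/bin/sh
# Added example: on-device key generation and CSR creation with the OpenSSL CLI.
# "Example Devices", the device ID and the file names are placeholders.

# make_device_csr DIR DEVICE_ID
# Generates a P-256 private key inside DIR, then writes a CSR that carries
# only the public key and subject. Prints the CSR path on success.
make_device_csr() {
    dir=$1; dev_id=$2
    (
        umask 077   # key file is created readable by its owner only
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/device.key"
    ) || return 1
    openssl req -new -key "$dir/device.key" -sha256 \
        -subj "/O=Example Devices/CN=$dev_id" \
        -out "$dir/device.csr" || return 1
    echo "$dir/device.csr"
}

# csr_is_valid CSR
# Checks the CSR's self-signature, i.e. that whoever built the request holds
# the matching private key. Matches on the message text because the exit
# status of "req -verify" differs between OpenSSL releases.
csr_is_valid() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# csr_subject CSR
# Prints the subject so the device identifier can be checked before submission.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Usage: csr=$(make_device_csr /path/to/keystore sensor-0001) && csr_is_valid "$csr"
```

Only `device.csr` is submitted for issuance; `device.key` stays in the directory where it was created.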

Device

Q: What languages are supported?
ANSWER: SCEP, EST, RESTful API (JSON or XML).
Q: What operating systems are supported?
ANSWER: All major operating systems trust DigiCert certificates by default.
Q: How is the device seeded with a unique identifier?
ANSWER: The device is seeded during manufacturing or during the device enrollment process.
Q: Does DigiCert support a customer-specified unique identifier?
ANSWER: Yes, if the UID needs to be included in the certificate; this depends on the format of the UID and the certificate profile.
Q: Can DigiCert provide a unique identifier if needed?
ANSWER: Yes, in fact, some certificate profiles include generation of a GUID in the Subject field by default.

Management

Q: How does an IoT provider initially seed the device?
ANSWER: Ideally, the IoT provider uses a crypto engine on the device to create the private key, making sure to use a strong random number generator.
Q: How does an IoT provider re-seed a device?
ANSWER: The IoT provider uses the same process as was initially used to seed the device.
Q: How does an IoT provider revoke a certificate?
ANSWER: Revocations are managed through an online interface/API call. The revocation must be submitted for a specific serial number or certificate ID.
Q: How does an IoT provider manage which systems are trusted?
ANSWER: The device management console should set access rules and controls for systems, devices, certificates, and their connections.
Q: How does an IoT provider update the list of trusted systems securely?
ANSWER: The customer uses authenticated and/or signed messaging to and from devices based on the current trust status of certificates in use on those systems.

Certificate Authority

Q: What are the options for lengths of certificate expiration?
ANSWER: Certificate expiration lengths are based on the project needs.
Q: Can certificates be automatically provisioned and enrolled?
ANSWER: Yes, certificates can be automatically provisioned and enrolled.
Q: Is there a limit to the certificates that DigiCert's PKI platform can handle?
ANSWER: DigiCert's system can handle hundreds, thousands, millions or even billions of certificates. There is no project too big or small.

Features

Q: Approximately how many lines of code need to be written by the developer for certificate-based platform communication?
ANSWER: If there is no crypto library support initially, DigiCert recommends importing a trusted library. If crypto libraries are already present, probably 50 to 250 lines of code would be sufficient for most tasks.
Q: Approximately how many lines of code need to be written by the developer to ensure software package integrity?
ANSWER: Signing verification is straightforward, so probably fewer than 200 lines of code (given the necessary libraries are present).
Q: Approximately how many lines of code need to be written by the developer for device-to-application secured communication?
ANSWER: This would depend on the communication method and available libraries, but for something like MQTT, probably fewer than 200 lines of code.
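
For the software package integrity answer above, a device-side signature check that gates installation, again using the OpenSSL command line. This is an added example, not DigiCert's code; the file names and package contents are constructed, and a throwaway key pair stands in for the vendor's code-signing key (in a deployment the public key would come from a certificate the device already trusts).

```sh
#!/bin/sh
# Added example: a device-side check that refuses a modified update package.
# Paths and package contents are constructed; the key pair is generated here
# only so the example runs offline.

# sign_package KEY PKG SIG: build-system side, signs the SHA-256 of the package.
sign_package() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_package PUBKEY PKG SIG: device side, status 0 only if SIG matches PKG.
verify_package() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# install_if_trusted PUBKEY PKG SIG: gate the install step on verification.
install_if_trusted() {
    if verify_package "$1" "$2" "$3"; then
        echo "installed"
    else
        echo "rejected"
    fi
}

# update_check_demo: signs a sample package, then checks the original and a
# modified copy. Prints the two decisions separated by a space.
update_check_demo() {
    d=$(mktemp -d) || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/vendor.key"
    openssl ec -in "$d/vendor.key" -pubout -out "$d/vendor.pub" 2>/dev/null
    printf 'firmware 1.0 (constructed sample)\n' > "$d/fw.bin"
    sign_package "$d/vendor.key" "$d/fw.bin" "$d/fw.sig"
    good=$(install_if_trusted "$d/vendor.pub" "$d/fw.bin" "$d/fw.sig")
    printf 'extra bytes' >> "$d/fw.bin"   # package changed after signing
    bad=$(install_if_trusted "$d/vendor.pub" "$d/fw.bin" "$d/fw.sig")
    rm -rf "$d"
    echo "$good $bad"
}
```

The device needs only the public key and the detached signature; the signing key stays with the build system.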

Licensing

Q: Does DigiCert offer device- or certificate-based licensing?
ANSWER: DigiCert offers flexible pricing that is typically certificate-based. To get more information, see Request More Information or call an expert at 1-801-877-2119.
Q: Does DigiCert charge for other components of their solution?
ANSWER: DigiCert only charges for certificates.