Scaling Identity for the Internet of Things

Thousands of connected devices use default settings, making them vulnerable to attack. You may not think much of this when you’re hurrying to set up a new router without customizing the network or password—after all, we just want to start using our new gadgets. But imagine what happens when hundreds of these internet-connected devices, including security cameras, DVRS, and printers, are remotely taken over and then programmed to maliciously attack popular websites and online services. This is not a hypothetical. It’s the real-life Mirai botnet attacks which caused major havoc in September and October 2016.

The plausibility of these attacks shouldn’t have come as much of a surprise. For years manufacturers have focused on going to market faster and making products easier to use over security best practices for millions of devices that connect to the internet.

This has left the internet full of vulnerable devices which are easily compromised by malware and simple automated scanning. Researcher Rob Graham demonstrated how broken the current state of IoT is when he connected a consumer security camera to the internet and showed that it took just 98 seconds for a botnet, like Mirai, to find and infect it.

It’s time to move past this strategy, which focuses only on cost cutting and quick release cycles, and start focusing on what truly matters for the Internet of Things: authentication and identity.

For the Internet of Things (IoT), establishing identity is crucial in order for us to be able to trust communications. But as the IoT grows from billions of devices to hundreds of billions, finding a way to scale identity is also a growing challenge—one that needs to be solved.

“The Internet of Things (IoT) has an identity problem, namely: a lack of authentication and encryption solutions that can scale to meet the unique demands of IoT deployments,” says Dan Timpson in the Security Ledger.

In his article Identity at Scale: How the Internet of Things Will Revolutionize Online Identity, DigiCert CTO Dan Timpson discusses the problems IoT faces as we move into a new age where nearly every device is connected in some way. Timpson says strong identity provided by Public Key Infrastructure (PKI) certificates is the core of online identity and security.

Security Challenges for IoT Devices

There are several inherent challenges for connected devices, which necessitates a well-rounded security solution.

For one, IoT devices are often constrained for resources. This means that its common that they lack computing power for strong encryption. Without encryption, endpoints are open to eavesdropping compromise using brute-force attacks or man-in-the-middle attacks.

However, TLS, an internet-standard capable of providing both encryption and authentication, can be used by a wide array of devices and is rarely too heavy for low-powered devices.

Scale is another challenge for the IoT. With tens of thousands of devices coming online every day, a security solution needs to be able to scale up seamlessly to accommodate management for all devices. Experts estimate there will be anywhere from 20 billion to 200 billion connected devices by the end of 2020. Do you have an efficient way to ensure a secure deployment for your devices?

Incorporating Security in the IoT

These challenges may seem overwhelming. But there is a solution that can address all of them: PKI.

In PKI, encryption keys are bound to devices with a certificate. These certificates can be customized to your needs to provide identity for your devices – for example, identifying them by serial number of another unique ID. These certificates are issued by a trusted authority known as a CA, which can easily scale to issuing millions of certificates.

PKI certificates play an important role in a complete security solution for IoT. PKI addresses the needs for encryption, authentication, and identity-proofing for every device. DevOps groups are adopting orchestration and automation tools, so certificates can be seamlessly deployed and managed, allowing for agility and maintained trust in certificates.

The demand for encryption for the IoT is growing. Read more about identity for the IoT, digital certificates, and tools for automation in Timpson’s article.