The forgotten half of IoT security – and how to fix it

Inadequate internet of things (IoT) security has gotten a lot of attention lately, and most experts say that providing all entities with PKI-based certificates is the way to go. “They are right. But what is all too often forgotten is that you have to secure the people part of IoT too,” says Daniel Hjort, director for Smart ID management at identity and security company Nexus Group.

New so-called certificate enrollment protocols now make it possible to use the security method public key infrastructure (PKI) to give all entities in an IoT system trusted identities by providing them with certificates.

The forgotten part of IoT: the people

“This makes it possible to avoid hijacking and eaves-dropping by securing the communications between the things and the central system. The news has spread to many IoT providers, and a quickly increasing number are adopting PKI. That’s great – but it’s not enough,” says Hjort.

There are always people administering and/or using the IoT systems, and their communications with the central system also have to be protected.

Passwords are not secure

“Sadly, most IoT systems let users and administrators log in with only a username and static password – even though it’s common knowledge that passwords are not secure. Some kind of two-factor authentication (2FA) is the only reasonable option – but it’s shockingly under-utilized,” says Hjort.

While it has not been possible to secure resource-constrained devices with PKI until recently, 2FA for humans has been around for many years.

User-friendly 2FA methods are now available

“But the development has actually been fast within this area too. Earlier, 2FA methods were hard to implement and maintain, and they were not user friendly. But that has changed,” says Hjort.

One example of a smooth solution is the Nexus Smart ID solution, which lets users log in securely with, for example, a mobile app and facial recognition, or with a PKI card and a PIN.

“With the technology available today, there are no excuses for endangering IoT users – or the public at large,” says Hjort.

The dangers of IoT are very real

The dangers range from sensitive information being stolen or someone recording you naked via your burglar alarm video camera, to someone hijacking and crashing your connected car or causing a serious incident in a factory.

“IoT is super cool and will make everybody’s lives better – if it’s properly secured. The dangers of improperly secured IoT systems are very real, and I really hope that the IoT providers will step up and take responsibility,” says Hjort.