Risks of the Internet of Things (IoT) and its solutions

GUEST BLOG Every second, the Internet of Things grows by 129 newly connected devices. By 2020 alone, 90 percent of all newly delivered cars should be connected to the Internet. Whether smart medical devices, optimized production machines or automobiles – every IoT device has its own Internet access and can thus network with other participants.

Machines can be coordinated with each other, work together autonomously and process analyses are more detailed and informative than before. The degree of automation achieved also makes a significant contribution to further improvement of the quality and quantity of products. However, networking can also lead to major security weaknesses within companies. We will explain which risks companies might face using IoT solutions and will suggest solutions, focusing on the role of Digital Signatures.

In the Internet of Things at least two devices communicate with each other without human monitoring (Machine-to-Machine Communication or M2M) and thus fulfil the desired work order. The connection to the Internet requires security measures in several areas:

On the one hand, the IoT network should be secured, which can be achieved by a sensible zone architecture. Furthermore, sufficient Endpoint Security measures and a system for security analysis in the network are necessary in order to detect dangers and anomalies at an early stage. On the other hand, the devices in the network must be given adequate identities and access authorizations in order to manage them and contain unnecessary scope for action.

Secure communication between the devices is just as important as securing the infrastructure. This includes, for example, the encryption of messages and the secure authentication of the sender (and recipient). The credibility of the partner should be ensured at all times during the exchange of information, as this is the only way to guarantee the integrity and authenticity of the information sent. Trustworthy identities are therefore the basis of secure communication. Digital Signatures are used in IT to check whether a sender can be regarded as trustworthy. In the digital sector, these have the same function as handwritten signatures for paper documents.

Public Key Infrastructures (PKI) help to secure communication. They are based on verified identities of a certification authority and use an asymmetric key pair for signing and encrypting. Using a PKI, a unique signature can be created from the identity of the sender and his message and later verified by the recipient. During our PKI Workshop, we will discuss with you, how these architectures make sense and how the respective requirements can be mapped with available resources. In addition, we explain theoretical basics: certificate durations, revocation lists, hardware security modules, concrete processes and organizational measures when using a PKI in the company network. (Further information on the PKI Workshop.)

Implementing signatures in the IoT area presents a greater challenge than communication in a conventional IT infrastructure. The devices of the IoT are designed for various situations and tasks. They usually have no graphical user interface and only limited hardware resources available. A smart light bulb, for example, can communicate with and be controlled by an external app, but the computing power is not sufficient for more complex functions. The usual protocol standards for verifying identity are therefore too complicated for many small devices.

In order to close this security gap, Nexus, together with the Swedish research institute SICS, developed a new protocol to facilitate the certification process for a device: the Certificate Enrollment for Billions of Things (CEBOT). CEBOT supports the functions of a PKI on devices with low resources. It automatically connects to the Certificate Authority and only confirms a pre-installed certificate. The manual application for the certificate is therefore no longer necessary. This automates the authentication process and realizes the high security standard of a PKI also for the devices of the IoT.

CEBOT is currently still in the development process. Protocols specifically established for the needs of the IoT include Enrollment over Secure Transport (EST), the Constrained Application Protocol (CoAP) and Datagram Transport Layer Security (DTLS).