While the proliferation of connected devices has brought immense convenience to many consumers, it has also presented hackers with unprecedented opportunities to break into networks by exploiting the plethora of vulnerable IoT devices that are currently on the market. A recent report from security firm Bitdefender showed how a vulnerability in Amazon’s Ring Video Doorbell Pro IoT device could have allowed a nearby hacker to replicate the credentials of a disconnected device and gain entry into the wider wireless network when the user reconfigured the device. While this issue has been resolved, it highlights the power a single insecure IoT device can have on an organisation’s entire network.
Amid this rising threat level, how can we secure the IoT in a way that takes into account the intricate, and ever-growing web of relationships between devices, people, and services?
An incredibly complex environment:
When most people think about IoT, they think of smart products like toothbrushes, watches, doorbells and speakers. These connected devices can bring a new level of convenience and personalisation, but they are also potential security threats. Even a seemingly harmless device like a connected toothbrush or a smart thermostat could allow a hacker to gain access to your home network if it doesn't have the right security protocols in place.
In the smart city, with its high level of connectivity between everything from connected cars to buildings, this kind of vulnerability could clearly have major public consequences. The same is true for the industry as well. In smart factories, devices of varying abilities and responsibilities are becoming increasingly relied upon to perform business-critical tasks, many of which would not be possible without having access to the manufacturers’ central network, in turn opening up potential vulnerabilities.
With every device on the network having varying levels of responsibilities and authorisations, managing how each one is trusted, and who has access to it, becomes incredibly complex.
Furthermore, each device has its own level of processing power, some more limited than others, and this affects how it is authenticated and how much it can be trusted on the network. A constrained device, such as a smart door sensor, has limited bandwidth and processing power and therefore needs to communicate through a ‘gateway’ which handles the necessary processing, which in turn communicates with the cloud.
Faced with such complexity, how can IoT devices of all kinds be made secure in a way that ensures consumer’s privacy and protection from malicious actors?
The answer lies in a simple, unified approach, one that can ensure that connected devices are as secure as possible: they must be treated as first-class citizens. Similar to how human identity is verified through either a passport, a driver’s licence, or an ID card depending on the situation, treating a device as a first-class citizen means requiring the same level of identity authentication. These credentials can be baked into the device at the manufacturing stage, and used to ensure the device is who (or rather, what) it says it is.
Having secure credentials is a crucial element in handling the different authentication and security requirements of devices across four key considerations:
- Lifecycle management: Devices, similar to customers and employees, go through their own lifecycle, from introducing the device to the platform for the first time, to the ongoing authentication/authorisation of the device, all the way to when it’s decommissioned - each of these steps has its own identity requirements that need to be managed in a digital and secure way.
- Complex relationships: As the relationship between users, devices, and services become more complex, the need for a strong first-class digital identity becomes more important. For instance, a smart home security system will need to effectively manage a number of sensors, cameras, and devices while also sharing some data with an automated monitoring service for security purposes; all while ensuring that your data is only being shared to authorised users.
- Fine-grained authorisation and authentication: While authentication is important, there is increasing value to authorisation and consent. Users will always have different consent and authorisation requirements within IoT and these have to be taken into consideration - for example, you may want to share the data from your in-home flood sensor with your insurance company, but not the data from your in-home connected camera. The ability to know in a trusted way that your data stream is only going where it’s supposed to go (i.e. to the parties or companies you trust) is a very important part of consent in IoT and authorisation.
- Security at the edge: For smaller connected devices with less processing power, being able to support offline authentication for IoT ecosystems at the edge - where processing power is localised and managed by local gateways, which act as hubs for the cloud - between devices, users, and services is incredibly important. You need to ensure that any sensitive information stored locally, remains secure when the device is offline, while at the same time ensuring that the device doesn’t cease to function as soon as it loses connectivity.
Ultimately, it all comes down to each device having its own identity. It is this ‘Identity of Things’ that can allow a device to be authorised on a network in the same way a human would be authenticated when entering a secure area.
Getting identity right, for every device:
Identity and Access Management (IAM) and digital identity are critical to treating devices as first-class citizens and delivering contextual and continuous authorisation that can be applied to the complex arrays of devices, users, relationships, and data streams common in IoT.
In the connected car, for example, the vehicle must connect to the external infrastructure it’s operating within - incorporating many different cloud services, software providers, and hardware - creating a series of relationships that each requires varying levels of trust and security. This complexity also exists within the vehicle too, with each sensor in the network requiring a way of fitting into the wider hierarchy of devices. All of this must be done in a secure, tokenised ecosystem at the edge that also works in an offline environment since there will be many situations where edge devices will lose connectivity entirely.
A smart approach to digital identity will use the robust credentials baked into each device, and manage their access permissions, defining how they fit into the wider hierarchies of the device and the smart environment beyond. For example, a certain device may be easy to hack into, but its access to the network is limited, and so the threat stops there. The ultimate aim is for companies to be able to provide the best customer experience while delivering security and trust.
Once this system is in place, a manufacturer or service provider can then give users transparent controls for granting or restricting access to the information on those devices - in other words, providing fine-grain authorisation. This is crucial to ensuring the data sharing from the device is trustworthy and compliant.
Overcoming IoT’s flaws:
Like humans, devices are fallible. Hackers are getting wise to this, and see opportunities to take advantage of any vulnerabilities within the rapidly growing IoT. However, by respecting devices as entities in themselves, we can ensure that we give them the proper security and authentication required to ensure that all devices - and the users requesting access to them - are what, or who, they say they are.
By baking digital identity into connected devices from the very beginning, and ensuring you have an Identity and Access Management solution that has been designed with IoT in mind, it is possible to not only mitigate the security risks of IoT but also to maximise the potential benefits, helping to build trust with users and deliver richer, more personalised customer experiences across the entire device lifecycle.
Darryl Jones, product lead, ForgeRock