Internet of Things 101 – IoT Device Authentication Explained

October 02, 2018 Security and Compliance, MOVEit

Readers of previous posts are aware of my reservations on the current ubiquitous drive to connect absolutely everything (from the frivolous to the useful) to the internet but there is no denying that the trend will continue unabated. This will create security risks that need management. 

Just like the software industry, where security by design is encouraged in software development, the IoT needs to incorporate some sort of checking mechanism to ensure that any data created is sent and received by involved parties only. Is this necessary?

Without a doubt. Whether it’s a sensor-based device or used to perform a specific function, all devices are open to hacking unless preventative measures are taken (we need to enforce security by design). There are several examples of this, from disabling a surveillance monitor on a Turkish pipeline to attacks on medical devices such as insulin pumps and MRI machines. These attacks were potentially life-threatening and indicate that some hackers have no scruples when it comes to target selection or gaining bragging rights to fellow cybercriminals.

Other attacks seem less malicious but still provide food for thought. A baby monitor was hacked, allowing the hacker to talk directly to the infant. Interested in smart guns? Yep, one of these was hacked by a security researcher and his wife. In addition to changing bullet trajectory remotely, they also discovered that the default Wi-Fi password could not be changed.

Clearly, connected devices incorporate risk that could endanger lives or jeopardize the well being of your company or family. To understand the risks, we first need to understand how devices communicate.

How Does an IoT System Actually Work?

The IoT is much more than connected devices and ideally requires an organized and dedicated IoT infrastructure, which is typically viewed as having four distinct stages to reflect the path data travels from IoT devices to final analysis. Data processing can occur at each of these four stages. These stages are:

  • The sensor or actuator – For example, a sensor may collect data to monitor water temperature while an actuator will perform a physical function, such as closing or opening a valve when a predetermined temperature is reached.
  • Internet Gateways – Analog sensor data is collected and converted to digital, then streamed over your chosen protocol, whether Wi-Fi, wired LAN or the Internet. This allows all data to be sent out for processing as real-time analysis is data intensive and could slow down your network. Think of it as a pre-processing aggregation stage from all IoT devices. One example is the Azure IoT hub – where device data is sent to the cloud.
  • Edge IT – An intermediary stage that performs additional analysis before sending data to the data center. Again, this is to reduce traffic to the data center and ensures that network bandwidth is not exceeded at the data center. For example, you will not require all data from all devices but only data that satisfies defined criteria for further action.
  • The Data Center or Cloud – Detailed analysis of remaining data is possible, and reports generated are sent to the on-premise network. When data-intensive processing and analysis takes place off-site, IT teams do not need to worry about lack of network bandwidth onsite.

How each of these stages is implemented will depend on the number of IoT sensors and devices, the volume of data generated and how this data is processed. An effective IoT ecosystem must consider security and authentication is one way of achieving that goal, whether  involved in the Industrial Internet or simply leveraging the benefits of IoT devices that complement operational processes.

What is IOT Authentication?

The ability to secure data and limit it to only those with the correct permissions is not a new idea and is used extensively in many industries. One can only wonder why connected devices were not subject to the same security principles from the beginning.

There are simply too many categories of IoT devices to mention in a post of this size but they vary widely in terms of security levels. Some connect using proximity-based protocols such as Bluetooth, RFID (radio frequency identification), or Wi-Fi while others use GPS, 4G or are hard-wired. Connecting them is often as easy as scanning for nearby devices, by inputting a short code (that may or may not be changed from a default) or by using a form of multi-factor authentication to verify device and recipient permissions.

Cue the game show Jeopardy! “What is IoT authentication?”. The answer is, of course, impossible to define in a short sentence but perhaps in a paragraph or two.

IoT use cases are as varied as the IoT products they utilize but current trends suggest that change is coming, although it may take a while to filter through to all device manufacturers. Most of us are familiar with online shopping. Would you buy from a store that does not utilize SSL, where the lock symbol is displayed on some browsers or the address starts with https? A similar approach to IoT devices is likely and is known as PKI (public key infrastructure) where digital certificates prove the authenticity of the site or in this case, the IoT device.

Digital certificates would ensure a level of trust in an IoT device that may otherwise be lacking and, when combined with IoT applications to monitor the infrastructure, could identify and prevent access to uncertified devices with weak security.

In my opinion, there is no real blockchain vs. PKI argument but it’s worth mentioning. Blockchain’s use of a decentralized ledger could enhance PKI and ensure digital cert management is audit-able and of course any changes made are irreversible. If not decentralized, PKI for the IoT could well be perceived as a financially-motivated initiative by digital cert providers. That said, the primary concern is how to manage authentication.

Implementing IOT Authentication Methods

Regardless of authentication method, IoT security is the aim. You may decide two-factor authentication is sufficient or require SSO (single sign-on) for convenience. You may wish to use Azure IoT to manage all devices. You may have specific requirements for quality of service that require the use of an MQTT client. MQTT (Message Queuing Telemetry Transport) is a messaging protocol and one of many possibly used by IoT devices.

However, IoT devices use a wide variety of protocols and standards and your authentication methods must consider this variation. Therefore, familiarity with these variations is a must and intimate knowledge of the IoT devices purchased is necessary to ensure that each device is capable of authentication in a secure manner. Some may need manual update (lacking OTA functionality) and others may have locked settings that cannot be changed from the default. Perhaps an IoT platform will automate most of your requirements?

In conclusion, IoT authentication methods are necessary to secure IoT devices and there are several ways to achieve this objective. Some may assign dedicated IoT networks, sacrificing beneficial features in the name of security. Bear in mind that it is possible to integrate everything in a manner that is also secure, but you need to ensure that devices are built with security by design. As a result, you may need to decommission some devices but surely that’s a small price to pay for peace of mind and a secure infrastructure?

Michael O'Dwyer

An Irishman based in Hong Kong, Michael O’Dwyer is a business & technology journalist, independent consultant and writer who specializes in writing for enterprise, small business and IT audiences. With 20+ years of experience in everything from IT and electronic component-level failure analysis to process improvement and supply chains (and an in-depth knowledge of Klingon,) Michael is a sought-after writer whose quality sources, deep research and quirky sense of humor ensures he’s welcome in high-profile publications such as The Street and Fortune 100 IT portals.