Earlier this year, news came out that the US Federal Government has re-introduced an act that aims to increase IoT cybersecurity. This announcement has drawn fresh attention to the issue.
As some analysts have noted, IoT device manufacturers have sometimes prioritized connectivity and functionality over security in their devices. This is the case despite the increasing evidence that the IoT is a major target of cyberattacks.
However, this seems to be changing. The re-emergence of the Mirai botnet has stressed the importance of defending the IoT. This was further exacerbated by recent concerns over how easily the Triton malware was able to infiltrate IoT devices.
There has been much speculation about how to secure the IoT going forward. Some have suggested that AI and Blockchain technology will eventually provide a solution. But as of now the scaling issues that affect blockchains mean that they are a rather poor solution to securing large IoT networks.
As of today, most IoT manufacturers rely on tried and trusted security solutions. This predominantly means that they use SSL certificates. However, just because this technology has been around for a while, it does not mean that it is any less secure than more exotic solutions to IoT security. In fact, SSL certificates provided by a trusted SSL provider afford the highest level of security currently available.
Ways of using SSL
SSL certificates are a well-used option for ensuring the security, identity, and integrity of websites. But you can also use them to increase the security of IoT devices.
There are different types of SSL certificates, but all function in a similar way. The SSL protocol uses asymmetric encryption to secure data shared between two devices on the same network. In the most common application, a website will send an SSL certificate to a user’s browser. This certificate will have been signed by a trusted provider.
The mathematics of the protocol mean that these SSL certificates are essentially impossible to falsify given a large enough key size. This means that users can be assured that the site they are connecting to is legitimate.
But there are more ways to use SSL certificates than just this. Large companies commonly employ them to authenticate clients or grant particular employees secure access to databases or documents. They are also a common security solution for email.
SSL and the IoT
We can use this same technology to validate the identity of devices connected to IoT networks. This improves the security of IoT devices in three key ways:
- An IoT device can be given a publicly-trusted SSL certificate. This allows users to connect to it (via their smartphone or other device) just as they would to a secure website. Because this SSL certificate is also publicly trusted, a user will not have to click through a security warning, or to add an exception on their device for a self-signed certificate.
- Conversely, an IoT device can request a client certificate from a user’s device in order to perform particular tasks. For instance, this is commonly used in ‘smart locks’. These need an SSL certificate from a user’s phone in order to unlock a door.
- Finally, whichever form of SSL validation is used, after these certificates are exchanged, the connection between an IoT device and another device is encrypted. This prevents third parties from intercepting passwords and other critical information during a cyberattack.
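The smart-lock case above can be sketched with Python's standard `ssl` module. This is an added example, not code from the original article: the function names, the allow-list, and the certificate name `alice-phone` are assumptions made for illustration, and the certificate file paths are left to the caller.

```python
import ssl

def device_server_context(certfile=None, keyfile=None, client_ca=None):
    """TLS context for the IoT device, which acts as the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Demand a client certificate: the handshake fails if the phone sends none.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:    # the device's own certificate and private key
        ctx.load_cert_chain(certfile, keyfile)
    if client_ca:   # the CA that issues certificates to users' phones
        ctx.load_verify_locations(cafile=client_ca)
    return ctx

def phone_client_context(certfile=None, keyfile=None):
    """TLS context for the user's phone, which acts as the client."""
    # PROTOCOL_TLS_CLIENT verifies the device's chain and hostname by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()   # publicly trusted roots, as for a website
    if certfile:    # the phone's client certificate, presented to the lock
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def common_name(peer_cert):
    """Extract commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def may_unlock(peer_cert, allowed_names, now):
    """A valid chain proves identity; the lock still decides who may open it."""
    if not peer_cert:
        return False
    # The handshake checks validity too; re-check for long-lived connections.
    if now >= ssl.cert_time_to_seconds(peer_cert["notAfter"]):
        return False
    return common_name(peer_cert) in allowed_names

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "alice-phone"),),),
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}
```

On the device, `may_unlock` would be called with `conn.getpeercert()` after the handshake completes, so a certificate that chains to the right CA but belongs to an unlisted phone is still refused.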
Why a VPN is not enough encryption
SSL certificates and virtual private network (VPN) technology both use the same encryption algorithms. So why can’t you just use one or the other? Why do you need both? For that answer, you need to understand that these technologies are suitable for completely different types of cybersecurity protection.
With VPN software in place, you can enjoy an encrypted internet connection that hides your browsing data from snoopers. A VPN also allows you to lounge undetected behind a distant IP address that provides no clues to your real geographic location. Most popular VPN services today will do this quite well.
The problem is that a VPN does nothing to provide assurance that a website you visit or to which you submit a credit card number is legitimate. It was not designed to do that, while an SSL certificate is.
The challenges of using SSL for IoT
Historically, there have been some challenges involved in using SSL to secure IoT networks. Primarily, these have rested on the assumption that SSL is too computationally expensive for small IoT devices to run. This might have been true a few years ago, and may still be true for legacy devices. But recent advances in SSL protocols, as well as the increased computational power of IoT devices, have largely made this concern obsolete.
For instance, a 2011 study of the energy consumed by mobile devices using SSL showed that, while SSL/TLS overhead is significant for very small transactions of less than 10KB, “with transactions larger than 500KB, the energy required to transmit the actual data clearly outranks the TLS energy overhead.”
There are also tools available that will reduce this footprint further. The open-source TLS Toolkit (formerly MatrixSSL) can be configured to a code footprint of only 66KB. And wolfSSL, a similar kit, promises a minimum footprint size of 20 – 100 KB.
A second challenge is the observation that SSL is not totally secure. This is also true, but is no reason for IoT manufacturers to ignore the technology. Combined with other layers of security, SSL currently offers the best level of protection available for IoT devices.
How to Secure IoT Devices with SSL
How you use SSL to secure IoT devices will depend on the type of user you are. Are you a device manufacturer, or simply someone who wants an extra bit of security for your home IoT network?
For device manufacturers, it is worth noting that SSL is likely to become the most common form of security protocol for IoT devices in the coming years. At the moment it is the only scalable security technology that can offer protection against contemporary cyberattacks. This means that engineers should design IoT devices with (modest) extra computational overheads, in order that aftermarket vendors may configure them to use SSL.
For users looking to improve the security of their IoT networks using SSL, be aware that you will need to do some coding. The first step, though, is to make sure that you simplify your life by finding a single SSL provider for all your certificates.
Ultimately, it is likely that all IoT devices will eventually require SSL, whether through government legislation or simply public pressure. But it doesn’t hurt to get ahead of the curve.
Guest post by industry specialist Samuel Bocetta.