The news, earlier this year, that the US Federal Government has re-introduced an act that aims to increase IoT cybersecurity has drawn fresh attention to the issue.
As some analysts have noted, IoT device manufacturers have sometimes prioritized connectivity and functionality over security in their devices. This has been despite the increasing evidence that the IoT is a major target of cyberattacks.
This seems to be changing, however. The re-emergence of the Mirai botnet has stressed the importance of defending the IoT, as have recent concerns over how easily the Triton malware was able to infiltrate IoT devices.
There has been much speculation about how to secure the IoT going forward. Some have suggested that AI and Blockchain technology will eventually provide a solution, but as of now the scaling issues that affect blockchains mean that they are a poor solution to securing large IoT networks.
As of today, most IoT manufacturers rely on tried and trusted security solutions, and predominantly this means SSL certificates. Just because this technology has been around for a while, however, does not mean that it is any less secure than more exotic solutions to IoT security: in fact, SSL certs provided by a trusted SSL provider afford the highest level of security currently available.
SSL and the IoT
SSL certificates are widely used to ensure the security, identity, and integrity of websites, but they can also be used to increase the security of IoT devices.
There are different types of SSL certificate, but all function in a similar way. The SSL protocol uses asymmetric encryption to secure data shared between two devices on the same network. In the most common application, a website will send an SSL certificate to a user’s browser, and this certificate will have been signed by a trusted provider.
The mathematics of the protocol mean that these SSL certs are essentially impossible to falsify given a large enough key size, and this means that users can be assured that the site they are connecting to is legitimate.
SSL certificates can also be used in other ways. They are commonly employed by large companies to authenticate clients or give particular employees secure access to databases or documents. They are also made use of in secure email.
This same technology can be used to validate the identity of devices connected to IoT networks. This improves the security of IoT devices in three key ways:
- ✔ An IoT device can be given a publicly-trusted SSL certificate, which allows users to connect to it (via their smartphone or other device) just as they would a secure website. Because this SSL certificate is also publicly trusted, a user will not have to click through a security warning, or to add an exception on their device for a self-signed certificate.
- ✔ Conversely, an IoT device can request a client certificate from a user’s device in order to perform particular tasks. This is commonly used in ‘smart locks’, for instance, which need an SSL certificate from a user’s phone in order to unlock a door.
- ✔ Finally, whichever form of SSL validation is used, after these certificates are exchanged the connection between an IoT device and another device is encrypted. This prevents passwords and other critical information from being intercepted and read during a cyberattack.
Why a VPN is Not Enough Encryption
SSL certificates and virtual private network (VPN) technology both use the same encryption algorithms, so why can’t you just use one or the other? Why do you need both? For that answer, you need to understand that each technology is suited for completely different cybersecurity protection. Here are the differences:
With VPN software in place, you enjoy an encrypted internet connection that hides your browsing data from snoopers and allows you to lounge undetected behind a distant IP address that provides no clues to your real geographic location. Most popular VPN services today will do this quite well. The problem is that a VPN does nothing to provide assurance that a website you visit or to which you submit a credit card number is legitimate. It was not designed to do that but an SSL certificate is.
Historically, there have been some challenges involved in using SSL to secure IoT networks. Primarily, these have rested on the assumption that SSL is too computationally expensive for small IoT devices to run. This might have been true a few years ago, and may still be true for legacy devices, but recent advances in SSL protocols, and the increased computational power of IoT devices, has largely made this concern obsolete.
A 2011 study of the energy consumed by mobile devices using SSL, for instance, showed that while SSL/TLS overhead is significant for very small transactions of less than 10KB, “with transactions larger than 500KB, the energy required to transmit the actual data clearly outranks the TLS energy overhead.”
There are also tools available that will reduce this footprint further. The open-source TLS Toolkit (formerly MatrixSSL) can be configured to a code footprint of only 66KB, and wolfSSL, a similar kit, promises a minimum footprint size of 20 – 100 KB.
A second challenge has been the observation that SSL is not totally secure. This is also true, but is no reason for IoT manufacturers to ignore the technology. Combined with other layers of security, SSL currently offers the best level of protection available for IoT devices.
How to Secure IoT Devices with SSL
How you use SSL to secure IoT devices will depend on whether you are a device manufacturer, or simply someone who wants an extra bit of security your home IoT network.
For device manufacturers, it is worth noting that SSL is likely to become the most common form of security protocol for IoT devices in the coming years, because at the moment it is the only scalable security technology that can offer protection against contemporary cyberattacks. This means that IoT devices should be designed with (modest) extra computational overheads, in order that they may be configured to use SSL by aftermarket vendors.
For users looking to improve the security of their IoT networks using SSL, be aware that some coding is required. The first step, though, is to make sure that you simplify your life by finding a single SSL provider for all your certificates.
Ultimately, it is likely that all IoT devices will be required to use SSL, whether through government legislation or simply public pressure. But it doesn’t hurt to get ahead of the curve.