Using PKI for IoT Security

Internet of Things devices have become widespread in the last decade. They are used both in smart home systems and in more important industrial systems. At the same time, mass deployment leads to security risks, the consequences of which increase with the increase in the number of deployed devices. Attackers can easily compromise unprotected devices and misuse them for nefarious purposes.

Therefore, securing IoT devices is a very important task. Thus, many devices contain truncated versions of operating systems of the Linux family, and if compromised, such systems can be used to perform various hacker tasks, from DDoS attacks and spamming, to use as elements of APT attacks.

IoT challenges

Each IoT device is uniquely identified by its embedded computing system, but is able to communicate within the existing IoT infrastructure. Securing these Internet-connected devices and platforms requires a deep understanding of the structure of the IoT information stack, its various elements, and the specific security requirements of these layers.

For example, an IoT application that collects data from multiple connected devices may have completely different security requirements than the device itself. Security must be considered and addressed within every part of a device's information architecture in the IoT.

Let's look at the list of major Internet of Things vulnerabilities prepared by the Web Application Security Project (OWASP).

As you can see, this demonstrates the critical importance of proper data protection, identity, and trust when developing IoT solutions. The list includes the following most important existing attack vectors for IoT and network devices:

  • Weak Guessable, or Hardcoded Passwords

  • Insecure Network Services

  • Insecure Ecosystem Interfaces

  • Lack of Secure Update Mechanism

  • Use of Insecure or Outdated Components

  • Insufficient Privacy Protection

  • Insecure Data Transfer and Storage

  • Lack of Device Management

  • Insecure Default Settings

  • Lack of Physical Hardening

Many of these vulnerabilities are related in one way or another to weak authentication. First of all, these are the weak/hardcoded passwords that top the list. And we'll talk about authentication next.

NSD in IoT

There are various ways to gain unauthorized access to IoT devices. So, you can, of course, try to find and exploit vulnerabilities in the firmware, but as a rule, it is easier to intercept authentication credentials in order to gain control of the device.

In general, a PIN or password is used to authenticate on a device. So, when connecting to a device via Bluetooth, we provide an authentication code. And for smarter devices running over Wi-Fi, a web interface or SSH can often be used for management using password authentication.

The obvious disadvantage of using passwords for authentication is the risk of them being compromised. So credentials can be stolen in various ways. Even if you store passwords in your head, they can be intercepted using a keylogger – a keylogger – directly as you type. A hashed password can be found using a dictionary search, and here the requirements for password complexity are constantly increasing. So, if previously a password length of eight characters and a subset of letters and numbers was sufficient, now many resources require a length of at least 12 characters and the use of letters in different cases, numbers and special characters. And at the same time, passwords are still checked for presence in lists of those that have leaked to the network.

Also, passwords or their hashes can be stolen while being transmitted over the network. The use of encryption here does not always provide protection, since an attacker can implement man-in-the-middle attacks, essentially standing in the middle between the sender and the recipient. We will talk more about these attacks a little later, when we move on to the main topic of the article. Making passwords more complex is, of course, a good security mechanism, but the user can always stick a piece of paper with a hard-to-remember password on the monitor.

Certificate Authentication

Using certificates for authentication can significantly enhance the security of network resources. Thus, when authenticating with X.509 certificates, a private key and a certificate in the pem file format are used. They are stored on the device or registry. For the private key, you specify the path to the pem file when sending messages or subscribing to receive messages. You add a certificate to a device or registry and specify the path to the pem file with the certificate when sending messages or subscribing to receive messages.

However, there is one problem. An attacker can come between the sender and recipient and offer both parties their certificate for authentication. As a result, both participants in the exchange will think that they are communicating with a legitimate recipient, when in fact all messages will be read by an attacker. That classic “man in the middle” attack.

Public key infrastructure (PKI) helps protect against such attacks. In general, Public Key Infrastructure is a set of tools, distributed services and components that are used to support cryptographic tasks based on private and public keys. Essentially, PKI components allow you to verify the authenticity of certificates of participants in information exchange. As a result, it becomes impossible to implement a MitM attack.

The components of a public key infrastructure are presented in the following figure.

Thus, as a widely accepted and established standard, PKI is the foundation needed to ensure secure communications between IoT devices and platforms.

A PKI infrastructure consists of the following main components: a certificate authority, a registration authority, a certificate store, and users. PKI also includes the following subsystems: creating and eliminating certificates, saving backup copies and regenerating keys, data encryption, and administering keys and certificates.

With a large number of IoT client devices, we can build a hierarchy of certification authorities in order to make the PKI infrastructure more stable.

However, PKI has its own set of challenges when it comes to IoT security. First, the number of devices that need to be authenticated and protected can be overwhelming. Additionally, many IoT devices are not powerful enough to run PKI on their own and must rely on infrastructure provided by manufacturers or service providers.

This can create a single point of failure—if a manufacturer's or service provider's systems are compromised, then all devices that rely on them are at risk. Additionally, updates and changes to PKI systems can be difficult to deploy to all affected devices in a timely manner.

Implementation of PKI in IoT

Implementing PKI in IoT can help improve the overall security of an IoT system, which in turn can make it more difficult for hackers to access data, and can also help ensure that only authenticated devices can communicate with each other.

To ensure proper implementation of PKI, a certificate management system is necessary, as manually managing the number of keys and their renewal dates can be challenging, especially when there are a large number of connected devices. Using a certificate management system to issue and revoke digital certificates simplifies IoT network management.

Conclusion

In this article, we reviewed the main points related to the security of the Internet of Things, as well as those related to the use of PKI infrastructure to ensure the security of IoT components.

In conclusion, I invite you to attend useful lessons that will be held as part of the PKI Public Key Infrastructure course:

  • Cryptography and asymmetric cryptography algorithms – March 13 at 20:00. Sign up for a lesson

  • Designing a public key infrastructure based on Microsoft solutions – March 20 at 20:00. Sign up for a lesson

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *