Everyone is working on their own ways to secure IoT
If there’s one thing that alarms even the hardened cybersecurity veterans at the Black Hat convention this year, it’s the huge attack surface represented by the burgeoning internet of things — and at least two researchers are presenting solutions designed to secure connected devices.
Mikko Hypponen, chief research officer for F-Secure was touting his company’s solution for consumer devices; and Brian Knopf, Neustar’s senior security researcher gave a presentation about an alternative to Public Key Infrastructure encryption that enterprises can use to secure their IoT devices.
“PKI is awful,” Knopf told CyberScoop, “It works OK for browsers … but it wasn’t designed for IoT devices … The problem is the scale.”
PKI is a form of asymmetric encryption, in which users have a private key and a public key. Anyone with the public key can encrypt a message, which can then only be unscrambled with the private key. PKI is the basis for most internet encryption.
But PKI relies on digital certificates — which prove ownership of a cryptographic key — and certificates sometimes expire or have to be revoked. That means the software on any device relying on those certificates has to be updated. “Someone has to do that, either the end user or the site manager,” Knopf said, noting that automatic updating would only work if the user enabled it.
Knopf recalled how, as a security chief for a large IoT device manufacturer, he’d been faced with the job of updating a half million devices in the homes of consumers after a certificate revocation or expiry.
“There was a point at which we would just send the users [who had failed to install updates] a new device,” he said, to avoid the security risks inherent in continuing to use an expired or revoked certificate.
“So I had the crazy idea to basically redesign PKI from scratch,” he told CyberScoop.
Trusted Device Identity, or TDI, is the result and will be open-sourced by Neustar later this year, Knopf said, adding that at that point it would become part of the Linux Foundation’s EdgeX project — a multi-vendor supported open-source effort to create a more secure IoT.
TDI is a co-signing server for encryption certificates and a tiny piece of software which sits on each connected IoT device. Unlike PKI, which requires a certificate for every server that needs to communicate with the devices, stored on each device, TDI only requires two certificates: One for the TDI server and one for the “fleet,” which is Neustar’s terms for the full compliment of assets — update or web content servers for instance — that need to communicate with with IoT devices.
“The minute one of those servers is compromised, you can revoke that server [via TDI] and the next request [to the devices] will fail. So instead of months of clean-up, you have minutes,” he said.
He said that, in the case of a more extensive breach, “You can spin up a totally new TDI environment when you need it.”
“The key is,” Knopf said, “We separated identification and authentication. The device doesn’t need to know which server it is communicating with, it only needs to know if [the server] is authorized … and that means you can replace all your servers and the very next request will go through, because they are validated [by TDI.]”
“TDI is not a silver bullet … It won’t stop every attack,” but it does make the IoT ecosystem of a large enterprise more resilient, Knopf said. “We started from the assumption that you will get breached,” he said.
Hypponen says F-Secure is tackling the problem from the other end — for the consumer.
Connected consumer devices, he says, are never going to be secure because the market incentives all point the wrong way. “For the manufacturers, what matters is the price,” he told CyberScoop, noting that, “When people buy a washing machine, they are not asking about its firewall, or whether it has an intrusion detection system. They want to know how much it will cost them.”
Given this, Hypponen believes that, for the time being, the best we can do is to empower consumers to manage their own security, which is what F-Secure’s Sense home IoT router aims to do.
“There is an app interface you can run from your smartphone … It will alert you if one of your devices needs updating or if it is behaving oddly,” he said.
The router segments potentially insecure IoT devices away from conventional computers — just as an enterprise might use a VLAN or subnet to segregate some especially vulnerable part of their network.
Sense aims to make every householder their own CISO, Hypponen said in an interview after his Black Hat presentation.