Jon Gabay, Contributing writer for Mouser Electronics
Safety, security, and privacy are becoming increasingly important as the number of internet-connected devices grow including phones, laptops, desktops, TVs, home interfaces, and medical devices. Apart from consumer devices, IoT enabled military equipment allows ships, planes, tanks, drones, soldier wearables, and bases to communicate with command-and-control centres.
Authentication is an essential part of the electronic communication process which is used to ensure that parties can be confident about who they are communicating with. This is important because intruders often attempt to masquerade as one of the parties in a two-way communication and this can lead to sensitive information becoming compromised with potentially grave consequences for individuals and property. While there now exists many different approaches to electronic authentication, hackers are continuously looking for ways to bypass them. Therefore, it is recommended that even users of consumer IoT devices have a basic understanding of authentication and how they can benefit from it being properly implemented.
What is Security?
Security was not a feature which received much attention during the design of the original internet architecture. Data travelling across TCP/IP networks(including password) can take multiple paths and can even arrive out of sequence before being reassembled, and anyone with access to a network can potentially see the data travelling across it.
The interconnection of global networks makes data vulnerable to unauthorised access from even more people.There are many ways for intruders to access network data and IoT devices are especially vulnerable because they often do not have any security and can be accessed wirelessly. A 2020 report by Palo Alto Networks’ IoT Security Threats Report found that 98% of IoT data is unencrypted because this reduces the cost of manufacture. This means that a technologically aware burglar could potentially take control of analarm system, security camera and a Wi-Fi router in the home. These are referred to as “Man in the Middle” attacks which are made possible by the fact that equipment manufacturers sometimes leave “back doors” into their devices, intended for use for law enforcement and intelligence services but are exploited by intruders.
Passwords are a useful first step to securing devices and these should be changed regularly, and login histories reviewed. Other types of attack are performed by intruders who compromise the data stream, including anonymous spamming, DDoS attacks, and malware.
Practical Authentication
Symmetric authentication(like Shared Secret Authentication) is a simple security technique which uses usernames and password to enable access to a system. This is often called ‘one-way’ authentication because it authenticates the user at one end of the network. Nowadays, usernames and passwords are often stored in many locations and on many different devices which are easily accessed, reducing the effectiveness for guaranteeing security. With two-way authentication the two communicating parties must be able to verify each other using techniques like temporary passwords issued or biometric fingerprints (but these are not suitable for machine authentication). Three-way authentication is more complex and time-consuming meaning users are less likely to use it. The more constraints required; the longer processes become for users. Public-key cryptographic authentication is far more secure than usernames and passwords in the face of attacks by intruders. Cryptographic keys are the standard authentication tools used in security protocols like SSH., which is symmetric, and shares confidential data via secure communications. The use of public keys is considered safe. Third-party authorities and organisations can issue their own digital key or certificate using an algorithm like RSA, whilst individual certificates are stored on trusted global servers. Adding security hardware to an IoT device can reduce processing requirements and the time it takes to validate credentials. The Trusted Platform Module (TPM) approach involves adding a chip or module to an IoT device to manage authentication. Alternatively, this approach can be implemented using firmware or software. Either way, the goal is to prove that a communicating party possesses a secure key that has not been tampered with -this can be verified using a checksum or CRC.
The Quantum Threat
Advances in quantum computing mean that intruders can use this technology to bypass encryption techniques much more quickly. The threat is so serious that the U.S. government is now investigating the security of blockchain, and threats posed to it by quantum computers. Real random numbers from a trusted random number generator are at the heart of cryptography. Generating a valid random number is difficult so pseudo-random number generators are often used. Knowing how many bits in the pseudo-random number reduces the amount of processing required to break a code. Sequential attacks and statistical algorithms also speed up attacks. Ironically, the use of quantum technology to provide securitymay also be a possibility with some universities now actively engaged in research in this area.
Everyday Security
It is recommended that the encryption method used by electronic devices be changed from time to time. Similarly, passwords should be changed on a semi-regular basis, and they should use a wide range of number, letter, and special character combinations on both local and cloud services. Wired and wireless routers should always be protected using login credentials. Security supervisors and facility managers should create and use secure boot via a reliable Root of Trust (RoT). Remote and distributed software updates can be conducted over a network meaning a secure device boot is an excellent way to securing the IoT devices in a domain. A secure root of trust can use a hardware module to perform firmware measurements, identify reporting and runtime state analysis among other tasks. A RoT can also help to protect and secure devices storing sensitive data and prevent unauthorized access. It can also help to establish a secure state in the event of a software failure if an initialization error occurs.
Designer of IoT devices should have an appreciation of interoperability options, which can differ for wired and wireless links. Wireless links require solid Transport Security and Successor Protocols (TSL/SSL), Internet Protocol Security (IPsec), and Private Preshared Keys (PPSK). In addition to IPS security, wired links also require a firewall. Device designers should also be aware of emerging threats and security tools. One such tool is Fully Homomorphic Encryption (FHE) which enables multiple additions and multiplications of cypher text while offering valid results. This means that data can operated on without the need to decrypt it and thereby reducing the chance of data being compromised.
The number of available security tools continues to increase but information can never be made 100% secure, especially if an intruder gains direct access to a data stream. While the chance of an attack on an individual is relatively low, the impact of compromising the security of larger organizations can have significant consequences for numerous people. As the IoT grows, keeping it secure becomes more difficult but even more critical. Device designers must be vigilant and continue to develop solutions to combat unwanted interference from hackers and intruders.
