IoT devices are often built on low-cost, low-power microcontrollers. Deployed in remote and potentially hostile environments, they become the weakest link in the end-to-end IoT security architecture. Fortifying these microcontroller-based devices means ensuring that each device can be identified and managed, that the data it sends is encrypted, and that the origin of that data is authenticated. Enterprises have solved similar problems for employee laptops and mobile devices by applying best practices built on the PKI security framework.

Extending those best practices to a large fleet of tiny devices raises several challenges in the IoT landscape.

To be uniquely identified and managed individually, every IoT device needs its own private key and device certificate (the device artefacts). If those artefacts are baked into the firmware, every IoT device ends up with an independent, unique software image, which makes flashing in a mass-manufacturing setup a very arduous task.

Our approach at vitalpointz is to issue the device artefacts at run time from the customer's cloud instance of VESP (vitalpointz Edge Service Platform) and to re-issue them every time the device power-cycles. That raises the real question: how is the device kept from downloading its artefacts from an unknown, possibly malicious source, or worse, through a man-in-the-middle proxy?

Each IoT device must be able to verify the authenticity of the server by validating the certificate the server presents. A keychain-like trust store in the IoT operating system, bundled with the CA certificates at build time, solves the problem of validating the cloud platform: a certificate that does not chain to a bundled CA, or that is not valid for the platform's hostname, is rejected before anything is downloaded. Once the platform is trusted, the device artefacts can be downloaded securely. The device agent then presents its own certificate while establishing the MQTT connection to the IoT platform to prove its identity, and the server does the same to the device. Note that the private keys themselves never encrypt MQTT messages: each side uses its private key only to authenticate the TLS handshake, and the session keys negotiated in that handshake encrypt the MQTT traffic. This mutual authentication is the second layer of security, and it further strengthens the security posture of the overall IoT architecture.

Our approach to the IoT Security Framework at vitalpointz –

Vitalpointz has two service offerings:

(a) IoT Platform called VESP (vitalpointz Edge Service Platform)

(b) Managed Services from vitalpointz called VMIST (vitalpointz Managed IoT Services Trust)

VESP is our cloud-native IoT platform, which can be instantiated in a public cloud such as DigitalOcean or in a private cloud. VMIST creates and configures the URL for the customer's instance of VESP, and a Let's Encrypt certificate is provisioned for every web service VESP exposes under it.

This ensures that all REST APIs hosted by VESP are protected by a certificate signed by the Let's Encrypt CA. Device identities are a different matter: a public CA such as Let's Encrypt exists to validate domain names, not to issue hundreds of thousands of per-device client identities, so VESP runs its own cert manager to provide an identity and certificate for each device. These certificates protect the device MQTT channel, and it is this internal CA, not the public one, that the platform trusts when it verifies a device.

The IoT device agent, VESPa (vitalpointz Edge Service Platform Agent), is factory-baked with the CA certificate. Using that CA certificate, the agent validates the authenticity of the platform, defeating man-in-the-middle attempts. Once the platform is authenticated, the artefacts are downloaded and used for all further MQTT communication. VESPa is available for Raspberry Pi, as a FreeRTOS variant and as an OpenWrt edition.
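As an added worked example (not VESPa or VESP code, and not taken from the page), here is the same trust flow in Go using only the standard library. The fixture it builds is constructed for the example: a `Platform Root CA` stands in for the public CA whose root the device ships with, a `VESP Device CA` for the platform's own cert manager, and an `Interception Proxy CA` for a man-in-the-middle holding a certificate for the same hostname. `verifyPlatform` is the check the agent runs against its pinned bundle before fetching anything; `mtlsExchange` then runs the device channel over a loopback TLS socket, with a one-line payload in place of MQTT framing, requiring a device certificate on the server side and the pinned root on the device side. The hostname `vesp.example.com`, the device name `device-0001` and the payload are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert mints a P-256 key pair and a certificate for it: self-signed when isCA is set,
// otherwise signed by parent. dns is given only to server leaves so the hostname check has a SAN.
func issueCert(cn string, isCA bool, eku x509.ExtKeyUsage, parent *tls.Certificate, dns ...string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	signer, signKey := tmpl, any(key) // self-signed unless a parent is supplied
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// fixture is the constructed trust material (all assumptions of this example): a platform CA whose
// root is "baked into the device", a device CA standing in for the platform's cert manager, one leaf
// from each, and a rogue leaf for the same hostname from an unknown CA, as an interception proxy presents.
type fixture struct {
	platformPool, devicePool *x509.CertPool
	server, rogue, device    tls.Certificate
}

func buildFixture() fixture {
	platformCA := issueCert("Platform Root CA", true, x509.ExtKeyUsageAny, nil)
	deviceCA := issueCert("VESP Device CA", true, x509.ExtKeyUsageAny, nil)
	mitmCA := issueCert("Interception Proxy CA", true, x509.ExtKeyUsageAny, nil)
	f := fixture{platformPool: x509.NewCertPool(), devicePool: x509.NewCertPool(),
		server: issueCert("vesp.example.com", false, x509.ExtKeyUsageServerAuth, &platformCA, "vesp.example.com"),
		rogue:  issueCert("vesp.example.com", false, x509.ExtKeyUsageServerAuth, &mitmCA, "vesp.example.com"),
		device: issueCert("device-0001", false, x509.ExtKeyUsageClientAuth, &deviceCA)}
	f.platformPool.AddCert(platformCA.Leaf)
	f.devicePool.AddCert(deviceCA.Leaf)
	return f
}

// verifyPlatform is the agent's pre-download check: the presented certificate must chain to
// the pinned bundle and be valid for the platform hostname, otherwise nothing is fetched.
func verifyPlatform(pinned *x509.CertPool, presented *x509.Certificate, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: pinned, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// mtlsExchange plays both ends of the device channel over a loopback TLS socket (a one-line
// payload stands in for MQTT framing): the server demands a client certificate from the device CA,
// the device trusts only its pinned bundle. It returns the server's acknowledgement or the error the device observes.
func mtlsExchange(f fixture, serverCert tls.Certificate, clientCerts []tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: f.devicePool, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			buf := make([]byte, 256)
			// The first Read runs the handshake; it fails if the device cert is missing or untrusted.
			if n, err := c.Read(buf); err == nil {
				cn := c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
				fmt.Fprintf(c, "ACK %s from %s", buf[:n], cn)
			}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: f.platformPool,
		ServerName: "vesp.example.com", Certificates: clientCerts, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err // rogue platform: "x509: certificate signed by unknown authority"
	}
	defer conn.Close()
	fmt.Fprint(conn, "PUBLISH sensors/temp 21.5")
	buf := make([]byte, 256)
	n, err := conn.Read(buf) // a rejected device sees the server's TLS alert here
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	f := buildFixture()
	fmt.Println("genuine platform:", verifyPlatform(f.platformPool, f.server.Leaf, "vesp.example.com"))
	fmt.Println("interception proxy:", verifyPlatform(f.platformPool, f.rogue.Leaf, "vesp.example.com"))
	fmt.Println(mtlsExchange(f, f.server, []tls.Certificate{f.device}))
	fmt.Println(mtlsExchange(f, f.server, nil))
}
```

`verifyPlatform` returns nil for the genuine certificate and an unknown-authority error for the proxy's; `mtlsExchange` returns `ACK PUBLISH sensors/temp 21.5 from device-0001` only when the device presents a certificate from the device CA and the server presents one that chains to the pinned root. Leave out the device certificate and the device sees the server's TLS alert on its first read; hand the server the rogue certificate and the dial fails before any artefact could be fetched. Two details carry over to a FreeRTOS or OpenWrt build: the device's trust store holds only the platform root rather than a general system bundle, and the hostname check is part of validation, since a certificate that chains correctly but names a different host is still the wrong peer.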

With this end-to-end security architecture, the keychain and chain-of-trust issues of IoT devices can be addressed at scale. You can try our platform now on the DigitalOcean Marketplace for free. For more information, contact info@vitalpointz.net.