We are witnessing a major transformation of our civilization as our economy is steadily being digitized. This transformation is accelerated by Cloud platforms and a variety of connectivity options that enable IOT Devices to sense, feel, track and process the real world. The rise of the digital economy also provides an easy opportunity for lawbreakers to gain access to devices and sensitive data. It is therefore not surprising that the IOT Developer trend survey pointed out security as a key concern for IOT deployment. Insurance and auditing agencies that rely on device-generated data demand data integrity and non-repudiation as an important starting point. As IOT deployments proliferate, the 4 key security challenges are – Device Security, Insufficient End-User Authentication & Authorization, Transport Encryption/PKI. In this blog, I am primarily addressing the important topic of “IOT Device Security”.
IOT developers are often advised to use TLS (Transport Layer Security) based protocols to protect data in transit. This is necessary, but not sufficient.
Is TLS Sufficient?
No doubt, TLS provides great security – authentication, secrecy and message integrity – for the traffic generated by end devices. However, the weaker link could be the device itself. IOT Devices come in all shapes and sizes and are often deployed in non-trusted or hostile environments. Even when the device operating system uses a well-protected TLS-based messaging protocol, it is easy for a casual hacker to gain access to the device filesystem where the device private keys, passwords etc. are stored. The bus protocols most commonly used inside devices, such as I2C and SPI, are susceptible to sniffing, wiretapping and data injection. Low-powered, low-cost microcontroller-based devices are vulnerable too, as they often do not run TLS-based communication stacks, and their flash, EEPROM and SD cards are easily read by unauthorized third parties. These weaknesses could lead to device duplication and data modification at the source, which undermines the non-repudiation requirement.
What can we do about it?
One possible solution is to build ‘iron clad’ devices that make hardware-level hacking a bit more difficult. Custom-built devices, however, often increase the cost of the device. The ideal solution is to leverage the cost and availability of mass-produced IOT devices but provide an add-on module to ‘fortify’ the device.
At Vitalpointz, we are building a secure IOT platform delivered over the cloud, as a service. We understand that any amount of security at the cloud platform level is worthless unless the end device is likewise fortified. So we are also developing a hardware module and a software agent that address these problems and fortify any off-the-shelf IOT device.
The Vitalpointz hardware module provides a universally unique identity to the device; securely stores the private keys and passwords; protects the data by encrypting it in hardware; and guarantees non-repudiation. Our hardware module also watches over the device, identifies hardware-level device breaches and reports them to the cloud platform. This turns commercial-grade, mass-manufactured sensors and devices into enterprise-grade, secure IOT Devices.
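To make concrete what hardware-held keys buy you for data integrity and non-repudiation, here is an added illustration in Go; it is not Vitalpointz code and does not model their module's API. A hypothetical `SecureElement` type stands in for a key-storage chip: it generates an Ed25519 key internally, never exports the private half, and exposes only the public key and a signing operation, plus a monotonic counter. The cloud-side `Verifier` holds the public keys recorded at enrollment and rejects readings that were modified after signing, readings from a device it has never enrolled, and replayed or duplicated readings. The device id, reading and the enrollment flow are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Telemetry is the record the device reports. The whole JSON-encoded record
// is signed, so none of its fields can be altered after the fact.
type Telemetry struct {
	DeviceID  string  `json:"device_id"`
	Seq       uint64  `json:"seq"`
	Timestamp int64   `json:"ts"`
	Reading   float64 `json:"reading"`
}

// Envelope is what travels to the cloud: the signed bytes and the signature.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// SecureElement is a hypothetical stand-in for a hardware key-storage module
// (not any vendor's API). The private key is generated inside and never
// returned to the host; only Sign and PublicKey are exposed. The counter
// models a hardware monotonic counter used to detect replayed messages.
type SecureElement struct {
	deviceID string
	priv     ed25519.PrivateKey
	seq      uint64
}

func NewSecureElement(deviceID string) (*SecureElement, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureElement{deviceID: deviceID, priv: priv}, nil
}

// PublicKey is the only key material that leaves the module; the cloud
// records it when the device is enrolled.
func (se *SecureElement) PublicKey() ed25519.PublicKey {
	return se.priv.Public().(ed25519.PublicKey)
}

// SignTelemetry binds identity, counter and timestamp to the reading and
// signs the encoded bytes inside the module.
func (se *SecureElement) SignTelemetry(t Telemetry) (Envelope, error) {
	se.seq++
	t.DeviceID, t.Seq = se.deviceID, se.seq
	if t.Timestamp == 0 {
		t.Timestamp = time.Now().Unix()
	}
	payload, err := json.Marshal(t)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(se.priv, payload)}, nil
}

// Verifier is the cloud-side check: enrolled public keys per device and the
// last accepted counter value per device.
type Verifier struct {
	keys    map[string]ed25519.PublicKey
	lastSeq map[string]uint64
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, lastSeq: map[string]uint64{}}
}

func (v *Verifier) Enroll(deviceID string, pub ed25519.PublicKey) { v.keys[deviceID] = pub }

// Verify rejects unenrolled devices, payloads changed after signing, and
// replays or duplicates of an already accepted message.
func (v *Verifier) Verify(env Envelope) (Telemetry, error) {
	var t Telemetry
	if err := json.Unmarshal(env.Payload, &t); err != nil {
		return Telemetry{}, err
	}
	// The identity comes from the signed payload, so a message cannot be
	// relabelled as coming from a different, trusted device.
	pub, ok := v.keys[t.DeviceID]
	if !ok {
		return Telemetry{}, errors.New("unknown device: " + t.DeviceID)
	}
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Telemetry{}, errors.New("signature check failed: payload modified or wrong key")
	}
	if t.Seq <= v.lastSeq[t.DeviceID] {
		return Telemetry{}, fmt.Errorf("replayed or duplicated message: seq %d already seen", t.Seq)
	}
	v.lastSeq[t.DeviceID] = t.Seq
	return t, nil
}

func main() {
	se, _ := NewSecureElement("sensor-0001") // constructed sample device id
	cloud := NewVerifier()
	cloud.Enroll("sensor-0001", se.PublicKey())
	env, _ := se.SignTelemetry(Telemetry{Reading: 21.5})
	t, err := cloud.Verify(env)
	fmt.Println("first delivery:", t.Reading, err)
	_, err = cloud.Verify(env)
	fmt.Println("replayed copy:", err)
}
```

The point of the split is that a stolen copy of the filesystem, flash or SD card no longer yields anything that can produce a valid signature, so a duplicated device or a reading edited at the source shows up at the cloud as a rejected message rather than as trusted data; what the verifier cannot do is tell whether the reading itself was sensed correctly, which is why the page's module also has to watch for physical tampering with the device.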