Internet of Things: danger in connectivity (II)

New IoT devices are being added in industry and in the home. The big question that arises is: what level of security do they have, and are we exposed to hackers?

by Osvaldo Callegari*

Continuing with the development of the theme, the current conditions of the world in terms of health eclipse any industrial process, innovation or entrepreneurship. The fact that information is disseminated universally and instantaneously causes stress and worry to increase considerably. Hopefully the situation will improve and stabilize.

At their launch, IoT devices were designed to be open, easily accessible and with very weak protection. As they entered the market and the different industries, it became necessary to establish security regulations and protocols, since they went on to add new edges to the risks of each sector.


Keep devices safe
The big three cloud service players have already thought about protection solutions due to the universal demand for IoT applications and devices.
Amazon®, Alibaba® and Google Cloud®

From this perspective we will take a snapshot of each one, to observe and analyze what they are outlining with regard to this dilemma.

Amazon IoT Device Defender
• AWS IoT Device Defender is a fully managed service that helps you protect a fleet of IoT devices.
• It continuously audits your IoT configurations to ensure they do not deviate from security best practices.
A configuration is a set of technical controls that you define to protect your information when devices communicate with each other and with the cloud.
• It facilitates the maintenance and compliance of IoT configurations, such as ensuring device identity, device authentication and authorization, and encryption of device data. AWS IoT Device Defender continuously audits your devices' IoT configurations against a set of predefined security best practices.
• AWS IoT Device Defender® sends an alert if it finds deficiencies in your IoT configuration that could create security risks, such as identity certificates shared by multiple devices or a device with a revoked identity certificate that attempts to connect to AWS IoT Core®.
• AWS IoT Device Defender also allows you to continuously monitor device security metrics to detect deviations from the values that you have defined as appropriate behavior for each device.
If it finds something that is not in order, AWS IoT Device Defender sends an alert so you can take action and fix the problem. For example, spikes in outbound traffic may indicate that a device is participating in a DDoS attack.
AWS IoT Greengrass and FreeRTOS integrate automatically with AWS IoT Device Defender to provide device security metrics for evaluation.
AWS IoT Device Defender can send alerts to the AWS IoT console, Amazon CloudWatch, and Amazon SNS.

The importance of security in IoT
To maintain the security of devices efficiently and effectively, it is necessary to use applications that manage them as a whole and, above all, that detect changes in them or unusual processes.

Challenges ahead
A security vulnerability is a weakness that can be exploited to compromise the integrity or availability of an IoT application. Such devices are vulnerable by nature.

IoT fleets consist of devices that have various functionalities, are long-lasting, and are geographically distributed.

These characteristics, along with the growing number of security weaknesses, raise questions about how to address the risks of IoT devices. Adding to the security risks, many devices have low compute, memory and storage capacity, which limits the opportunities to implement security in them. Even if you have implemented security best practices, new attack vectors are constantly emerging. To detect and mitigate vulnerabilities, organizations must systematically audit the configuration and health of their devices.


Google® IoT Cloud Security
Security is a critical concern when deploying and managing IoT devices.

Cloud IoT Core offers the following security features:
• Public/private key authentication per device using JSON Web Tokens (JWTs, RFC 7519).

• This limits the attack surface, because a compromised key would affect only a single device and not the entire fleet.

• Support for RSA or Elliptic Curve algorithms to verify signatures, with enforcement of key sizes.

• Support for rotating keys per device by allowing concurrent keys to be registered, and support for an expiration time per credential.

• TLS 1.2 connections, using root certificate authorities (required for MQTT).


• Access to the Cloud IoT Core API is controlled by Cloud Identity and Access Management (IAM) roles and permissions.

Credential provisioning
The following diagram summarizes the process for provisioning device credentials. The authenticated "provisioner", which is usually the user who configures the device, is assumed to have created a project and a registry, and to have permissions to create devices. The provisioner uses the Cloud IoT Core API, gcloud commands, or the Cloud Platform Console to create a logical device in the cloud.

Provisioning flow
- The public/private key pair is generated by the provisioner.
- The provisioner creates the device using the Cloud IoT Core API, gcloud commands, or the Cloud Platform Console, specifying the public key just created. This key will be used to verify the identity of the device.
- The Cloud IoT Core device manager stores the device resource and the public key.
- The device manager responds to the provisioner, indicating that the device was created.
- The private key is stored on the device for later use in authentication. A hardware Trusted Platform Module (TPM) can be used for this step.

Note that the order of the steps shown here is not prescriptive. For example, the key can be stored on the device before the device has been registered with Cloud IoT Core.

For information about creating keys, see Creating Key Pairs.

Authentication

Figure 3.

Authentication flow

• The device prepares a JSON Web Token (JWT), as described in Using JSON Web Tokens. The JWT is signed with the private key stored on the device during provisioning.

• When connecting to the MQTT bridge, the device presents the JWT as the password in the MQTT CONNECT message. The content of the username is ignored; however, some MQTT client libraries will not send the password unless a username is specified. For best results, set the username to an arbitrary value such as unused or ignored.

• The MQTT bridge verifies the JWT against the device's public key.

• The MQTT bridge accepts the connection.

• The connection is closed when the JWT expires (after taking into account the allowed clock drift).

Security standards
• Cloud IoT Core uses authentication based on digital signatures, for both RSA-signed and elliptic-curve-signed tokens.

• The RSA algorithm is commonly used and widely supported by client libraries. However, the keys and signatures it generates can be quite large (usually on the order of one or two kilobytes). In addition, RSA can consume a significant amount of resources (both in key length and in CPU), which can affect devices with limited resources.

• The elliptic curve algorithm is well supported but not as widely used as RSA. To use Elliptic Curve, you may need to install additional dependencies in your client library. However, the keys and signatures it generates are significantly smaller than those generated by RSA, which can be useful for devices with limited resources.

Strength of the keys
• A minimum of 112 bits of security is required by Cloud IoT Core, following NIST recommendations (Section 5.6.2, pages 55-56). This translates to a minimum key size of 2048 bits for RS256.

• ES256 has a fixed level of 128 bits of security (the key size is fixed).
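As an added illustration of the authentication flow and the key-strength notes above (example code written for this page, not Google's client library or bridge code), the following Go program builds an ES256 device token the way a device would and checks it the way the MQTT bridge would: signature against the registered public key first, then the validity window with an allowed clock skew, then the audience. The project id, token lifetime and skew value are assumed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JWT segments are unpadded base64url

// Device side: build an ES256 JWT carrying iat, exp and aud (the cloud project id),
// signed with the P-256 private key the device kept from provisioning.
func buildJWT(priv *ecdsa.PrivateKey, projectID string, iat time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iat": iat.Unix(), "exp": iat.Add(ttl).Unix(), "aud": projectID})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // JOSE ES256 signature is r||s, each left-padded to 32 bytes (not DER)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// Bridge side: the public key registered for this device is the only trust anchor.
func verifyJWT(pub *ecdsa.PublicKey, token, projectID string, now time.Time, skew time.Duration) error {
	parts := strings.Split(token, ".")
	sig, err := enc.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil || len(sig) != 64 { return fmt.Errorf("malformed token or signature") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("signature does not match the device public key")
	}
	var c struct{ Iat, Exp int64; Aud string }
	if payload, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return fmt.Errorf("unreadable claims")
	}
	if c.Aud != projectID { return fmt.Errorf("audience %q is not this project", c.Aud) }
	// The page's "allowed clock drift": exp and iat are both checked with a tolerance.
	if now.After(time.Unix(c.Exp, 0).Add(skew)) || now.Before(time.Unix(c.Iat, 0).Add(-skew)) {
		return fmt.Errorf("token outside its validity window even with %v skew allowed", skew)
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed device key for the demo
	tok, _ := buildJWT(priv, "example-project", time.Now(), time.Hour)
	fmt.Println("fresh:", verifyJWT(&priv.PublicKey, tok, "example-project", time.Now(), 10*time.Minute))
	fmt.Println("stale:", verifyJWT(&priv.PublicKey, tok, "example-project", time.Now().Add(2*time.Hour), 10*time.Minute))
}
```

A token signed by any other key, presented to the wrong project, or used beyond its lifetime plus the skew allowance is rejected, which is what makes a compromised key a single-device problem rather than a fleet-wide one.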

Alibaba Cloud IoT Platform
Alibaba gives a breakdown of the security services it can offer:

Security
It provides multiple security features to secure devices.

Device authentication
Provides a unique certificate to authenticate each device. This design reduces security risks.

Secure communication
Supports TLS transmission to protect data confidentiality and integrity.

Permission management
Permission management ensures secure communication between devices and the IoT platform.

Device Management
Provides comprehensive device management.

Lifecycle management
Allows you to register, delete, or deactivate a device.

Device Management
It allows you to dynamically get device information and sends notifications when the device settings have changed.

Device permissions
It allows you to manage device permissions to communicate with IoT Platforms.

Modelling
Performs digital modeling of devices to facilitate application integration.

Relationships between devices
It allows access to and management of sub-devices.

Supports management tags
Provides device tags to help handle a large number of devices.

Rules Engine
It allows you to integrate with other Alibaba Cloud business services and systems.

M2M
It allows you to configure custom rules to achieve M2M communication between devices.

Various additional services, such as data storage, database connections and third-party applications, are offered as its own services.

Conclusion
The question is which platform is ideal for your project. These large companies are trying to join forces to make the IoT industry grow and become secure. If a feature is missing in the short or the long run, it will become available. There are smaller companies that provide very effective services in terms of security controls on Internet of Things devices. Obviously, everything is a growing process. As always, the idea is for the reader to have an overview of the options available when facing these paradigms.

Note: The names and brands mentioned in the article are the names and brands of their respective companies. The information provided consists of a public part and a private part, used with authorization.

* To contact the author of this article write to [email protected]
