By Frank Crast, 11/20/2016


Security experts and Internet of Things (IoT) developers are keenly aware they often need to guard against credential theft. With so many different types of home and enterprise IoT devices connected to the internet, insecure IoT devices can often lead to lost identities, passwords, access tokens or even private keys. To help organizations prepare for such threats, we outline some key security recommendations for IoT authorization, authentication and access control. 


According to a recent report, more powerful IoT botnets based on Linux/IRCTelnet malware are being used for Distributed Denial of Service (DDoS) attacks. This malware and other similar strains are often used to discover open ports and weak or default vendor passwords, and to communicate with compromised Linux-based IoT devices. This comes after many other high-profile IoT DDoS attacks that took down Dyn and affected many web service providers. 

To help IoT developers secure their products and fight future DDoS attacks, the Cloud Security Alliance (CSA) IoT Working Group issued a report titled "Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products."

In this article, we highlight some key points from the CSA report, including guidelines on how to better secure authorization, authentication and access control for IoT products.
 

Authentication protocols

According to the CSA guidelines, many IoT protocols used for device-to-device communication offer good secure-communication options, including: 

  • OAuth 2.0 (token-based authentication)
  • MQTT with TLS
  • CoAP (multiple authentication options for device-to-device; pair with Datagram TLS (DTLS))
  • DDS (e.g., X.509 certificate (PKI) tokens)
  • XMPP (e.g., Simple Authentication and Security Layer, SASL, RFC 4422, which supports one-way anonymous and mutual authentication with encrypted passwords and certificates)

IoT devices can also communicate with cloud services securely via secure gateways that also support MQTT and REST communications. In addition, "device-to-cloud" communications often use API keys for specific services that need to interact with IoT devices. 
 

Certificates

Certificates can be used for authentication, but developers will need to ensure that the public key infrastructure (PKI) used to issue certificates is operated securely. The PKI issues certificates on receipt of a Certificate Signing Request (CSR). 

To aid in the certificate issuance process, organizations should also consider the Simple Certificate Enrollment Protocol (SCEP) and Enrollment over Secure Transport (EST) protocols. Devices are typically authenticated based on possession of a private key and trust in the PKI. 

Developers should also consider implementing two-way (mutual) certificate authentication with X.509 certificates, which adds a valuable layer of security for TLS communication and secure electronic messaging. The IoT device passes its certificate for validation by the cloud service, gateway or peer device it is communicating with. 

Other options to consider are Certificate-Less Authenticated Encryption (CLAE) and biometrics (such as fingerprint technology) used to provide authentication within the IoT ecosystem.
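The issuance-and-authentication flow described above (CSR in, leaf certificate out, then a gateway trusting the device only through the PKI and the device's key), as an added Go example that is not code from the CSA paper or from any vendor; the CA name, device name, serial numbers and 24h validity are constructed placeholders, and the rogue-CA case shows what the gateway must reject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Added example, not the CSA paper's code: a constructed in-memory PKI. A CA issues a device
// certificate from a CSR; a gateway then accepts the device only by chaining to the CA it trusts.
// EnrollDevice returns the CA certificate and the device certificate it issued.
func EnrollDevice(caCN, devCN string) (ca, dev *x509.Certificate, err error) {
	notBefore := time.Now().Add(-time.Minute) // tolerate small clock skew on the gateway
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays inside the PKI
	if err != nil { return nil, nil, err }
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caCN}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: notBefore, NotAfter: notBefore.Add(24 * time.Hour)}
	caDER, err := x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey) // self-signed root
	if err != nil { return nil, nil, err }
	if ca, err = x509.ParseCertificate(caDER); err != nil { return nil, nil, err }
	// Device side: a key that never leaves the device signs a CSR naming the device.
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: devCN}}, devKey)
	if err != nil { return nil, nil, err }
	// CA side: the CSR's self-signature proves the requester holds the private key; only then is
	// a leaf certificate, restricted to client authentication, signed for the CSR's subject and key.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, nil, err }
	if err = csr.CheckSignature(); err != nil { return nil, nil, err }
	devT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: notBefore,
		NotAfter: notBefore.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	devDER, err := x509.CreateCertificate(rand.Reader, devT, ca, csr.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	dev, err = x509.ParseCertificate(devDER)
	return ca, dev, err
}

// GatewayAuthenticate accepts a device only if its certificate chains to the trusted CA and
// carries the client-authentication usage; it returns the authenticated device name.
func GatewayAuthenticate(dev, trusted *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return dev.Subject.CommonName, nil
}
```

A real deployment would keep the CA key in an HSM and the device key in a secure element, and would run this exchange over SCEP or EST rather than in-process.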
 

OAuth 2.0

OAuth 2.0 relies on an authorization server that verifies the user or device identity, without the client having to handle passwords, and issues a token that grants access to the protected resource. For example, the Amazon Smart Home Skill API uses OAuth 2.0. Google moved to OAuth 2.0 back in 2012. 

Keep in mind that all tokens should be stored securely, such as in the iOS Keychain or the Android Keystore. 

See OWASP's Authentication Cheat Sheet and "OAuth: Where are we going?" for more details.


User Managed Access (UMA)

UMA is an OAuth-based access-management protocol, approved by the Kantara Initiative in 2015, that puts control of information in the hands of the user. 

According to the Kantara Working Group charter, the UMA standard helps "enable a resource owner to control the authorization of data sharing and other protected-resource access made between online services on the owner’s behalf or with the owner’s authorization by an autonomous requesting party."

There are numerous UMA implementations, including ForgeRock, Gluu, Jericho Systems and MITREid Connect, to name a few.

The CSA Working Group paper concludes with other recommended IoT controls, including key management, logging and security assessments. 

This concludes the five-part series on IoT security. You can also read more about IoT controls in our previous article "Improving Data Security with Secure Communications, Applications and APIs for IoT" (part 4). See also Secure Development and Integration (part 1), Framework and Platform IoT Security (part 2) and Hardware-based Security Controls for IoT (part 3).
 

Topic: Access Control, Authentication, Authorization