We are living in a Internet of Things (IoT) world where every device can be connected to the Internet. Everything from your refrigerator to your lights and cars can communicate. IoT’s glitter is often dimmed by legitimate security concerns. Just as the power of this new technology can make our lives easier and immensely more delightful, IoT put into the wrong hands could lead to very undesirable results.
Consider how car break-ins are done in the past and in the future. With a car that is not connected to the Internet, the car’s physical security is at risk and customers may bear the loss of a music system or personal valuables. With a connected car, we are talking about a systemic cybersecurity threat with results that could be as severe as a remote car hijacking with you still in the driver’s seat. This is one example of where a lack of security poses life-threatening dangers. As more and more devices around us are connected to the Internet, we become more susceptible to these types of threats.
Recent incidents involving connected cars, such as the Chrysler Jeep Cherokee hack, pose a threat to customer confidence in IoT technology. Chrysler had to physically recall 1.4 million vehicles. If it had happened to Tesla cars, the fix would be possible with a remote software patch overnight.
Securing the realm of IoT requires applying two basic principles of information security: strong authentication and secure communication. The current leading solution to apply these principles has existed for decades in the form of Public Key Infrastructure (PKI).
PKI is a foundation of trust that enables security by providing strong authentication and encryption services.
Take the connected car from above as an example. Communications between the car and its connected services needs to have strong authentication. The car system must not accept commands from a third party without properly ensuring the commands actually came from an authorized user of the car. One way to mitigate this risk is to perform mutual authentication where the car authenticates the service, and the service authenticates the car.
In addition to strong mutual authentication, devices need a secure channel to communicate with the service to ensure confidentiality and integrity of data. This can be implemented using high-strength encryption protocols between the device and connected services. Digital certificate and asymmetric encryption technology enables such strong encryption when devices and services are configured to leverage them appropriately. The common technology that enables strong authentication and secure communications leverages PKI.
When you use a computer to connect to an Internet service such as your email, you would normally input a username, password, and in some cases a token for authentication. Because most IoT devices have a small form factor, they do not possess interfaces such as a keyboard. This is where PKI becomes the solution. With PKI, a device can have a digital certificate installed and managed by a secure service that allows the device to mutually authenticate without further human interaction.
PKI has a number of use cases beyond IoTs, including mutual authentication for APIs, endpoint authentication, and secure remote access to production systems. We, at Zuora, have built a PKI for secure distribution of digital certificates to endpoints for secure authentication and communication with internal systems. We also go to great lengths to test our security. We proactively validate security of our systems with industry testing leaders like IOActive. This is the same security consultancy that discovered the Jeep Cherokee hack.
Although PKI has the potential to solve all of the above considerations, it brings about its own unique set of challenges. The Internet of Things is a constantly evolving and growing field. The potential volume of devices presents many scaling challenges never before encountered, from digital certificate provisioning to validation.
There is no longer any doubt that security must join physical safety at the top of every IoT company’s primary consideration. The Jeep Cherokee hack wasn’t just a wake-up call for the automobile industry–it was also a lesson for all companies with devices that connect to the Internet.