Table of Contents
- IoT Security: Key Concepts, Measures and Protocols to Secure Devices
- Authentication, Authorization, and Encryption with Two Factor Authentication
- IPsec VPN
- Firewalls and Network Address Translation
- Layer 2 VPN
- Secure Domain Name
- Secure DNS
- Secure HTTP (HTTPS)
- Discovery and Security IoT Protocols
- Additional Risks, Challenges, and Protocols
IoT Security: Key Concepts, Measures and Protocols to Secure Devices
A key aspect of achieving IoT device security is employing measures to secure IoT devices, which we can enumerate as follows.
Encryption: The IoT devices send encoded data to the cloud. This step also makes it easier for the cloud to detect if the data received changed.
Authentication: If the data changes in the cloud, the cloud could validate the data received from the IoT device with the stored checksum.
Authorization: The cloud creates an access key for the IoT device, and the IoT device stores this key. If the device receives a command, the machine uses the key and syncs to the cloud.
Authentication, Authorization, and Encryption with Two Factor Authentication
The following process is applied to secure an IoT device with two-factor authentication. First, authentication takes place using an authentication protocol and a passkey.
The authentication uses a unique encryption key. The cloud then stores the unique encryption key along with the received data. If the device requests an update or a new command, the device performs further authentication.
The new authentication uses the unique encryption key to calculate a checksum and stores the new checksum and the received data.
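The flow described above, sketched as an added example that is not part of the original article: the cloud checks a passkey, issues a unique per-device key, and then verifies and stores a keyed checksum with each message. Assumptions: HMAC-SHA256 plays the role of the checksum, a message counter is added so replayed messages are rejected, and all names (Cloud, keyed_checksum, PASSKEYS) and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment passkeys known to the cloud (sample values).
PASSKEYS = {"sensor-01": "constructed-passkey"}


def keyed_checksum(key, device_id, counter, payload):
    """HMAC-SHA256 over length-prefixed device id, counter and payload."""
    dev = device_id.encode()
    msg = len(dev).to_bytes(2, "big") + dev + counter.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Cloud:
    def __init__(self):
        self.keys = {}      # device_id -> unique per-device key
        self.records = {}   # device_id -> list of (counter, payload, checksum)

    def enroll(self, device_id, passkey):
        """First step: check the passkey, then issue a unique key."""
        expected = PASSKEYS.get(device_id, "")
        if not expected or not hmac.compare_digest(passkey.encode(), expected.encode()):
            return None
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        self.records[device_id] = []
        return key

    def receive(self, device_id, counter, payload, checksum):
        """Further authentication: recompute the keyed checksum and compare."""
        key = self.keys.get(device_id)
        if key is None:
            return False                          # device never enrolled
        seen = self.records[device_id]
        if seen and counter <= seen[-1][0]:
            return False                          # replayed or stale message
        expected = keyed_checksum(key, device_id, counter, payload)
        if not hmac.compare_digest(expected, checksum):
            return False                          # payload or checksum altered
        seen.append((counter, payload, checksum))  # store checksum with the data
        return True
```

The comparison uses hmac.compare_digest so that verification time does not reveal how many leading bytes of a forged checksum were correct.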
IPsec VPN
IPsec VPN is a network security method that uses IPsec to secure communication between devices, data in transit, and communications between IoT devices. This method creates secure tunnels to protect data traffic.
For example, IoT devices that use IPsec VPN to communicate with the cloud securely can be considered IoT edge devices.
Firewalls and Network Address Translation
Firewalls ensure that incoming traffic cannot enter the network unless the incoming traffic passes through the firewall. Network address translation (NAT) is the process of translating IP addresses. NAT devices generally are used for mobile and IoT devices.
For example, if a home gateway has multiple devices using IP addresses from the same IP range, then NAT is used to secure and communicate with the IoT devices.
Layer 2 VPN
Layer 2 VPN is a networking security method that relies on the second layer of the OSI model to secure the communications between devices. Layer 2 VPN uses a tunneling protocol such as IPsec to ensure communication. Layer 2 VPN provides secure communication between IoT devices and between IoT edge devices and the cloud.
Secure Domain Name
A secure domain name is a domain name that registers using a security certificate obtained from a certificate authority.
It ensures that the domain name is authentic and unaltered, preventing man-in-the-middle attacks such as domain hijacking.
The domain name and the security certificate form the domain owner’s identity, meaning that a malicious attacker cannot hijack the domain.
An IP address is first sent to the DNS server to translate into a domain name. Then, the domain name is sent to the browser and displayed on the screen.
When a user enters the domain name, the browser redirects to the website. The browser authenticates when the URL of the domain is verified. Therefore, the domain name uses a security certificate.
A secure DNS allows the DNS server to verify the validity of the domain name of a website, which ensures that the website does not have to authenticate every time it is accessed.
It can be a security breach when there are multiple attackers, and they use different stolen certificates to access the same website.
Secure HTTP (HTTPS)
HTTP is an unencrypted protocol used for data communications over the Internet. All the data transmitted between two computers is unencrypted, which is why it is important to use HTTPS instead.
HTTPS is a secure protocol for data communications over the Internet, providing secure communication between two computers. The protocol offers two levels of security.
First, there is the transport layer security. Second, there is the encryption layer security. The first layer ensures that the data is secure while in transit, whereas the encryption layer ensures that the information is safe once it is received.
For the SSL (Secure Sockets Layer) protocol to be enabled on a device, the device must be using a web browser. It is a common mistake to send sensitive data through an HTTP protocol connection. The HTTP protocol does not provide transport layer security.
When a web browser uses HTTPS, it automatically encrypts all the data it sends through the protocol. The data that a web browser sends through HTTPS is known as Secure Sockets Layer (SSL)—this is an essential and integral part of secure web browsing.
Discovery and Security IoT Protocols
SAS (Security Association Specification): A Security Association specification for the Internet of Things. It is a protocol for securely authenticating entities and establishing and securing relationships between them.
Profile-based device identity (PBDI): In 2013, the OMA developed a new authentication protocol to manage device identities within the IoT.
This new authentication protocol, together with a profile-based device management architecture, is being developed by OMA working groups and partners.
Additional Risks, Challenges, and Protocols
On top of this, there are new risks and challenges the IoT security team has to deal with, such as the fact that no single vendor provides end-to-end security; there are hundreds of different vendors.
That means that if any of these individual security products turns out to be insecure, it is likely that no security vendor is the only responsible party for the attack because different security products cannot communicate or share information.
The IoT solution must be tested and checked. But, how can you know that the systems are going to work together?
The fact is that there are no security standards for IoT devices, so there is no common way of checking how all the different security software works with each other.
The same applies to IoT services, with there being no standards for what IoT services are doing or how the security services can work together.
The above issues mean that the IoT solution must also be easy to manage and flexible with easy-to-use interfaces and simple-to-use tools. IoT should provide security and privacy.
That’s why IoT solutions need to incorporate Identity Management, which is the ability to provide proof of identity and prove who you are, just in case something goes wrong and your IoT data gets leaked out. At the same time, it should provide the ability to keep your IoT data secure.
The IoT ecosystem relies on many services that have to be provided by various IoT service providers. Such services include connectivity, identity, data management, discovery, access control, authorization, authentication, and privacy.
The Device Management Architecture is a core service in the Internet of Things. It allows device manufacturers to control their devices and services from any location and any device via a REST API. It also provides device manufacturers a mechanism to provision their devices and applications through a standard protocol.
The CoAP protocol provides access control (AC) through two mechanisms: the authorization header and the access control policy. The access control policy defines permissions that an authorization header represents. The authorization header specifies an entity (e.g., a client or an application) to access a particular resource. The authorization header is part of the standard (HTTP) access control mechanism.
The OMA-DM (Open Mobile Alliance Device Management) protocol is a device management standard that allows service providers, device manufacturers, and others to deploy and manage devices in an open environment.
So, there are myriad options for IoT communications and protocols, which makes IoT security a complicated issue. Later in this series, we will explore the applicability of IoT security in finance and business. Stay tuned.