Copper Horse’s Mobile Security Intern, April Baracho discusses challenges and methods of setting up secure and usable associations for IoT devices that have no visible user interface.
We are living in a world that is getting to be increasingly interconnected, an environment best described as the ‘Internet of Things’. Central to the existence and proliferation of the IoT is the automation of mundane tasks. This in turn depends on the ability of devices to communicate with each other with minimal human interaction. In order to achieve this, any device joining the network needs to be enrolled onto it. Enrolment of an IoT device is its initiation into the grid of interconnected devices. This is achieved by the secure exchange of credentials between the device and the network.
Connecting devices such as a laptop or a smartphone to a network is something most of us do on a regular basis. (often gullibly without batting an eyelid!) Provisioning IoT devices, on the other hand, is a whole other ball game. The main challenge is that most IoT devices are equipped with either a rudimentary user interface or in some cases no UI at all. While the secure bootstrapping of devices such as these is challenging, there are several ways in which this can be achieved.
A review of the big players in the IoT space demonstrates that most headless devices in the market today use a laptop or a palm-held device as an extended user interface allowing for effective monitoring and management of the IoT device. A thermostat with only a display could flash a string the first time it is powered on, allowing a user to key in that string into the application. Similarly, a device with a series of LEDs could blink a ‘key’ that could be entered into the smartphone app, linking the device and smartphone app together in a verified association.
Out of band provisioning methods such as NFC and Bluetooth are also common place. A headless device such as the FitBit fitness tracker uses Bluetooth Low Energy (BLE) to enrol with the smartphone application and thereafter the rest of the home Wi-Fi network. Updates to the WI-Fi Alliance certification program enables two Wi-Fi devices with NFC tags to connect to each other and the local Wi-Fi network by tapping them together.
Other methods used to connect headless IoT devices to a Wi-Fi network include the PIN method and Push-Button Connect (PBC) method for Wi-Fi Protected Setup (WPS) enabled devices and access points. An obvious setback of the PIN method in this scenario is that both the access point and the headless device do not have a keypad for the PIN to be entered. While the PBC method seems to be just a bit more effective in provisioning headless devices, it suffers from security issues such as a two minute window that allows any WPS enabled device to join the network once the button on the access point (hub) is pushed. Further security flaws in the WPS design such as a vulnerability of the PIN method to brute force attacks have since been found.
PKI for the Internet of Things
Enrolment of an IoT device, although a task in itself, only connects a device to the local network. It does not provide for the secure mutual verification of device identity. The setup of secure associations between devices is typically achieved by certificate exchange carried out via key agreement protocols. While it should be relatively straight-forward to use a PKI framework for certificate exchange, there are some issues relating to scalability and device capability when it comes to considering the use of PKI in the IoT space.