Technological armor evolves to keep IoT devices safe from attack
Rubicon Labs, others work to provide secure cryptographic keys
By Jaikumar Vijayan, ThirdCertainty
Tens of billions of physical objects, from toasters and thermostats to vehicles and buildings will become network enabled over the next few years and join the Internet of Things.
As that happens, there will be a growing requirement for technology to identify and authenticate devices connected to the IoT to enable secure communications between them. Just as today’s users authenticate themselves when accessing their bank accounts, and web browsers authenticate websites to make sure they are safe, IoT devices will need a way to identify one another in a trusted manner.
Among the handful of companies trying to address the problem early is Rubicon Labs, a San Francisco-based startup that offers technology for securely providing cryptographic identities to IoT devices and then protecting those identities against compromise.
The technology gives manufacturers a way to attach the rough equivalent of a Hardware Security Module on individual IoT sensors and devices. It enables IoT device identification and authentication at a substantially lower cost and in a more scalable manner than approaches based on digital certificates and Secure Sockets Layer/Transport Layer Security, according to Rod Schultz, Rubicon’s vice president of products.
A couple of factors make Rubicon’s method different. The company requires very little real estate on an IoT device or sensor in order to attach a digital identity to it. Rubicon also uses so-called Zero Knowledge Key architecture to protect the cryptographic keys that are used to authenticate identity while in transit, at rest and while they actually are being used, Schultz says.
Zero knowledge is good knowledge
Zero Knowledge Key technology is designed to ensure that IoT devices can digitally identify and authenticate themselves without disclosing the secret keys that give them their unique identities. The approach all but eliminates the potential for attackers to steal cryptographic keys and spoof devices and services.
One area where Rubicon’s technology is an obvious fit is in the electronic control units (ECUs) of modern cars, Schultz says. Connected cars can have dozens of ECUs controlling every aspect of the vehicle’s operation, including steering, braking, engine performance, entertainment, navigation systems and airbags. It is not uncommon for the ECUs to communicate with one another, with external cloud services, and with the vehicle’s main Controller Area Network (CAN) bus in a completely unencrypted and unauthenticated fashion, which leaves them open to compromise.
As an example, Schultz pointed to a sensational exploit last year where security researchers showed how they could take complete control of a moving Jeep Cherokee’s steering, transmission and other functions from 10 miles away.
For their demonstration, the security researchers first gained access to the vehicle’s entertainment system via a poorly protected port and then used that initial foothold to gain access to the vehicle’s CAN-bus and take control of virtually every function.
Because the vehicle’s CAN-bus communication was not authenticated or encrypted, the researchers were able to get it to act on malicious commands sent from an untrusted, unverified external source. In a properly secured environment, the CAN-bus should only have been communicating with known and properly authenticated devices in the car.
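To make the point concrete, here is an added example (not Rubicon’s technology and not code from the article) of the property the CAN bus lacked: a receiving ECU that only acts on frames carrying a valid message authentication tag and a fresh counter. It assumes a simple per-ECU shared HMAC key, which is a deliberately basic stand-in for the key architecture the article describes; the key and frame contents are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Classic CAN: 11-bit arbitration ID and at most 8 data bytes per frame, so the
# authentication tag has to share the payload with the data and a freshness counter.
MAC_LEN = 4   # truncated HMAC-SHA256 tag; 32 bits is a trade-off forced by the 8-byte frame
CTR_LEN = 2   # monotonically increasing counter, rejects simple replay
DATA_LEN = 8 - MAC_LEN - CTR_LEN  # 2 bytes left for the actual signal

def _tag(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    # Bind the tag to the arbitration ID too, so a valid frame cannot be
    # re-sent under a different (e.g. more privileged) ID.
    msg = struct.pack(">HH", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_frame(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """Sender side: data || counter || truncated MAC, exactly 8 bytes."""
    if len(data) != DATA_LEN:
        raise ValueError("payload must be %d bytes" % DATA_LEN)
    return data + struct.pack(">H", counter) + _tag(key, can_id, counter, data)

class Receiver:
    """Receiver side: acts on a frame only if the MAC verifies and the counter is fresh."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # per-ID high-water mark

    def accept(self, can_id: int, frame: bytes):
        if len(frame) != 8:
            return None
        data = frame[:DATA_LEN]
        counter, = struct.unpack(">H", frame[DATA_LEN:DATA_LEN + CTR_LEN])
        tag = frame[DATA_LEN + CTR_LEN:]
        # Constant-time comparison so tag bytes do not leak through timing.
        if not hmac.compare_digest(tag, _tag(self.key, can_id, counter, data)):
            return None  # unauthenticated frame: drop it
        if counter <= self.last_counter.get(can_id, -1):
            return None  # replayed or stale frame: drop it
        self.last_counter[can_id] = counter
        return data

def demo():
    key = b"\x01" * 16  # constructed demo key; a real ECU key comes from provisioning
    rx = Receiver(key)
    good = build_frame(key, 0x0A0, 1, b"\x12\x34")
    forged = b"\x12\x34" + struct.pack(">H", 2) + b"\x00\x00\x00\x00"  # sender has no key
    # genuine frame accepted, forged frame dropped, replay of the genuine frame dropped
    return (rx.accept(0x0A0, good), rx.accept(0x0A0, forged), rx.accept(0x0A0, good))
```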
Bracing for the worst
Issues like this are going to proliferate rapidly and with far worse consequences as more insecure devices and sensors get connected to the IoT in the next few years, especially in areas like health care and other critical infrastructure sectors.
Compelling IoT use cases are also expected to emerge for small and medium-size businesses over the next few years, according to the SMB Group. For example, IoT sensors for tracking crates and pallets could help reduce logistics costs. In-store, network-connected beacons could help small retailers deliver more targeted advertisements to customers, while those mounted on vehicles could help with fleet management.
Rubicon’s technology is designed to address the security issues such use raises by giving manufacturers a way to assign digital identities to IoT sensors and devices in a cost-effective and highly scalable manner, Schultz said.
Rubicon is positioning its technology as appropriate for connected cars, or any other computing device that needs to be certified authentic and needs a certified communications stack, said David Monahan, an analyst with Enterprise Management Associates.
“By embedding their tech into IoT devices, their keying proves that the device is authentic and can be trusted,” Monahan said. Rubicon’s technology can prove that both the device trying to communicate and the target device are authorized to send and receive communications from each other, he said.
While Rubicon’s technology is primarily aimed at the IoT for the moment, it can help address a number of broader business issues as well, Monahan said. “They would be great for automobile ECUs. They are also excellent for any embedded control device.”
Importantly, Rubicon’s technology also can be used as an embedded hardware security module (HSM) if they decided to go that route, Monahan said. HSMs are basically dedicated servers for provisioning, managing and protecting encryption keys.
Rubicon, which has attracted more than $12 million in venture funding so far, is among a handful of companies with specialized tools for creating and managing digital identities for IoT device authentication. Others include Certified Security Solutions (CSS), Device Authority and Infineon Technologies.