How to protect digital identity in an IoT world

Four scenarios on how to keep that data safe.

1 iot intro
Credit: Thinkstock
Identity protection

The IoT security battle is lost if you’re uncertain that the person or thing on the other end of an online transaction is actually who or what it claims to be. Most IoT attacks occur when malicious actors are able to replace an authentic sensor with a compromised device, or when unauthorized remote access is gained and transmits a false signal to a device. To prevent these kinds of attacks, digital identity must establish effective online trust for all connected devices and people in an IoT interconnected ecosystem. This kind of online trust is achieved by implementing a comprehensive approach to digital identity and access management.

ForgeRock’s Eve Maler sets the scene with these examples of IoT security issues and four key identity and access management (IAM) practices to ensure IoT ecosystem security and trustworthiness.

2 garage door
Credit: Kevin Zamani
Security issue: Garage doors can experience identity theft

Let’s say you’re in the business of making garage door openers, and you’re making them “smart” by adding camera sensors and giving them network connectivity. If you haven’t safeguarded your digital identity, it may be all too easy for your customers to find that someone has taken control of this home security device and opened the garage door.

You need to ensure that not only the devices themselves, but their identity ecosystem is strengthened. Homeowners need to operate their garage doors with a sense of security and safety so that bad guys aren’t waltzing into customers’ living rooms. What’s the first thing you need to do?

3 iot sensor
Solution: Give IoT sensors and devices their own digital identities

The first step in applying IAM practices is to distinguish all the sensors, and all the devices, from each other giving each one a digital identity. You do this by converting select bits of information about each one into a digital record.

An identity record for a smart, connected thing will have different attributes compared to the profile for a person, of course. They’ll include model and manufacturer information, for example.

It’s estimated that the world population will grow to just shy of 8 billion by 2020. But we’re looking at a multiple of at least three when it comes to smart devices. Managing 21 billion-plus device identities?

4 earthquake japan
Credit: REUTERS/Kyodo
Security issue 2: Smart city earthquake sensors are an attack surface

There were recently serious earthquakes in Japan and Ecuador. Earthquake sensors are meant to send messages to shut down utilities in an affected area, preventing further destruction and potentially saving lives.

Unfortunately, smart cities present the ideal target for hackers to create bot-net style networks of compromised devices, and use them to disrupt critical public services. If a bad actor replaces an authentic sensor with a rogue device, any data from that device would not be trustworthy. But to know that the data’s bad, you’d have to be able to detect that the device itself has become a “bad actor”.

The risk isn’t just theoretical; traffic lights and the smart grid are vulnerable too.

5 credential
Credit: Dennis Wong
Solution: Everything with an identity needs a credential

The second step in applying IAM practices involves associating the IoT device’s identity record with a token or credential. The credential considered the best for sensors and devices is a PKI certificate. They are provisioned at the sensor level and usually at the device level right at the factory.

Too often, passwords are still part of the IoT security landscape, serving as the credentials for Wi-Fi routers and other components that protect important smart devices. Default passwords for hardware continue to be the bane of any security architecture.

6 nissan leaf
Credit: REUTERS/Noah Berger
Security issue 3: Someone left the virtual car doors completely unlocked

It was child’s play for researchers at a workshop in Australia to access and control a Nissan LEAF in the UK. They discovered they could make anonymous requests at the car’s application programming interface (API).

Essentially, all features exposed through the API were unprotected on purpose. In this case, the designers left remote car starting and other dangerous features out of range of API access.

7 credentials
Credit: A.Davey
Solution: Use credentials to prove identity

The third step in applying IAM practices is to present a credential during a transaction to prove identity successfully. This process is called authenticating the identity.

In the Nissan LEAF case, the car itself might possibly have been adequately identified and credentialed. In this case, however, the car didn’t require the calling application to be authenticated. Even apps need digital identities, credentials and authentication!

8 health data
Credit: REUTERS/Brian Losness
Security issue: Health data isn’t just electronic anymore; it can be device-driven

Today, electronic health records (EHR) are seeing a considerable number of breaches. Interestingly, compared to the hacks that make the headlines, the actual top security issue is inappropriate access by those on the inside.

Now add to this the fact that medical technology is being revolutionized by the IoT. Smart clinical devices are able to generate and analyze patient data at lower cost, meaning high data volumes, more data sources -- and more tempting data targets for bad actors.

9 authenticated
Solution: Once you’ve authenticated all the players, check whether they’re allowed to interact

The last step in applying IAM practices is to ensure that known entities are authorized entities. To authorize someone or something asking for access, combine successful authentication with additional pieces of information required to approve the transaction. Approval constitutes matching the information against a policy or checklist.

Failing authorization amounts to being told, “I know who you are, but you can’t do that.” Whether it’s a doctor trying to get access to the EHR for a patient to which he’s not assigned, or a smartphone application trying to control a CPAP machine to which it shouldn’t be connected, or a medical assistant trying to access a smart medications cabinet when he’s not clocked in, limits are important to set.