How do you authenticate and connect billions of IoT devices?

Alex Momot, CEO and founder of REMME

“Everything is now a computer,” cybersecurity expert Bruce Schneier said at a congressional hearing in 2016, a reference to the propagation of computational capabilities and connectivity into the physical world.

“Everything else will get connected to the internet. If it uses power, it will go online,” said cybersecurity expert Mikko Hypponen during a keynote speech at the TNW Conference last year.

Thanks to the flourishing of the internet of things (IoT), there are already more connected devices than there are humans on our planet. And we’re only at the doorsteps of a digital revolution ushered in by big data, AI and seamless internet connectivity.

Putting aside the nonsensical uses, there are undeniable benefits to the internet of things. It can make life easier, smarter, greener and less expensive. However, every new connected device that enters homes, cars, offices and factories brings security challenges for the people and organizations that use it. If these challenges are not met, the IoT industry can end up doing more harm than good.

I had the chance to catch up with Alex Momot, Founder and CEO of REMME, a decentralized authentication platform created for a future where billions of devices will want to connect to the internet and interact with each other. Momot shared insights on the opportunities and challenges of IoT and which direction the industry should take.

Opportunities are met with challenges

“The synergy of connected devices is becoming increasingly apparent. Connectivity gives us greater opportunities for running/managing, controlling, and monitoring our hectic lives, thus providing convenience,” Momot says.

This is an opportunity that big companies such as Apple, Samsung and Xiaomi have already recognized and embraced, creating devices and development platforms and environments that make it possible to aggregate information and functionality across various connected devices, what Momot calls “integrated information environments.”

An example is HomeKit, Apple’s platform that lets users monitor and control the functionality of different home appliances through their iOS devices. More advanced use cases include home automation. For instance, with IFTTT (If This Then That), users and developers can connect different apps and devices together and allow them to trigger each other when specific conditions occur. The same kinds of synergies can be seen in other fields, such as medicine, agriculture, transportation and traffic control.

“There are no standalone spheres that have been left untouched by this trend; everywhere that devices can be combined, they are being combined,” Momot says. “From medicine to the extraction of mineral resources, single systems are being integrated and optimized to impart time- and labor-savings and to provide all-in-one control via a single but multifunctional device.”

However, Momot points out, the appearance of each new component in a system immediately brings new security challenges. For instance, even in the simplest use cases where two devices want to interconnect, developers must overcome several issues. “You’re going to have to address issues pertaining to two-step identification and authentication, setting a protected bi-directional connection bus, protected administration, management, and updating,” Momot says.

While traditional algorithms and authentication methods can still address many of these problems, they run into trouble when applied to large ecosystems of inter-device synergy and complete connectivity.

The challenges of authenticating many devices

One of the first problems that large ecosystems of devices face is authenticating and protecting the identities of all connected devices.

“When you’ve got 10 devices to manage, for instance, retaining the same login and password for them all, even when accompanied by unique 2FA codes, is evidently insecure. A lot of attacks are possible, and the IAM (identity and access management) process is inconvenient for the user. There needs to be a simpler solution that doesn’t compromise security in the process,” Momot says.

From a user experience perspective, signing in and authenticating too many devices and accounts is very burdensome. Users tend to forego known security best practices for the sake of convenience and a frictionless experience. For instance, users tend to disable two-factor authentication (2FA) because they find its additional steps annoying, especially when they have to repeat them over and over again for multiple accounts.

Some services use single sign-on (SSO), authentication systems that allow users to sign on to a single account (such as Facebook or Google) and use the same authentication token to access other services. But SSO is not without its own challenges.

“Thankfully, we’re seeing a lot of innovation now with IAM systems that are pioneering new methods for identification and authentication. This progress has been aided by the appearance of Single-Sign-On (SSO) services,” Momot says. “But let’s not forget that cybercrime is getting more commercialized. As a consequence, any element of an opened system that can be attacked will be attacked by malicious actors, including identification and authentication systems.”

The specific challenges of securing authentication on IoT ecosystems

One of the specific challenges of IoT is the hardware and software differences between IoT devices and general-purpose computing devices such as desktop and laptop computers and smartphones. IoT devices usually have less memory and processing power and can’t run the endpoint security software that has been created for computers.

“IoT is characterized by low electrical energy consumption that also necessitates the simplification of solutions,” says Momot. “Unfortunately, this budget-based approach to security means that additional resources must then be applied to bolster security and deter malicious actors.”

Many manufacturers of IoT devices ignore finding the right security solution for their products to reduce costs and keep their prices competitive. “The risks lie first of all in the fact that developers of IoT devices, aiming to cheapen and speed up production, often exclude secure elements,” Momot says. “It would be nice if we could call it the IoST, with the S standing for ‘secure’, but right now that element is sorely missing.”

This kind of practice reduces the general security of IoT devices and opens them to cyberattack and compromises by malicious actors. In October 2016, vulnerabilities in IoT devices led to one of the largest DDoS attacks in history.

Momot also points to another characteristic that makes IoT products different from other devices with computing resources and internet connectivity. “IoT implies autonomous and automated interaction between elements, often without monitoring and control,” he says.

Devices that users and operators rarely monitor are more likely to remain compromised without anyone noticing, especially when they number in the thousands and millions. As a user, you have a higher chance of finding out if your computer or smartphone has been compromised because you’re directly using them. In contrast, IoT devices are meant to be “installed and forgotten,” which means users seldom check performance logs or whether the device is functioning exactly as it is supposed to.

IoT device sessions also tend to be much longer than those of user-operated accounts, sometimes running for weeks and months without interruption. “Traditional authentication systems are complex and not ideally suited for use in IoT,” Momot says, adding that the reason is their focus on authenticating a subject rather than an object, compounded by their focus on a designated interaction (session) between subject and service.

“The IoT world is gradually coming round to the concept of general interaction (shared cooperation) and single information realm/field. The challenge with new IAM systems is balancing a simple and easy solution that can be implemented in any IoT device, whilst maintaining a sufficient security level,” Momot says.

The blockchain solution

Ironically, the solution to some of IoT’s most endemic problems might be found in a technology that was initially designed for something else. Blockchain, the distributed ledger that underlies digital currencies such as bitcoin and ethereum, is now finding its way into many other domains where decentralized structures can provide higher security and better access to pertinent information.

The general idea behind blockchain is to replace centralized servers with networks of independent computers that store information and authenticate access to data.

Blockchain has already proven to be a viable solution to many of the challenges the IoT industry faces. “For IoT problem-solving, there are two main benefits that blockchain can provide: distribution and authorization. Distribution facilitates the idea of shared cooperation very well,” Momot says. “Blockchain can solve the problems related to the rejection/inaccessibility/substitution of centralized authentication systems using processes such as multiple confirmation and random selection of verification nodes. This renders attacks on CA pointless and eliminates the possibility for substitution of certificates or a chain of certificates.”

One of the problems attributed to traditional authentication systems is that they rely on centralized authorities to register and verify the identities of all devices and entities that exist on a network. The problem is that if hackers compromise the authority, they’ll be able to impersonate different devices and persons and perform harmful activities. The impact of this kind of attack is multiplied on IoT networks, where devices often perform sensitive functions related to the physical world.

A decentralized authentication platform based on the blockchain will be much more resilient against cyberattacks such as DDoS attacks and data tampering because there will be no single point of failure for attackers to exploit. It will also allow devices to directly identify each other and communicate without the need to go through centralized servers. “Centralized systems add convenience, but they also present a single point of attack. It’s evident that blockchain will replace this model and become the de facto means by which IoT devices communicate. Enabling IoT sensors to communicate directly with one another, instead of via a central control point, is the future of connected devices,” Momot says.

However, not every blockchain fits the bill for IoT ecosystems. Blockchains generally require participating nodes to store a copy of the ledger locally and keep it in sync with other nodes as it changes. This is impossible for most IoT devices because of their storage constraints.

How REMME fits in the picture

REMME is an enterprise-grade access management platform that replaces passwords with digital certificates, Momot explains. Providing passwordless authentication to IoT devices is very important, because passwords can become the security bottleneck of a network, especially when you’re dealing with an immense number of devices that are working autonomously and tend to be forgotten.

REMME uses its own proprietary blockchain, REMChain. REMChain serves as a data store for the hashes of public key certificates of IoT devices and user accounts in an ecosystem. REMChain also stores and updates the status of each device. “If a certificate is valid or revoked, the information is stored in REMChain and validated each time during user/device authentication,” Momot explains.

The private keys are stored on the devices themselves. Since IoT devices are often installed in public locations, manufacturers need to make sure private keys are stored in components that are resilient against physical tampering. REMME is working with several vendors on developing solutions that enable secure storage of keys.
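To make the flow described in the two paragraphs above concrete, here is an added example in Go; it is not REMME’s code, and REMChain’s real data model and wire protocol are not detailed in the article. A map stands in for the ledger and stores only the SHA-256 hash of each device certificate with a valid/revoked status, the private key stays on the device side, and the verifier checks the status before verifying a signature over a fresh nonce; the Ed25519 key, self-signed certificate, nonce and status strings are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Registry stands in for the ledger: SHA-256 of the certificate DER -> "valid" or "revoked".
type Registry map[[32]byte]string

func (r Registry) Enroll(cert []byte) { r[sha256.Sum256(cert)] = "valid" }
func (r Registry) Revoke(cert []byte) { r[sha256.Sum256(cert)] = "revoked" }

// NewDevice makes an Ed25519 key plus a self-signed certificate (constructed for the demo).
// The private key stays with the caller; only the DER certificate is published.
func NewDevice(name string) (ed25519.PrivateKey, []byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return key, der, err
}

// Sign is the device side: answer the verifier's fresh nonce with the stored private key.
func Sign(key ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(key, nonce) }

// Authenticate is the verifier side: ledger status first, then proof of key possession.
func Authenticate(r Registry, cert, nonce, sig []byte) error {
	if s, ok := r[sha256.Sum256(cert)]; !ok || s != "valid" {
		return errors.New("certificate not registered or revoked")
	}
	parsed, err := x509.ParseCertificate(cert)
	if err != nil {
		return err
	}
	pub, ok := parsed.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("nonce signature invalid")
	}
	return nil
}
```

Because only the certificate hash is published, any tampering with the certificate changes its hash and the lookup fails before any signature is checked; a real verifier would also draw a random nonce per attempt so a captured signature cannot be replayed.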

Since most IoT devices can’t store a copy of REMChain, the network will rely on a number of special master nodes to support and maintain the ledger. “We plan to provide permissioned blockchain for enterprise customers and M2M infrastructures as well as public blockchain for wide use,” Momot tells me. There are advantages to both types of REMChains, which can scale the solution for different needs. Permissioned or private blockchains can enable enterprises to create closed-loop IoT ecosystems for their business while public blockchains can provide the basis for large open-ended ecosystems such as smart cities.
