Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Certificate Security for IoT Devices

Internet of Things (IoT) devices have been a rapidly growing industry trend that can provide invaluable and unique data to many organizations. While most devices are designed to maximize the efficiency of data distribution, they often leave security by the wayside.

Due to the lax nature of IoT security, they are often the targets of hacking attacks and can act as an avenue into the organization’s secure wireless network. Many organization’s poorly manage the IoT devices connected to their network. A Ponemon Institute study found 56% of risk professionals did not keep an inventory of IoT devices. Read here how a Global Fintech organization upgraded the security of all their network devices to protect against potential threats.

Utilizing certificates for IoT security is an excellent way to ensure your network is protected and all devices are accounted for and securely connected.

Why is IoT Vulnerable?

The potential uses for IoT are as boundless as manufacturers can imagine. Industries such as medical devices, automotive safety, building security, agriculture, and countless others have potential to be revolutionized by unique IoT device applications.

These devices already transmit unbelievably large amounts of data every year, with trends indicating that the amount will only continue to increase dramatically. But where there is swathes of valuable data, there are those that seek to steal and take advantage of it. NETSCOUT’s Threat Intelligence Report found that it takes 5 minutes for an IoT device to be attacked after it has been connected to the Internet. These devices are connected to the network, transmitting huge amounts of data and present a clear target for threat actors.

Since manufacturers have focused on efficiency instead of security, there is seldom encryption of the data being sent. The devices are built to transmit data, so it’s up to the owner to protect that process.

IoT devices must be secured to protect the network

Potential Consequences of Unsecured IoT Devices

Organizations that fail to recognize the risks of unsecured IoT devices expose themselves to a variety of potential attacks. One of the most common that should be expected is a malware attack on an unsecured device. Without the protections of a secure network, the devices have a greater chance of being accessed and distributed dangerous malware.

Another highly effective action is for an outside actor to remotely control IoT devices. Since the devices are not secured, it’s relatively easy to take control of that device and conscript it into a botnet. Threat actors will use these massive, remote botnets to distribute DDoS attacks or email spam and negate all usefulness of the device.

At the crux of the issue is the lack of reliability of the data IoT devices provide. If the device is unsecured, it can be accessed remotely or fall victim to an over-the-air attack. The primary function of many IoT devices is to send accurate data for use by the organization. If the device can be easily compromised, can the data be trusted?


Protect IoT Devices with Certificate Security

Cloud technology and mobile initiatives have driven an increase in PKI adoption over the last few years. With efficient certificate distribution solutions available, more organizations have enhanced their network security by deploying PKI services.

Uploading digital certificates to IoT devices is the best solution available because it is a lightweight solution that can be outfitted without compromising efficiency. Certificates require only a small amount of space on the device and provide strong authentication and data transmission protections.

An IoT device equipped with a certificate also can be outfitted with attributes for identity management. If your organization has many devices that change often, they can be easily identified and updated as needed. Certificates can be customized to have a long lifespan, so each individual device can be configured and not be a concern for IT.

In order for the solution to be effective, the organization must be equipped to handle a PKI solution. It must be scalable, customizable, and cost-effective.

Image result for digital certificate image"

Using EST, SCEP and Custom Protocols to Provision Certificates on IoT Devices

One of the key network security issues IoT devices face is a lack of standardized certificate enrollment protocol. With other personal computing devices, there are standard methods of certificate provisioning. For example, if you want to enroll an Apple iOS device for a certificate, you have to use a .mobileconfig file.

IoT devices are purpose built to perform unique tasks, from very low power/compute devices to off-the-shelf hardware/software, this makes it difficult to enroll them. However, the EST and SCEP protocols have shown a lot of promise with IoT devices. Managed Devices are able to auto-enroll by sending SCEP configuration profiles through an MDM.

Using this method, many IoT devices are able to enroll for certificates. The use of ECC (elliptic curve cryptography) certificates is less operationally intensive compared to traditional RSA and well suited to IoT devices. This is not to say ECC certificates are less secure, an 256 bit ECC key offers the same level of protection as an 3072 bit RSA key, well above the 2048 bit industry norm.

However, a barrier to using EST or SCEP to enroll is the software that comes with the IoT devices. Some IoT manufacturers come with software that act similar to an MDM, few of them have native EST or SCEP support. SecureW2 works with IoT manufacturers that don’t support EST or SCEP natively so that their software and devices can easily enable them in the software stack or custom deliver protocol options. Devices can then come either pre-loaded with certificates to customers, or customers can use SecureW2’s managed PKI to generate their own Private CA and enroll all their devices (IoT, BYOD, or Managed) for certificates.


Manually Provisioning Certificates on IoT Devices

With SecureW2, you can easily generate custom client certificates and install them on your IoT devices. You can use any Root or Intermediate CA using our Managed PKI to create a custom, one-off certificate and install it on your IoT devices. This is particularly convenient because you can use the CA that is used by other devices on the network, allowing your IoT to seamlessly connect to the network.

If your IoT device runs any of the popular Linux Distributions, we generate custom scripts that can be run so devices both enroll for certificates and install network settings to use certificate-based Wi-Fi. Here’s a guide we created on how to install a certificate on a Raspberry Pi.

As the uses for IoT devices continue to grow every year, the glaring issue of weak security will become more prevalent and pose a greater risk. Equipping the devices with certificate-based security offers protection that is highly secure from outside attacks and an efficient user experience. Navigate to our pricing page to see if SecureW2’s certificate solutions are a fit for your organization.

Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

Certificate Security for IoT Devices