FIDO Alliance says IoT security is imperative, focuses on device to cloud authentication
In its ongoing fight to secure the IoT with FIDO passwordless authentication, the FIDO Alliance has established a dedicated IoT Technical Working Group to deliver an authentication framework for connected devices. Currently, there are no IoT security standards for device authentication, which leaves devices vulnerable as they are released in the wild with default password credentials and manual onboarding options.
The way IoT devices are built today and weaknesses in IoT infrastructures open the door to large-scale attacks. This makes security a critical, mandatory focus point, said Andrew Shikiar, Executive Director and CMO of FIDO Alliance, in a webinar this week about the organization’s progress and future plans. FIDO has brought together a number of companies, including competitors, to establish a common technical base for improving IoT authentication and deployment standards.
Dr. Rolf Lindemann, Vice President of Products at Nok Nok Labs, pointed out that a compromised device could very well turn not only into a national threat, but a global economic peril. Weak authentication in devices that were discoverable online fed the massive IoT botnet DDoS attack of 2016 (the Mirai botnet), which made large parts of the internet unreachable. Hardcoded usernames and passwords are not a secure method, he pointed out, and they leave many classes of devices vulnerable, including home security systems, cameras and routers. A compromised device in an industrial scenario could even lead to safety issues.
Regulators have identified shared default passwords as the main concern to be looked into, because users most often never change them. Even unique passwords are an attractive target for attackers, Dr. Lindemann said, because users now own multiple devices, which makes it impractical to remember dozens of unique passwords.
As a result, FIDO has identified four use cases – user to cloud authentication, user to device authentication, IoT devices or gateways that connect to cloud services to upload metadata, and IoT devices that communicate with other devices. When the Alliance first started out, it focused on the first use case, where users had to securely configure and manage their devices, and it now also supports the second. Device to cloud is more complex, as it may involve device onboarding and more friction, which is why the Alliance is now focused on device to cloud authentication.
There are several advantages to using FIDO, Dr. Lindemann explained, including protecting users from phishing and man-in-the-middle attacks, because FIDO credentials are bound to the origin they were registered with. An attacker who lures a user to a lookalike site therefore cannot use the FIDO credential to authenticate to the original website or device. This matters because small devices usually ship with low-cost firmware that contains vulnerabilities exploitable over the network. FIDO is also practical: with a single gesture the user gets two-factor authentication that is stronger than traditional SMS-based 2FA.
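To make the origin-binding point concrete, here is an added example (not FIDO Alliance or Nok Nok code) of the relying-party side of a FIDO2/WebAuthn assertion check reduced to the parts that make a credential unusable from a phishing origin: the rpIdHash at the start of authenticatorData must match the relying party's own ID, and the origin and challenge inside clientDataJSON must match what this relying party expects. The relying party ID `bank.example`, the origins, the challenge handling and the constructed assertions are all assumptions for illustration; the signature verification that a real relying party also performs is deliberately left out so the example runs on the standard library alone.

```python
"""Relying-party checks that enforce FIDO/WebAuthn origin binding.

Added example, not code from the page or from FIDO Alliance. It assumes
WebAuthn-shaped inputs: authenticatorData = SHA-256(rpId) || flags ||
signCount, and clientDataJSON with type/challenge/origin. Signature
verification over (authenticatorData || SHA-256(clientDataJSON)) is
omitted here (it needs a crypto library); everything else is real logic.
"""
import base64
import hashlib
import json
import os

RP_ID = "bank.example"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://bank.example"}  # assumed origins this RP accepts


def b64url(data: bytes) -> str:
    # WebAuthn encodes the challenge as unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    # authenticatorData begins with SHA-256 of the relying-party ID
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    # Constructed clientDataJSON. In a browser the origin field is filled
    # in by the browser from the calling page, not by the page's script,
    # which is what lets the relying party trust it.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    # rpIdHash (32 bytes) || flags (1 byte, bit 0 = user present) || signCount (4 bytes BE)
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(auth_data: bytes, client_data: bytes,
                     expected_challenge: bytes) -> tuple:
    """Return (ok, reason). Rejects assertions for another rpId, from a
    non-allowed origin, or for a challenge this session did not issue."""
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed" % cd.get("origin")
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    return True, "ok"


def demo() -> dict:
    """Run the check against constructed good and bad assertions."""
    challenge = os.urandom(32)                       # per-login challenge
    auth = make_authenticator_data(RP_ID)
    legit = make_client_data("https://bank.example", challenge)
    phish = make_client_data("https://bank-login.example", challenge)
    wrong_rp = make_authenticator_data("bank-login.example")  # lookalike rpId
    return {
        "legit": verify_assertion(auth, legit, challenge),
        "phish_origin": verify_assertion(auth, phish, challenge),
        "wrong_rp": verify_assertion(wrong_rp, legit, challenge),
        "replay": verify_assertion(auth, legit, os.urandom(32)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

In practice the browser already refuses to let a page at `bank-login.example` request an assertion for rpId `bank.example`, so a phishing site never even obtains a usable assertion; the relying-party checks above are the second line of defence, catching a relayed assertion whose `origin` or `rpIdHash` does not belong to this service. A password, by contrast, carries no such binding and works wherever the user types it.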
In a recent interview with Biometric Update, Dr. Lindemann shared details about the recently developed IoT SDK concept and how FIDO-based biometric technology can solve the problem of weak IoT authentication.
Qualcomm’s senior director for technology Giridhar Mandyam discussed a number of challenges in user authentication and pointed out that there is no silver-bullet solution for all onboarding and authentication scenarios across verticals. Industrial IoT, for example, needs third-party intervention, and there are many sources of friction, such as proving the value of the investment.
With IoT devices covering both low- and high-end product portfolios, manufacturers often release them with “immature security models.” And while much existing security has been designed with always-on internet connectivity in mind, many IoT devices have very limited connectivity, so manufacturers have to come up with a different security model. The Alliance’s goal is to implement the concept of zero-touch onboarding, although some minimal user intervention might still be necessary.
Many challenges arise from the different infrastructure approaches, Mandyam said, whether it is a private cloud or network, on-premises or hybrid. When a manufacturer deals with so many verticals, it ends up producing different products with different security models. In the case of many low-cost devices, “security takes the back seat as it’s harder to justify investments.”
There are currently no standards for automated onboarding as it is mostly done via manual passwords, and with some devices not even connected to the cloud, authentication takes place locally on a private network.
Several authentication issues have been reported in baby monitors and pacemakers that sent unencrypted messages or had their batteries drained. Worse, once an attacker has access to the local network, they can tamper with the remote cloud service. While some IoT devices communicate directly with the internet, others rely on a gateway to reach cloud service providers. Over a device’s lifetime it may pass through several such gateways or services, each with a different level of authorization security.
FIDO is trying to solve these problems, and one of the solutions it is looking into is standardized identity devices. FIDO has already successfully delivered authentication protocols, standards and technologies, and it is now looking into interoperability between IoT devices and service providers, authentication profiles and automated onboarding. FIDO has been able to deliver a single authenticator for multiple services, and some work has been carried out on a physical authenticator in the form of hardware tokens.
The working group has been able to establish more than 40 use cases which it has categorized based on deployment, binding and enablement. Deployment has been identified as most critical, because there is no user interface for configuration. Although most use cases fell under deployment, the group expects the numbers to increase in the other categories.
The next meeting of the working group is yet to be announced, however more experts are encouraged to reach out and get involved in boosting security and solving IoT authentication challenges.