As part of our ongoing efforts to improve the state of IoT and embedded devices security and in addition to our in-house research efforts, VDOO has been working closely with the information security community to assist in coordinating vulnerability disclosure to vendors. As such, VDOO acts as an intermediary 3rd party to help researchers communicate with the vendors as well as to help the vendors deal with the disclosed vulnerabilities in the most professional and secure way as possible in order to minimize risks to deployed devices and end users.
The development of an IoT device, many times referred to as an embedded system or a connected device, is a complicated task, involving many processes that are conducted by different entities. Usually, these processes are driven by several owners with different considerations, challenges, and constraints – engineers, architects, and product managers – each wants to deliver the best quality product in the fastest time to market. Once a security implementation is integrated with the other processes, things get even more complicated, and important questions need to be asked – how do we know what is the right security for the product? How do we test its security? How can we fix a security issue as fast as possible? How can we optimize the product security without slowing down the Continuous Integration (CI) process?
This article suggests a method of security integration into the IoT device development process and is designated mainly for technical professionals, yet, provides insights and benefits for those who read it from a business perspective.
In this article, part three of the IoT Security Foundations series, we examine issues related to certificate authentication and the complexities around its use in the Internet of Things.
Many security issues that plague the Internet of Things are directly caused by insecure password authentication. We have reviewed these issues and possible solutions in the previous article. Certificate authentication provides a stronger alternative, as unlike passwords, it does not rely on a short token memorized by a human operator; instead, it uses public key cryptography, with larger storage and processing requirements, more advanced protocols, and better security guarantees as a result. Certificate-based authentication is common in the Internet of Things: outside of regular client-server communication, it is used in such areas as firmware updates and local access. This article should be useful to IoT manufacturers and service providers looking for the right way to design their certificate management.