No doubt many who read this article have heard the expression “You can’t get there from here…” It’s most often attributed to New Englanders – primarily residents of Maine – to describe a route to a destination that is so circuitous and complex that one needn’t bother embarking on the journey.
In the context of the business world, the expression takes on different meaning. It defines a situation where the leaders of a business can see what needs to be done, but can’t in any way define an easy, clear, financially-viable path to achieve what’s required. For example, in the late 1990’s when one of the largest, most successful companies serving the telecom sector – Northern Telecom (aka Nortel) – realized that the TCP/IP Protocol was viable for business networking applications, and that young upstarts like Cisco were aggressively staking their claim to this space, it was too late. Nortel’s entire business was based on selling clunky digital switches and networks, and it couldn’t abandon its core offerings and income streams to embrace the change that its executive team knew was needed. It tried, by acquiring Cisco competitor, Bay Networks, but reality quickly set in. The market finished the Nortel story by figuratively stating, “You can’t get there from here.”
I believe that expression captures the current state of IoT, and while it’s not exactly comforting, it’s nice to know that I’m not alone in my view. Renowned security expert and best-selling author, Bruce Schneier, appears to be on the same page.
Click Here to Kill EverybodyI just finished reading Mr. Schneier’s new book, Click Here to Kill Everybody, and I thoroughly enjoyed it. Though I suppose enjoyed it is not exactly accurate. It’s more like I enjoyed Bruce’s writing style which makes for easy reading, and I found myself fully aligned with his insightful views on the incredible risks that our world is facing due to the massive vulnerabilities inherent in the Internet. And worse, those vulnerabilities and the danger that they create are increasing at a staggering rate due to the widespread deployment of non-secure IoT devices.
And unfortunately, I also agree with Bruce’s conclusion that nothing is going to happen in the near term to fix our broken connected world. He writes, “As a society, we haven’t even agreed on any of the big ideas. We understand the symptoms of insecurity better than the actual problems, which makes it hard do discuss solutions. We can’t figure out what the policies should be, because we don’t know where we want to go. Even worse, we’re not having any of those big conversations…Internet+ security isn’t an issue that most policy makers are concerned about. It’s not debated in the media. It’s not a campaign issue in any country I can think of…”
Put another way, the Internet is so pervasive, so unmanageable and IoT deployment is so out of control, that rendering all of it secure today is….well…“You can’t get there from here.”
Mr. Schneier doesn’t only paint a picture of gloom and doom. He has some practical suggestions on how to solve our current dangerous dilemma, and he remains confident that in the long term the security problem will be solved. I agree, and while technological advancements, business leaders and governments will surely be involved in crafting this long-term solution, I believe that there are things we can do in the near term that can immediately close big IoT security holes for the greater good.
Start with the Things
It all starts with the things or devices. The State of California is the first US government to recognize this and to that end, recently passed a cybersecurity law that states that any manufacturer of a device that connects “directly or indirectly” to the Internet must equip it with “reasonable” security features designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to discover. The law comes into effect on January 1st, 2020, giving manufacturers plenty of time to comply.
And while this law appears to be a positive step, security blogger Robert Graham has slammed the bill as bad, stating it is “based on a superficial understanding of cybersecurity/hacking that will do little to improve security, while doing a lot to impose costs and harm innovation.”
If you read Mr. Graham’s entire blog (accessed via the above link), he makes some very good points. One that resonates with me is the complexity and vulnerability inherent in current approaches to authentication. Graham notes that “A typical IoT device has one system for creating accounts on the web management interface, a wholly separate authentication system for services…” He goes on to write, “That was the problem with devices infected by Mirai [author’s note: the IoT attack that almost brought down the Internet]. The description that these were hardcoded passwords is only a superficial understanding of the problem. The real problem was that there were different authentication systems in the web interface and in other services like Telnet.”
The authentication issue is also addressed in Click Here to Kill Anybody.Mr. Schneier concludes, “as bad as software vulnerabilities are, the most common way hackers break into networks is by abusing the authentication process. They steal passwords, set up man-in-the-middle attacks to piggyback on legitimate log-ins, or masquerade as authorized users.” His conclusion: “Authentication is getting harder and credential stealing is getting easier.”
A New World Approach to Authentication
I agree with Bruce Schneier. Authentication – the process of identifying a person or device – is getting harder. And given that the IoT world continues to rely on broken vulnerable protocols and technologies, it’s no wonder. What’s needed is an innovative, standards-based new approach to authentication that can completely eliminate the risks posed by stolen credentials.
Now, before you continue reading this article (and thanks for getting this far into it), I need to post a disclaimer.
In the many years that I have been writing IT Security related articles, I’ve made a conscious effort to avoid promoting my company, in favour of publishing articles that I hope bring attention to the serious IoT security issues our world faces, and to do so in an informative, perhaps entertaining manner.
However, from this point forward in this article, I’m deviating from my personal publishing policy, because I think what I’m about to write is important as it introduces a dramatically more effective, secure and economical way of handling IoT authentication (and key management).
So, if you’re not a fan of the “advertorial” writing style, I suggest you stop here and we’ll catch up the next time I post a neutrally-written article. But if you’re curious, and want to learn more about how our technology is being deployed by others to protect their IoT services, solutions and products, please keep reading.
VIBE is an acronym for Verifiable Identity-Based Encryption. VIBE is patented technology that improves upon the market-proven IBE standard in 15 different ways, most notably by adding authentication at the application layer, and eliminating the need to protect the public parameters. The VIBE key management and authentication schema can be easily embedded in others IoT products, services or solutions.
VIBE’s “coming out” party is at the NIST’s Feb 2019 Global City Teams Challenge event as part of a Government of Singapore initiative called Project GRACE. GRACE (Graceful Remediation with Authenticated Certificateless Encryption) implements a security architecture using an advanced form of pairing-based cryptography called Verifiable Identity-based Encryption (VIBE) to provide simple, scalable and secure key management for Cloud services, the IoT and the Critical Information Infrastructure (CII) which are otherwise vulnerable to existing and new cyber-physical attacks.
Project GRACE implements an alternative set of cipher suites, containing VIBE in TLS 1.2, and maintaining forward compatibility. This standards-based approach ensures a smooth transition to the new scheme with minimal updates to the existing ecosystem of web servers and web browsers. Most importantly, the security gaps in the TLS layer are filled in the process. TLS with VIBE embedded is certifiable to ISO 27001-2013.
TLS with VIBE accommodates deployments on a very large scale – the Internet scale – as it eliminates the complexity of using PKI-based SSL/TLS certificates in web servers/browsers, and does so economically.[
Once configured the Control Server can run offline from the Trust Centre (TC), and any device can be authorized to communicate with another without key management intervention.
When the system is setup, the TC can be taken offline, and easily and temporarily reinstated when there is a requirement to reconfigure existing devices and/or add new devices.
As our Asian and EU partners have discovered, VIBE-inside products, services and solutions solve the authentication issue permanently.
If you’re interested in learning more about VIBE, please send me a note and I’ll pass along a copy of our FAQ. Also, as the work required to embed VIBE in our Partner’s HSMs and Chips is near completion, we are welcoming dialogue with companies interested in participating in a IoT Pilot Projects.