Now that the Internet of Things is clearly here to stay, it’s become an attractive target for cybercriminals. While the data stored on devices themselves may not be all that interesting to hackers (they probably don’t care that you took 8,745 steps today or that you need to pick up milk and eggs at the store), IoT devices can provide access to more valuable targets or be used as tools in a larger attack. For instance, in late 2016, internet service provider DYN was the victim of a DDoS attack that used wireless security cameras to send traffic to the company servers. The owners of the cameras had no idea that their devices had been infected with malware — and the DYN servers were not able to immediately distinguish the traffic coming from the cameras as ghost traffic — but the effect was the same: The servers were overwhelmed, and several major websites were knocked offline for several hours.
The attack on DYN is but one example of the potential for an IoT-related attack, but it highlights the need for improved security for connected devices. While there are a number of techniques for keeping devices safe from nefarious criminals, one of the most important pieces of the security puzzle is cryptoauthentication.
Cryptoauthentication: An Overview
Cryptography has long been a standard method of securing data during both storage and transmission. Essentially, cryptography means encrypting data by scrambling or encoding the data, rendering it unusable until it is decrypted or unscrambled. The entire process relies on keys, and the same key must be used to encrypt and decrypt the data. This way, even if an unauthorized party does manage to acquire the data, he or she cannot access it unless the key is present. No key, no data.
The problem, of course, is that should someone manage to access both the encrypted data and the keys, then the data can be exposed. It’s important, then, to protect the keys. Think of it like this: You wouldn’t lock your front door, and then intentionally leave the keys in the lock when you leave for work. You take the keys with you, and keep them safe all day. Cryptoauthentication is a similar concept, designed to keep the encryption keys safe against attack and out of the hands of hackers.
Cryptoauthentication is a form of hardware security that ensures that the keys being used to encrypt and decrypt data are the real keys associated with that cryptography. Not only does cryptoauthentication protect the keys by ensuring that they can only be accessed by authorized software, and that the requesting software or individual is what/who it claims to be, but it also generates new keys.
Why Hardware-Based Security
It is widely accepted that hardware-based storage is far more effective than software-based solutions, as it is simply more difficult to tamper with this type of security. But on a larger level, cryptoauthentication is widely becoming an important part of the growth of the IoT. In fact, many experts argue that the only way that the IoT is ever going to reach its full potential is if developers make security a priority. In fact, Dr. Vint Cerf, one of the principle figures in the development of the internet, has publicly mentioned that the IoT will require authentication if it’s ever going to be more than a “toy.”’
Hardware-based cryptoauthentication circuit devices are already widely available, and are on the whole easy to install and use in IoT devices. Microchip Technologies, for instance, offers a line of devices that are small, compatible with most MCUs, use very little power, and are easily customizable for more advanced security protocols. Most importantly, though, these devices keep the keys safe from attackers, who cannot access them.
The IoT is creating and sending billions of bytes of data every day. Keeping that data, and the devices that create it, safe is of paramount importance, not only because the consequences of an attack can be dire, but because without security, the entire industry is likely to collapse. If data can be stolen, corrupted, or otherwise tampered with, it’s of little to no use to anyone. Instead, by employing simple yet elegant solutions like cryptoauthentication, devices and their data are one step closer to being completely secure against hackers.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.