Special Report: Digital Identity and the IDoT

As the Internet of Things (IoT) becomes an increasingly integral part of our lives, we’re taking a look at some of the security risks posed by its adoption, and exploring the ways that Digital Identity and the Identity of Things (IDoT) can keep individuals and enterprises secure.
A New Age
The IoT will shape our personal and professional lives for the next decade and beyond. Our world is becoming increasingly connected, as smart sensors are integrated throughout every aspect of the manufacturing, retail and healthcare industries. Our homes are getting smarter, with IoT connectivity evolving from curiosities and prototypes towards expected features of everything from our TVs to our refrigerators. Beyond the walls of our homes, intelligent lighting systems, traffic-monitoring artificial intelligence (AI) and connected utility meters are making cities smarter and more digitally capable than ever before. Across enterprises and personal environments, the mobile device is becoming the universal remote that allows us to interact with our increasingly intelligent surroundings.
The global IoT market has grown dramatically in recent years, from $110bn in 2017 to $248bn last year. By 2025, IoT is expected to generate more than $1.5trn annually. Its applications are predicted to transform the ways in which we live and do business. More and more, incorporating IoT into their digital transformations is becoming a necessity for companies.
“When we talk about the IoT, it’s not just putting RFID tags on some dumb thing so we smart people know where that dumb thing is,” says MIT professor, the first ever TED Talk speaker and author of the book Being Digital, Nicholas Negroponte. “It’s about embedding intelligence so things become smarter and do more than they were proposed to do.” A future enabled by IoT transformations throughout our factories, homes and cities has the potential to be truly remarkable.
The Price of Progress
However, these advancements come at a price. “As our world becomes more connected, it also becomes more complex,” stated a recent report by leading Swedish telecom Ericsson. As the number of IoT devices currently in operation skyrockets, so does the risk to the people and enterprises that use them. Figures vary depending on who you ask but, according to Statista, there are an estimated 31bn IoT devices in the world right now - meaning there are just over four smart devices for every person on the planet. Every single one of those devices is a potential entry point for hackers.
Back in December of last year, a smart camera belonging to the LeMay family in Tennessee turned itself on and began speaking to the LeMays’ eight-year-old daughter. “I’m your best friend … I’m Santa Claus. You can do whatever you want right now. You can mess up your room. You can break your TV. You can do whatever you want,” said the voice, suspected not to have actually been jolly old Saint Nick after all. The local news outlet that broke the story revealed that a stranger remotely accessed the camera - which is somewhat ironically designed to help protect smart homes against intruders - and “found a way to manipulate it, turning the security device into a room of horror.” Around the same time, another Ring device was breached, allowing a stranger to demand that a Calabasas, California, woman called Tammy, “show me some [unprintable].” While Ring, which is owned by Amazon, has stated that the breach did not occur on their end, and that the breaches were due to the LeMays and Tammy neglecting to set up two-factor authentication on their devices, the events clearly show the alarming potential that smart devices have to compromise individuals’ privacy and security. These risks are in no way confined to individuals in a smart home.
According to Professor Ahmed Banafa, a leading expert on all things IoT, the widespread implementation of IoT presents serious difficulties for cybersecurity professionals everywhere.
“The concept of IoT introduces a wide range of new security risks and challenges to IoT devices, platforms and operating systems, communications, and even the systems to which they’re connected,” he noted in an interview last year. “New security technologies will be required to protect IoT devices and platforms from both information attacks and physical tampering, to encrypt their communications, and to address new challenges such as impersonating ‘things’ or denial-of-sleep attacks that drain batteries, to denial-of-service attack (DoS). But IoT security will be complicated by the fact that many ‘things’ use simple processors and operating systems that may not support sophisticated security approaches.”
IoT devices have already been proven to represent a critical vulnerability in many enterprise and personal networks. The ongoing COVID-19 pandemic is only exacerbating the issue, as an unprecedented number of people around the world switch to personal devices to access enterprise systems as part of remote working initiatives. More and more people are connecting personal IoT devices such as fitness monitors, smart watches and speakers to their enterprise networks, which then renders those networks vulnerable to attack. In the last year alone, 46% of organisations surveyed by cybersecurity firm Infoblox found devices connected to their network that the IT department was not aware of. These “shadow IoT devices” are easily one of the biggest risks to an effective cybersecurity strategy.
However, a developing trend in the cybersecurity space could be the key to counteracting these risks.
The Digital Identity Solution
In essence, digital identity refers to the information about an entity used by IT systems to represent an external “agent”, be that a person, organisation, application or device. According to Utah-based cybersecurity firm DigiCert, “In the IoT world, identity management must be able to identify devices, sensors, monitors, and manage their access to sensitive and non-sensitive data.” This practice of giving sensors and other connected devices their own digital identity is known as the Identity of Things (IDoT). This trend is still in its relative infancy, and there are three major hurdles that will need to be overcome in order for the IoT of the future to be as secure as cloud servers and physical buildings are today: how to ensure that digital identities are secure, and how to apply them to the enterprise at scale.
Trustworthy Certificates
Building functional solutions that create and manage the digital identities of IoT devices is an ongoing challenge for IT firms. By issuing forgery-proof certificates to all entities in a network (people as well as IoT sensors), companies can significantly improve their security measures, according to a report by NexusGroup.
Blockchain is one of the most promising technological developments to support these certificates, as it provides easily-traced and near-impenetrable levels of encryption. A report by cybersecurity firm Consensys posits that blockchain-powered identity management systems could overcome issues of inaccessibility, data insecurity and outside forces gaining network access using fraudulent identities. “The user’s digital identity landscape experience is exceptionally fragmented. Users juggle various identities associated with their usernames across different websites. There is no standardised way to use the data generated by one platform on another platform,” adds the report. “Due to the increasing sophistication of smartphones, advances in cryptography and the advent of blockchain technology, we have the tools to build new identity management systems; digital identity frameworks based upon the concept of decentralised identifiers.”
The effectiveness of secure certificates also lies in the fact that they only remain valid for a limited time period, after which they must be reviewed and recertified. The authorisations linked to the identities can be withdrawn if a certificate is not renewed or is compromised.
Scalable security
Large organisations may have tens of thousands of IoT devices from hundreds of manufacturers spread throughout their business. Frequently, IoT devices are created with only their primary function in mind, and according to Robert Muehlbauer, Senior Manager, Business Development Partner Ecosystems, at Axis Communications, “many products available today fail to incorporate even the most basic security measures.”
The process of creating unified security standards across huge, disparate device networks starts at installation - although it can still continue as IoT networks are continually patched, upgraded and altered going forward. The Certificate Enrollment for Billions of Things (otherwise known as CEBOT), a Swedish non-profit research organisation, claims to have at least solved the onboarding process. “When it comes to the internet, the state of the art for enabling trusted identities is using public key infrastructure, PKI. But a real challenge with PKI is the enrollment process,” said Shahid Raza, a Senior Researcher at CEBOT, in an interview with NexusGroup. This process involves an individual operating an IoT device requesting access from the certificate issuing authority. However, there’s a problem with this. “Many of the things that now are getting connected have no user interfaces,” adds Raza. “[Also,] when billions of connected things are to be enrolled, it has to be an automated process. There are already protocols for enrollment, but they are too heavy for really resource-constrained things. And the current enrollment protocols are also not fully automated.”
To solve this issue, CEBOT has developed what it describes as a super lightweight protocol for getting IoT devices to automatically request certification from the local authority using a secure code built into it by the manufacturer. “If you for example buy a lamp, the manufacturer has already placed a certificate in the lamp. And when you plug the lamp in for the first time, it automatically talks to the certificate authority via the new protocol and asks to get the certificate signed,” says Raza.
By automating the onboarding process, large companies and organisations can ensure that their IDoT protocols are unified and secure out of the gate.
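
The automated enrollment and limited-validity certificates described above, modelled as an added example (not CEBOT's protocol and not code from any of the reports quoted here): a device presents a manufacturer-installed credential, a local authority issues a short-lived certificate, and access is refused once that certificate expires, is revoked or is altered. The keys, the 90-day lifetime and all names are assumptions, and HMAC stands in for the asymmetric signatures a real PKI uses.

```python
import hashlib
import hmac
import json

# Constructed keys. HMAC is a stand-in: in a real PKI the local authority
# would hold only the manufacturer's public key, never a shared secret.
FACTORY_KEY = b"constructed-manufacturer-key"
CA_KEY = b"constructed-local-ca-key"
VALIDITY_SECONDS = 90 * 24 * 3600  # assumed certificate lifetime


def _sign(key, fields):
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _verify(key, signed):
    """Return the signed fields if the signature checks out, else None."""
    fields = {k: v for k, v in signed.items() if k != "sig"}
    given = str(signed.get("sig", "")).encode()
    return fields if hmac.compare_digest(given, _sign(key, fields).encode()) else None


def factory_credential(device_id):
    """What the manufacturer places in the device before it ships."""
    fields = {"device_id": device_id, "issuer": "factory"}
    return {**fields, "sig": _sign(FACTORY_KEY, fields)}


class LocalCA:
    def __init__(self):
        self.revoked = set()
        self._serial = 0

    def enroll(self, credential, now):
        """No user interaction: verify the factory credential, issue a cert."""
        fields = _verify(FACTORY_KEY, credential)
        if fields is None:
            return None  # unknown or forged device gets no certificate
        self._serial += 1
        cert = {"device_id": fields["device_id"], "serial": self._serial,
                "not_before": now, "not_after": now + VALIDITY_SECONDS}
        return {**cert, "sig": _sign(CA_KEY, cert)}

    def authorise(self, cert, now):
        """Return (allowed, reason) for a device presenting cert at time now."""
        fields = _verify(CA_KEY, cert)
        if fields is None:
            return False, "bad signature"
        if fields["serial"] in self.revoked:
            return False, "revoked"
        if not fields["not_before"] <= now <= fields["not_after"]:
            return False, "expired or not yet valid"
        return True, "ok"
```

A device whose certificate has lapsed has to enroll again to regain access, which is the recertification step the article describes.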