IoT devices secured by removing static credentials
The Internet of Things (IoT) is not a separate internet, but instead means lanes of the internet over which simple devices share data. Examples of such devices include smart factory equipment, wireless inventory trackers, smart domestic appliances and biometric cybersecurity scanners. Connecting these devices to the internet created huge unforeseen security vulnerabilities, and IoT devices are notoriously vulnerable to hacking. In addition to a long list of vulnerabilities shared with web servers, these devices also suffer from poor device authentication, so that compromised units can be used to compromise other devices. The resulting networks of hijacked devices, known as zombie botnets, are commonly used for denial-of-service attacks. A second major weakness of IoT devices is that they are too computationally constrained to run security software that includes encryption. Until recently, such devices essentially had no protection at all.
Attacks cost society
Nearly half of all companies dealing with IoT devices have suffered major security breaches affecting revenue. Since such breaches now cause over EUR 5 trillion in annual losses, the IT industry has begun taking the problem seriously. Furthermore, the European Commission enacted the General Data Protection Regulation (GDPR), which, as of 2018, began imposing heavy fines on non-compliant companies. Nevertheless, achieving real security will require more than a financial deterrent alone. The EU-funded ELIoT Pro project developed a reliable solution by replacing a key IoT weakness, fixed passwords, with one-time passwords, used both in the protocol that authenticates IoT system administrators and in device-to-device authentication and encryption. These protocols are also designed to be very computationally lightweight, suitable for even simple IoT devices.
Goodbye to static credentials
“Passwords, and any other static credentials – such as biometrics, if not managed correctly – are well known and widely exploited vulnerabilities,” explains project coordinator Jack Wolosewicz. “Eighty per cent of all hacks involve exploiting these credentials.” To avoid this, the project team eliminated the need for such credentials, and the associated vulnerability, replacing them with one-time transaction tokens that expire within 200 ms. With no passwords, there is nothing for hackers to steal, which neutralises the risks of phishing and man-in-the-middle attacks. This alone eliminates 80 % of all threats to human-machine communications, such as those between a system administrator and IoT control panels. The project’s encryption protocol addresses the other 20 % of threats. The protocol provides strong encryption that nevertheless runs on very simple devices. This is achieved with a software solution that secures data transmission and device authentication for machine-to-machine communications. Another aspect of the ELIoT Pro system is self-repair, achieved through predictive artificial intelligence analytics. The system is thus able to detect anomalous activity, including cyberattacks, while also anticipating device or system failure. “ELIoT Pro’s concept makes it a universal solution for IoT networking,” adds Wolosewicz, “regardless of industry. Our system is being used in industrial IoT, smart buildings, smart homes and smart cities’ applications. There is no comparable all-inclusive solution like ours.” The project team has concluded agreements with major companies in each of these sectors. Next, researchers will be looking to secure more such agreements, while also building the project’s sales and marketing arms.
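The defensive idea in this section, a credential that is valid once and only for a 200 ms window, so that a captured value is worthless to a phisher or a man in the middle, can be illustrated with a generic scheme. The code below is an added example, not ELIoT Pro's protocol or code; it assumes a symmetric key provisioned to both sides out of band, HMAC-SHA256 as the MAC, a nonce-plus-timestamp token layout, and the 200 ms expiry stated in the text. The key, timestamps and token format are constructed for the demonstration.

```python
"""Illustrative short-lived, single-use transaction tokens.

Not the ELIoT Pro protocol: a generic HMAC-based scheme that shows why a
token that expires within 200 ms and may be presented only once gives an
attacker nothing reusable to steal.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

TOKEN_TTL_MS = 200          # validity window taken from the text
NONCE_LEN = 8               # random per-token value (assumed layout)
TS_LEN = 8                  # issue time, ms since epoch, big-endian
MAC_LEN = 32                # HMAC-SHA256 (assumed algorithm)
TOKEN_LEN = NONCE_LEN + TS_LEN + MAC_LEN


def _mac(key: bytes, nonce: bytes, ts_ms: int) -> bytes:
    # Bind nonce and issue time together under the provisioned shared key.
    return hmac.new(key, nonce + struct.pack(">Q", ts_ms), hashlib.sha256).digest()


def issue_token(key: bytes, now_ms: int) -> bytes:
    """Presenting side: mint a fresh token for this one transaction."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + struct.pack(">Q", now_ms) + _mac(key, nonce, now_ms)


class TokenVerifier:
    """Verifying side: accept each token once, and only within the TTL."""

    def __init__(self, key: bytes, ttl_ms: int = TOKEN_TTL_MS):
        self._key = key
        self._ttl_ms = ttl_ms
        # nonce -> time after which the token could not validate anyway
        self._seen: dict[bytes, int] = {}

    def _prune(self, now_ms: int) -> None:
        # Only nonces still inside their window can be replayed, so the
        # replay cache stays bounded by the TTL instead of growing forever.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now_ms}

    def verify(self, token: bytes, now_ms: int) -> tuple[bool, str]:
        if len(token) != TOKEN_LEN:
            return False, "malformed"
        nonce = token[:NONCE_LEN]
        ts_ms = struct.unpack(">Q", token[NONCE_LEN:NONCE_LEN + TS_LEN])[0]
        mac = token[NONCE_LEN + TS_LEN:]
        # 1. Authenticity first, with a constant-time comparison.
        if not hmac.compare_digest(mac, _mac(self._key, nonce, ts_ms)):
            return False, "bad mac"
        # 2. Freshness: reject tokens from the future or past the window.
        age = now_ms - ts_ms
        if age < 0 or age > self._ttl_ms:
            return False, "expired"
        # 3. Single use: the same token presented again is a replay.
        self._prune(now_ms)
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = ts_ms + self._ttl_ms
        return True, "ok"


def demo() -> dict[str, str]:
    """Exercise the cases a defender cares about with constructed inputs."""
    key = b"constructed-demo-key-not-for-production"
    verifier = TokenVerifier(key)
    t0 = 1_700_000_000_000  # constructed issue time in ms
    results: dict[str, str] = {}

    token = issue_token(key, t0)
    results["fresh"] = verifier.verify(token, t0 + 50)[1]      # inside the window
    results["replay"] = verifier.verify(token, t0 + 60)[1]     # captured and re-sent

    late = issue_token(key, t0)
    results["expired"] = verifier.verify(late, t0 + 201)[1]    # one ms too old

    tampered = bytearray(issue_token(key, t0))
    tampered[-1] ^= 0x01                                       # flip one MAC bit
    results["tampered"] = verifier.verify(bytes(tampered), t0 + 10)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

Two points the example makes concrete: the verifier must keep a replay cache, but the short TTL bounds its size, and both sides need clocks agreeing to well within 200 ms, which is itself a design constraint on constrained devices. Checking the MAC before the timestamp also means an unauthenticated party cannot probe the clock skew the verifier tolerates.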
Keywords
ELIoT Pro, IoT, encryption, passwords, static credentials, security, Internet of Things, one-time password, transaction token, artificial intelligence, self-healing.