Revisiting IoT Week and the Need for 2FA in IoT
It's not always easy to determine when a certain technology or buzzword has really integrated into the mainstream. Unless, you know, the mayor of one of America's most notable cities actually creates an entire week for said technology/buzzword. This past week was actually "IoT Week Boston" and represented an important line in the sand for both industry enthusiasm about IoT and general recognition for this pervasive and quickly growing realm of technologies.
The Security of Things Forum
As part of this week of IoT recognition and discussion, Duo Security was a proud sponsor of the Security of Things Forum put together by our friend at the Security Ledger, Paul Roberts. I had the pleasure of participating on a panel entitled, "Democratized Data, IoT and Enterprise Risk" with fellow panelists from Cisco Systems, Pioneer Investments, and InStep Group.
During our panel, we touched on a wide assortment of topics, ranging from the struggle to standardize security requirements for IoT devices to getting a better grasp on scoping the term in the first place. Certainly, no 45-minute panel will ever solve big problems like the ones we discussed, but following the panel, many break-out discussions dove more deeply into the panel's topics. This sort of dialog between people passionate about IoT and members of organizations with a vested interest in it is exactly the point of events like this, and it was great to see and participate in.
The event included an epic-as-usual keynote by industry legend Dan Geer. Dan's talk included truly thought-provoking points about embedded devices and the necessity of making such devices ephemeral by design, so that they age out of use before a lack of updates renders them an unmanageable threat. It's this forward thinking that has made Dan's research and papers a continual source of inspiration for many of us as we approach the next hurdle of security realities.
Authentication's Role in IoT Security
While people’s own definitions of IoT vary wildly, the basic premise of a piece of Internet-connected, embedded hardware that leverages a complex set of technologies, protocols and backend services leaves a lot of potential for abuse. Similar to cloud computing’s need for strong authentication to secure the critical resources and data put online often by organizations of all sizes, IoT also needs a firm authentication strategy to prevent attackers from easily compromising such a wide range of devices.
Cloud computing generally suffers from a security-model problem: without a defined network perimeter, organizations that used to put a firewall, IDS, and encryption around everything in their data center can no longer control resources in the same manner in cloud deployments. Whether IaaS, PaaS, or SaaS, often the only security control still available to manipulate is the authentication mechanism of those resources.
The Internet of Things is, effectively, cloud computing with discrete pieces of hardware, often utilitarian in nature, also hanging outside of traditional security perimeters. Why, then, aren't we seeing two-factor authentication as a bigger part of IoT vendors' security strategy?
If we use Amazon Web Services as a "starting point" for the cloud computing that most of us have come to know and love, it's been nearly a decade since AWS started providing some of its core services. I'd contend that it's only been over the past 2-3 years that cloud computing organizations have really begun to offer authentication security that matches the risks posed to end users. Since IoT is certainly in a nascent stage of its growth (despite the number of devices already deployed), I fear that it may be another couple of years before we see IoT providers get serious about authentication security as well.
Imagine, for instance, having a push notification from Duo Mobile pop up the next time someone tries to log into your home's IP camera. I think this is a great example in which authentication security comes in to provide an extra level of assurance to consumers that they have a say in how an IoT device is being used.
Phishing credentials and brute-forcing weak passwords are not enough of a challenge for attackers as-is, so how can we honestly believe it's wise to put our oven on the Internet to control its temperature without two-factor? What's more, what if you received a Duo Mobile push request when someone in your home turns on the oven to broil, and you could approve or deny the request to help protect your children who may be fooling around?
To that end, we can't think of authentication security as merely keeping "bad people out," but also as providing additional layers of access control for those who may not be able to adequately protect themselves from certain IoT device functionality. As IoT progresses, so must our application of technologies and security controls. With Duo Security's REST API, the future is not yet written on the many ways we will be able to help the Internet of Things grow more safely, with consumers in control. As they said in the Six Million Dollar Man, "We have the technology."