IoT security: Safeguarding privacy and safety
With the Internet-of-Things now entering our daily lives, security is more important than ever. In this blog post, I will elaborate on the key technologies referenced in a new whitepaper just published by Ericsson that explores security requirements and solutions in relation to IoT.
The unprecedented interaction with the physical world that IoT entails has potential impact on the safety and privacy of individuals. Securing the IoT can be a challenge as the devices are often deployed in large quantities, and the associated business models do not afford manual per-device configuration.
Many IoT devices and radio protocols are severely constrained and rely on intermediaries for processing and caching. This means that in many cases IoT requires new or modified software and protocols.
Here at Ericsson Research, we are working on many technologies that are designed to ensure IoT security, privacy and safety. Most of them are released as open standards or open source, to encourage collaboration and contribution from academia, industrial partners and talented individuals:
– 3GPP technologies provide global connectivity and offer unrivaled robustness compared to unlicensed spectrum. One current focus area is to make 3GPP technologies an even better fit for IoT by introducing battery-friendly sleep modes and lightweight signaling. For 2G, EC-GSM-IoT introduces modern ciphers for integrity protection. For 4G, LTE-M and NB-IoT bring several improvements to LTE, including lower device cost, improved battery life, improved coverage, and support for a massive number of connections where security procedures are optimized for transmission of small data. 5G and the evolution of 4G will bring further improvements, such as the use of alternative credentials and the ability for factories and other industries to set up their own networks.
– Calvin is an IoT-application environment that enables distributed applications running on a ‘mesh’ of connected devices. This facilitates the creation of complex software-defined systems built out of separate hardware components. Calvin makes no distinction between cloud and device and programmers do not need to worry about which hardware an application will be deployed on – instead, developers can focus on what to do with little concern of where to do it. Application components called actors can also securely migrate between platforms in real-time to best utilize the resources of a network. We are considering security solutions for all layers of Calvin with regard to platform security, transport security, identity management, and application layer security. Calvin is available from GitHub, and you can read more about it in earlier posts here on our blog, and in this conference paper.
– Security at the application layer provides an attractive option for enabling end-to-end security in the presence of proxies and non-IP paths. HTTP and JSON are extremely popular on the web, and we believe that CoAP and CBOR will be as popular for the IoT. OSCOAP is a lightweight and flexible way to secure CoAP enabling many topologies, such as multicast and Publish–Subscribe. EDHOC is a key exchange protocol with forward secrecy built for constrained devices. ACE is an authorization framework built as a profile of the industry standard OAuth and with profiles for both OSCOAP and DTLS.
– Nimble out-of-band authentication for EAP (EAP-NOOB) is a new EAP method intended for bootstrapping all kinds of IoT-enabled devices that have a minimal user interface and no pre-configured authentication credentials.
As editor of the IoT Security white paper, I was pleased to receive contributions from experts across our company. In 2017, Ericsson Research will publish much more about our exciting new IoT-related research, so keep an eye on the Ericsson Research blog.
Please find more reading here: