A proposal for a new open source toolkit
It is important that connected devices can be controlled securely, and that the data they hold is protected and can be trusted.
As the barriers to entry for building devices get lower, it is critical that developers have simple options for securing Internet of Things (IoT) devices.
Transport Layer Security (TLS) is already widely used for web and mobile apps. Although the constraints of connected devices make it hard to fully implement TLS, we think it can still be helpful for improving IoT security.
We recommend the use of a simplified subset of TLS that is tailored to IoT devices, where:
- Manufacturers run their own Certificate Authority: rather than using public certificate authorities, every manufacturer becomes its own certificate authority and issues certificates to its own servers.
- Devices bundle a single root certificate: instead of including all root certificates, the device is bundled with just one, the manufacturer’s root certificate. This means devices would only connect to servers controlled by the manufacturer.
- Servers offer a single cipher suite: the manufacturer selects a single cipher suite because they control both the device and the servers, which would simplify the device’s TLS code.
- Servers support elliptic curve ciphers: the devices and servers use elliptic curve algorithms optimised for low power, low memory devices.
- Servers proxy requests to the internet: because devices wouldn't be able to connect to any arbitrary destination, servers would need to proxy any requests that devices make to other destinations.
- Server certificates expire quickly: instead of checking certificates for revocation, the manufacturer automates regular replacement of certificates, limiting the lifetime of a compromised certificate.
- Devices keep time with roughtime: a lightweight protocol is used for keeping time roughly but securely.
We believe an open source toolkit would help IoT developers implement these suggestions. The toolkit would need to include:
- Embedded code (C/C++) providing a restricted subset of TLS. This library would likely be forked from an existing open source library with much of the code being deleted to reduce the size
- Embedded code implementing a roughtime client
- Example web server configuration files for enabling elliptic curve cipher suites
- Tools and scripts for running a private certificate authority, for example issuing server certificates
- A tool for bundling a single root certificate into a device
- A simple proxy server which forwards requests between a device and an external service
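As an added illustration of the private certificate authority, single root, elliptic curve and quick-expiry recommendations above (this is not code from the proposed toolkit), the following shell functions use the `openssl` command line. The subject names, file names, P-256 curve choice and directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example: private root CA, short-lived server certificate, and
# verification against that single root only. All names are constructed.

# Create an EC P-256 root key and self-signed root certificate in directory $1.
make_root() {
    cat > "$1/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Manufacturer Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/root.key" &&
    openssl req -x509 -new -config "$1/root.cnf" -key "$1/root.key" \
        -sha256 -days 3650 -out "$1/root.pem"
}

# Issue a server certificate for host $2, valid for $3 days, signed by the root in $1.
# Re-running this on a schedule replaces revocation checking with regular renewal.
issue_server() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$2" > "$1/server.ext"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/server.key" &&
    openssl req -new -config "$1/root.cnf" -key "$1/server.key" \
        -subj "/CN=$2" -out "$1/server.csr" &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -sha256 -days "$3" -extfile "$1/server.ext" \
        -out "$1/server.pem" 2>/dev/null
}

# Verify certificate $2 against only the root in $1 (no system trust store),
# as seen by a device whose clock reads now + $3 days.
verify_at() {
    when=$(( $(date +%s) + $3 * 86400 ))
    openssl verify -no-CApath -CAfile "$1/root.pem" -attime "$when" "$2" \
        >/dev/null 2>&1
}
```

With `ca` an existing directory, `make_root ca && issue_server ca device.example.test 7` produces a 7-day certificate; `verify_at ca ca/server.pem 0` then succeeds and `verify_at ca ca/server.pem 8` fails, which shows why short lifetimes only work if the device clock is trustworthy.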
We think these open source tools would be a good step towards securing the IoT and ensuring connected devices are safe and can be trusted.
If you are interested in taking this research further, understanding the opportunities for your company or piloting such a system, get in touch with us at [email protected].