The Solution to IoT Security Vulnerabilities was Invented in 1903!

Kelly Sheridan, a Senior Editor at DarkReading, called attention to security vulnerabilities affecting millions of IoT devices in her August 17 article. Sheridan reported the details of a joint disclosure by CISA (Cybersecurity and Infrastructure Security Agency), Mandiant, and ThroughTek about a vulnerability that could allow attackers to obtain video and audio feeds from IoT devices.

Sheridan goes into the details of the Mandiant researchers' report on the vulnerability. Further down in her post, she notes:

“A successful attack would require "comprehensive knowledge of the Kalay protocol" as well as the ability to create and send messages, researchers note. The attackers would need to obtain Kalay UIDs via social engineering or vulnerabilities in the APIs and services that return Kalay UIDs. This would allow them to attack devices linked to the UIDs they have.”

If you look at it closely, we are talking about DDoS attacks here. In her post, Sheridan goes through all the recommended mitigation measures for the vulnerability in question. However, there’s one aspect of the vulnerability in the quote above that the recommended mitigations do not address: social engineering.

IoT is Wonderful; But…

The Internet of Things has brought us a wonderful new world of connected devices. But it has also delivered a new world of opportunity for bad actors to run rampant. One infamous breach installed software “buttons” on millions of webcams and other devices, creating an army of attackers waiting for the signal. You may remember the DDoS attack on a major DNS provider that caused a continent-wide, day-long outage. The company was never the same.

IoT will continue to grow in importance, becoming a bigger and bigger part of our lives in a world of connected devices. So, are we facing a future like the one projected in Woody Allen’s film comedy Sleeper, with malevolent robots using their own communication network to back humans into a societal corner?

The answer can be a definitive No! – if we’re willing to step back and think out of the box a bit. Strange as it may seem to look at the past for guidance on this utterly new IoT phenomenon, there is relevant historical precedent.

The internet used to be called the information highway, right? And what is a highway but an outdoor public roadway system that transports vehicles so that their occupants can arrive at their destinations, which are typically indoor spaces called buildings?

The 1903 Problem that Birthed the Solution

In 1903 the world faced a problem that, when you think about it, shares striking similarities with the IoT security problem.

Henry Higginson, the founder of the Boston Symphony Orchestra, got tired of those newfangled horseless carriages speeding by his summer home, with no accountability on the part of their owners or drivers. He got the Massachusetts legislature to adopt his invention: the license plate.

License plates on the physical highway make owners and drivers accountable, without disclosing their identity.

So why can't we have license plates on packet “vehicles” emitted by IoT devices?

Well, we can indeed, if we look to still more important historical developments besides license plates and internet highway metaphors. The license plates themselves can be made of a fifty-year-old “construction material” called PKI; and their issuance can come from the oldest of all these historical elements: DCPA (duly constituted public authority) and professional licensing.

On March 7, 2005, at the Geneva headquarters of the International Telecommunication Union, a UN agency, a certification authority called the City of Osmio was chartered. A certification authority is the heart and soul of that construction material called PKI.

(Too often, technologists overlook the significance of that word “authority” in “certification authority,” leaving digital certificates with a significance like that of Cabbage Patch Doll birth certificates. This is one of the (ten) reasons why brilliant PKI technology has waited so long to gain traction.)

About the City of Osmio

Osmio is built to operate like a municipality, using a PKI called PKIDR. Unlike other PKIs, but like city halls everywhere, all PKIDR certifications start with identity certificates, that is, identities of accountable human beings. Certificates identifying objects – websites, servers, programs – must be signed using the private key of a certificate that identifies an accountable human being.

Some Osmio identity certificates are bound to an additional certificate called a Professional License. More on that later.

That’s the way accountability is built into the physical world of highways and buildings, and that’s the way it will work in the digital world.

If a company puts trucks onto the public roadways, the drivers of those vehicles are accountable, of course. But so is the management of the company, in case one of those trucks loses its hazardous cargo all over the public roadway, or if it turns out the company has been damaging those roadways by disregarding vehicle weight limits.

Now let’s add professional licensing to the solution. Professional licensing of architects, structural engineers, contractors and building inspectors assures us that buildings are habitable, because their license, that is, their livelihood, can be revoked at any time if they take shortcuts and then sign for the issuance of an occupancy permit that shouldn’t have been issued.

Now, back to those IoT packet vehicles. If they carry malicious cargo, who is accountable?

Osmio offers a Code Auditor’s Professional License, which attests to the professional competence – and professional accountability – of the individual who digitally signs a piece of source code or executable or both. If there’s any funny business therein, well, our professionally licensed code auditor can simply drop a digit and a comma from their annual compensation and go back to writing code.

The professionally licensed Signing Officer of the maker of the IoT device, the handsomely remunerated holder of a Code Auditor’s Professional License, should be taking responsibility for the packet vehicles put onto the public information highway by the company that provides the IoT device.

Sites and other facilities adhering to the Authenticity Infrastructure protocols accept only packet streams that are digitally signed by the professionally licensed signing officer of the company whose device emits the packet stream.
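The accountability chain described above (an object certificate that must carry a human signing officer's signature, and a receiving site that drops any packet stream not traceable to a licensed officer) can be sketched in code. This is an added illustration written for this page, not Osmio's or PKIDR's own implementation; it assumes Ed25519 signatures, a flat "device certificate" structure, and a site-local map of currently licensed officer keys, all of which are simplifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// DeviceCert: a device public key endorsed by an accountable human's signature.
type DeviceCert struct {
	DevicePub, OfficerPub ed25519.PublicKey
	OfficerSig            []byte // officer's signature over DevicePub
}

// SignedPacket is one packet "vehicle": payload, device signature, and its plate.
type SignedPacket struct {
	Payload, Sig []byte
	Cert         DeviceCert
}

// IssueDeviceCert applies the PKIDR rule: an object certificate is signed with
// the private key of a human identity certificate.
func IssueDeviceCert(officerPriv ed25519.PrivateKey, devicePub ed25519.PublicKey) DeviceCert {
	return DeviceCert{DevicePub: devicePub, OfficerPub: officerPriv.Public().(ed25519.PublicKey),
		OfficerSig: ed25519.Sign(officerPriv, devicePub)}
}

// SignPacket is what the device does to every packet it emits.
func SignPacket(devicePriv ed25519.PrivateKey, cert DeviceCert, payload []byte) SignedPacket {
	return SignedPacket{Payload: payload, Sig: ed25519.Sign(devicePriv, payload), Cert: cert}
}

// AcceptPacket is the receiving site's gate: licensed officer, certificate really
// signed by that officer, packet really signed by the certified device key.
func AcceptPacket(licensed map[string]bool, p SignedPacket) bool {
	if !licensed[string(p.Cert.OfficerPub)] {
		return false // unknown officer, or license revoked
	}
	if !ed25519.Verify(p.Cert.OfficerPub, p.Cert.DevicePub, p.Cert.OfficerSig) {
		return false // certificate not endorsed by the claimed officer
	}
	return ed25519.Verify(p.Cert.DevicePub, p.Payload, p.Sig)
}

func main() {
	offPub, offPriv, _ := ed25519.GenerateKey(rand.Reader) // signing officer's identity key
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // the IoT device's own key
	p := SignPacket(devPriv, IssueDeviceCert(offPriv, devPub), []byte("constructed: frame 1"))
	fmt.Println("accepted:", AcceptPacket(map[string]bool{string(offPub): true}, p)) // accepted: true
}
```

Revoking a license is modelled as removing the officer's key from the site's map, after which every packet from every device that officer certified is dropped, which is the "livelihood on the line" property the text describes.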

The signing officer takes personal professional responsibility for what those packets do. Why would a signing officer do that? For the same reason an architect takes professional responsibility for the habitability of a building: she gets paid well for accepting that responsibility. Again, to help with the concept, look at the annual compensation of successful professionally licensed architects, CPAs and others. A good rule of thumb as to what a professional license does for compensation is, again, add a digit and a comma.

And why should WE trust a signer to execute that duty responsibly and in good faith?

Because her professional license is backed by duly constituted public authority – and because that license, her reputation, and her livelihood are on the line with every signature.

Packet signing is just one way that measurably reliable identities and professional licenses, backed by duly constituted public authority, will bring Authenticity to the extreme challenges of solving the major security problems of our broken Internet.