This month has seen the launch of four new attempts to scale device-level security for the internet of things. On the industrial and enterprise side, the FIDO Alliance launched FIDO Device Onboard (FDO) to let corporate customers add IoT devices to their networks securely. In the smart home, we saw the Project Connected Home over IP (Project CHIP) working group tackle security with a blockchain-based distributed ledger that records which devices have passed certification.
And somewhere in the middle of those two efforts, the ioXt Alliance plans a security standard for Android-based phones and other connected devices that has some things I like and a few things I don’t. What’s clear is that device-side security for connected products is getting serious. And that’s without Arm’s entirely new silicon architecture that will likely be in products in a few years, which relies on what Arm calls its Confidential Compute Architecture.
All of this is excellent. We’ve had some serious innovation on the IoT security front when it comes to networking; plenty of companies sell software that monitors and analyzes network traffic, often using machine learning, to detect threats. But device-level security that scales is a tougher sell. Microsoft’s Azure Sphere was the last big new idea for securing IoT devices, but because it requires its own certified silicon it only protects devices designed around it from the start, and it can’t shrink to cover more constrained devices, such as battery-powered sensors.
I covered the ledger-based approach that Project CHIP will provide last week, in this story and in this one, so I’ll focus this week on ioXt’s new standard and the secure device provisioning that the FIDO Alliance has created.
Let’s start with FIDO’s plan for the FIDO Device Onboard (FDO) protocol (look, it’s a nested acronym!). The FDO protocol is designed for two things and only those two things: attesting that a device comes from a specific manufacturer, and bringing it online in an enterprise or factory environment securely and easily. A company installing an FDO device knows both that it came from where it says it did and that the company can get the device onto its (hopefully) secure network without the installer needing per-device passwords or admin credentials. While this may not sound like a big deal, when you’re managing tens of thousands of connected devices across multiple locations from many different vendors, getting devices online and making sure they are legit is a pain.
FDO works by giving each device, at manufacture, its own key pair and identifier plus the manufacturer’s public key as a trust anchor. The manufacturer also creates an “ownership voucher,” a signed record tying that device to the manufacturer, and hands the voucher (never the device’s private key) to whoever buys the device; each resale along the supply chain adds another signed link, so the final owner holds a chain of signatures that leads back to the manufacturer.
When the customer is ready to deploy, it registers the voucher, together with the address of its own onboarding service, with an FDO rendezvous server (the “FDO cloud”). The customer decides which cloud or management platform the device should end up on. When the device is plugged in at a customer site, it “wakes up,” contacts the rendezvous server, proves it holds its device key, and is told where its owner’s onboarding service is. Device and owner then authenticate each other: the owner presents the voucher, which the device checks against the manufacturer key it shipped with, and the device proves its own key to the owner. Only then does the device accept the credentials that provision it for the chosen cloud. The rendezvous server never holds the device’s secrets; it only maps device identifiers to owners. You can see the detailed steps in the above image.
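To make the voucher and the final handshake concrete, here is an added, simplified model in Go. It is example code written for this article, not FIDO’s specification or its reference implementation. It models the ownership voucher as a hash chain of Ed25519-signed transfers rooted at the manufacturer key, and the onboarding handshake (FDO calls it TO2) from the device’s side; the rendezvous redirect is left out, so the owner is handed to the device directly. The names Voucher, Owner, TO2 and Scenario, the field layout, and the endpoint https://onboard.example.com are this example’s own assumptions; the real protocol uses CBOR/COSE messages and more fields. The rogue case shows what happens when someone who has the device, and even a copy of its voucher header, but no manufacturer-signed transfer tries to claim it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Simplified FDO ownership voucher: a header fixed at manufacture plus one key/signature per transfer.
type Voucher struct {
	GUID      []byte
	DeviceKey ed25519.PublicKey   // device attestation key, created at manufacture
	MfgKey    ed25519.PublicKey   // manufacturer key, also burned into the device
	Keys      []ed25519.PublicKey // successive owners, in order
	Sigs      [][]byte            // Sigs[i]: signature by the owner before Keys[i]
}

type Owner struct {
	key     ed25519.PrivateKey
	voucher Voucher
	addr    string // onboarding endpoint the device may use once it trusts this owner
}

func hash(parts ...[]byte) [32]byte { return sha256.Sum256(bytes.Join(parts, nil)) }

// proves is a challenge-response: can priv sign a fresh nonce that verifies under pub?
func proves(priv ed25519.PrivateKey, pub ed25519.PublicKey) bool {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	return ed25519.Verify(pub, nonce, ed25519.Sign(priv, nonce))
}

// Verify fails unless the voucher is anchored at root and every transfer was signed by the
// owner before it; a non-nil holder must also prove it has the final key. Returns the chain tip.
func (v Voucher) Verify(root ed25519.PublicKey, holder ed25519.PrivateKey) ([32]byte, error) {
	key, tip := v.MfgKey, hash(v.GUID, v.DeviceKey, v.MfgKey)
	if !root.Equal(v.MfgKey) {
		return tip, fmt.Errorf("voucher not rooted at a trusted manufacturer")
	}
	for i, next := range v.Keys {
		tip = hash(tip[:], next)
		if !ed25519.Verify(key, tip[:], v.Sigs[i]) {
			return tip, fmt.Errorf("voucher entry %d not signed by previous owner", i)
		}
		key = next
	}
	if holder != nil && !proves(holder, key) {
		return tip, fmt.Errorf("presenter does not hold the current owner key")
	}
	return tip, nil
}

// Extend records a transfer to next signed by holder; Verify rejects it unless holder was the owner.
func (v Voucher) Extend(holder ed25519.PrivateKey, next ed25519.PublicKey) Voucher {
	tip, _ := v.Verify(v.MfgKey, nil)
	tip = hash(tip[:], next)
	v.Keys = append(v.Keys[:len(v.Keys):len(v.Keys)], next) // copy; never alias the caller's voucher
	v.Sigs = append(v.Sigs[:len(v.Sigs):len(v.Sigs)], ed25519.Sign(holder, tip[:]))
	return v
}

// TO2 is the onboarding handshake as the device sees it. The device boots knowing only its
// GUID, its own key and the manufacturer key; the owner presents its voucher. The device checks
// the chain and the owner's key, then proves its own key to the owner before accepting anything.
func TO2(guid []byte, devKey ed25519.PrivateKey, root ed25519.PublicKey, o *Owner) (string, error) {
	if _, err := o.voucher.Verify(root, o.key); err != nil {
		return "", fmt.Errorf("device rejects owner: %w", err)
	}
	if !bytes.Equal(o.voucher.GUID, guid) || !o.voucher.DeviceKey.Equal(devKey.Public()) {
		return "", fmt.Errorf("device rejects owner: voucher is for a different device")
	}
	if !proves(devKey, o.voucher.DeviceKey) {
		return "", fmt.Errorf("owner rejects device: attestation failed")
	}
	return o.addr, nil
}

// Scenario wires the parties up. With rogue set, an impostor who has the device and a copy of
// its voucher header, but no manufacturer-signed transfer, signs the transfer to itself.
func Scenario(rogue bool) (string, error) {
	mfgPub, mfgPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	ownPub, ownPriv, _ := ed25519.GenerateKey(rand.Reader)
	guid := make([]byte, 16)
	rand.Read(guid)
	v := Voucher{GUID: guid, DeviceKey: devPub, MfgKey: mfgPub} // written at manufacture
	signer := mfgPriv                                            // the manufacturer signs the sale
	if rogue {
		signer = ownPriv
	}
	o := &Owner{ownPriv, v.Extend(signer, ownPub), "https://onboard.example.com"} // assumed address
	return TO2(guid, devPriv, mfgPub, o)
}

func main() {
	fmt.Println(Scenario(false))
	fmt.Println(Scenario(true))
}
```

Run it and the legitimate path returns the onboarding address while the forged transfer fails at the first chain link. The device-side checks are the security core: a chain rooted at the key the device shipped with, a voucher bound to this device’s GUID and key, and an owner who proves possession of the final key rather than merely holding a copy of the voucher. Without that last check, a leaked voucher would be enough to hijack a device.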
There are several things to like about this approach. Many secure platforms today, such as Azure Sphere, only work with a specific cloud, so if you aren’t using that cloud you can’t use that method to secure the device. Device makers can support similar security frameworks, which use a secure key that checks into a cloud for attestation, but they usually need a separate product for each of the big cloud vendors. FDO eliminates that complexity: because the device isn’t bound to any cloud until it is onboarded, the same device can be pointed at whichever platform the customer chooses.
The FIDO Alliance is a well-established standards body in the IT world; its authentication standards are already widely deployed. It’s backed by Intel, Aetna, Bank of America, American Express, Microsoft, RSA, PayPal, and dozens of other big companies with a vested interest in IT security. FDO, meanwhile, is focused on the enterprise side of IoT device security. The ioXt Alliance is focused more on consumer devices such as cameras, smart speakers, and mobile phones. It is also unique in that it covers app security for these devices.
This week, the ioXt Alliance showed off its app certification program, announcing that several companies had achieved certification for their apps and their virtual private network (VPN) software. It was a bit of an odd turn for the Alliance, which had said it would focus on specific device types such as smart speakers, cameras and phones.
Brad Ree, the CTO of the ioXt Alliance, said that while device security is obviously important, apps are also a huge potential vector for stealing someone’s data or getting into their network and devices.
The certification is based on factors including how long API sessions and tokens stay valid, how the app stores and handles data, and what the password requirements are. The security standard lets developers start at a baseline level of security and then adds further requirements that a developer can choose to implement. This tiered approach means a relatively low-risk app doesn’t have to pass the far more stringent tests that might be associated with medical or financial apps.
Joe Britt, the CEO of Afero, which makes an IoT platform used by Kenmore, Home Depot, and others, says that getting the recently announced app certification for Home Depot’s Hubspace app was easy since Afero already followed most of the practices. He views the addition of apps to a security framework as essential.
If nothing else, these new standards and protocols show how much focus the tech industry is placing on IoT security. They also show how hard it will be to get by with only a few standards. The IoT encompasses devices, apps, networking, clouds, and even data shared between companies. It also covers so many different risk levels that any sort of one-size-fits-all approach would never work. So we’re stuck with multiple standards. But my hope is that on the consumer side, retailers step up and demand secure products (they should test them, too), and that on the enterprise side, we see more widely adopted standards.