Security of IoT/IP
Extending the Home Trust Model
Remotely controlling devices inside the home has a long history. From infrared remote controls to Bluetooth®, the foundation of their security has been physical proximity, due to the limited range of the signaling carrier (IR light, 2.4 GHz radio, etc.).
Bluetooth and recent WiFi™-based products have established models of pairing where a controller, such as a handset, gets authorized to communicate with a headset, smart switch or other similar device. The pairing itself requires real-time physical proximity, partly due to the limits of radios, but also because something from the physical device has to be known to the controller operator, using something like a stamped PIN.
This type of local authentication works surprisingly well and limits the attack surface, though it is important to keep in mind that nothing in this model is online at all.
However, this approach does not allow remote access to home devices. To enable easy, low-cost remote access, the Internet is required. The problem is that online access brings its own authentication mechanisms, such as usernames and passwords, which come with their own vulnerabilities.
For users to remain confident that they have sole control over their devices when Internet-based remote access is used, it is essential that the existing security mechanisms are not compromised.
For this reason, we have decided not to introduce any new security relationships or identities in our IoT/IP infrastructure for remote communication with connected products. Local pairing and authentication stay as they are, and are the only requirements for enabling remote access. There are no Web portals, dashboards or logins. It is actually impossible for the user or developer to even 'see' our infrastructure, in the same way that ISP routers are not visible when accessing the Internet. Any device authorized, at the time of manufacturing, to use the IoT/IP fabric has lifetime access.
As long as the local authentication and pairing are done properly, our IoT/IP network maintains the same level of security when remotely accessing your home devices.
We are deploying state-of-the-art cipher suites and design principles:
- Each paired handset and device receives a random and unique connection name from a huge 128-bit address space, making it impossible to guess. Think of it as a 38-digit telephone conference PIN: only those who know the PIN can access the conference call. Likewise, both the handset and the device use the PIN to find each other.
- Our IoT/IP network does not know about the identity of devices/handsets, much less who owns them. This is similar to what Internet routers know about packets that travel between web users and web servers. Access is granted at manufacturing time, long before the device ever reaches the consumer.
- All communication with our IoT/IP network is encrypted with 256-bit strong ciphers, so eavesdroppers cannot learn the content of the communication. Furthermore, our IoT/IP cipher suite provides forward secrecy, so if someone were to break into the device, the handset or our IoT/IP network, they could not reconstruct past communications.
- On top of this, our SDK, which runs on handsets and devices, provides end-to-end security and authentication using a different cipher suite. This does not involve the IoT/IP network, meaning that a network compromise cannot reveal the content of the communication or be used to control devices.
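The properties in the list above (a 128-bit random connection name, a relay that only ever forwards opaque ciphertext, forward secrecy from keys that are discarded after use, and an end-to-end layer the network cannot read) as an added Go example. This is not the IoT/IP SDK's code: the page does not name its cipher suites, so X25519 for the ephemeral key agreement and AES-256-GCM for the end-to-end channel are assumptions, as is SHA-256 standing in for a key derivation function.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// NewConnectionName draws a rendezvous name from the full 128-bit space using
// the OS CSPRNG; it is the only value the relay learns about a pairing.
func NewConnectionName() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return hex.EncodeToString(b)
}

// Endpoint is a handset or device. Its X25519 key is ephemeral and is dropped
// once the session key exists, which is what gives forward secrecy.
type Endpoint struct {
	priv *ecdh.PrivateKey
	aead cipher.AEAD
}

func NewEndpoint() *Endpoint {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Endpoint{priv: k}
}

func (e *Endpoint) Public() []byte { return e.priv.PublicKey().Bytes() }

// Finish derives an AES-256-GCM key from the peer's ephemeral public key;
// SHA-256 over the shared secret stands in for a real KDF (demo assumption).
func (e *Endpoint) Finish(peerPub []byte) {
	pk, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil { panic(err) }
	shared, err := e.priv.ECDH(pk)
	if err != nil { panic(err) }
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	e.aead, _ = cipher.NewGCM(block)
	e.priv = nil // ephemeral key gone: a later compromise cannot recover this session
}

// Seal returns nonce||ciphertext, the only bytes the relay ever forwards.
func (e *Endpoint) Seal(pt []byte) []byte {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return e.aead.Seal(nonce, nonce, pt, nil)
}

func (e *Endpoint) Open(ct []byte) ([]byte, error) {
	n := e.aead.NonceSize()
	return e.aead.Open(nil, ct[:n], ct[n:], nil)
}
```

A relay node in this model would match the two parties by connection name and forward the output of Seal unchanged; it holds neither identities nor keys, so nothing it stores helps decrypt past or present traffic.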
All of this is to maintain the existing home trust model when enabling connected devices, and preserve consumer confidence that additional functionality does not come with undue additional risks.
The next step in gaining consumer confidence is robustness. The remote connectivity feature should be available 24/7, and we have designed our technology with this in mind.
Our IoT/IP network is homogeneous; therefore all nodes are the same. If one or more nodes fail, clients automatically start to use a different one. This is very fast and efficient, as there is no state, and there are no accounts, to maintain and transfer.
The IoT/IP fabric is composed of multiple machines, placed at major Internet exchange locations at Tier-1 colocation providers. Each node is connected to the Internet through multiple Tier-1 transit bandwidth providers, via Gigabit trunks with guaranteed bandwidth. Failure of a bandwidth or colocation provider does not cause a service outage.
The homogeneity of our network has another major feature: Distributed Denial of Service (DDoS) resistance. All services are fully distributed and have no single point of failure. The only way to overload the network is to overload all geographically distributed nodes at the same time.
Our DDoS-resistant protocols are UDP-based with little or no state, and by the end of the year we plan to deploy over 80 Gbps of bandwidth handling. A potential attacker would need significant resources to gain access to the protected information.