What are some good solutions to authentication for IoT devices?
There's nothing wrong in principle with using a certificate (other than it being overly complicated...there's a reason we aren't all using client certificates to authenticate with our email server, Twitter, Facebook, etc). Just as there is nothing wrong in principle with using a user/password scheme.
Both certificates and user/passwords suffer from the same serious problem: how do you change them on the device? If you don't have a way to change them, all someone has to do is learn the factory default and game over. (Even if you provide a way to change them there is the issue of how to make sure people actually change them, which is a whole other problem).
IoT devices often do not have a good interface on the device itself that you could use to change a user/password (let alone enter a new certificate!).
You could include Bluetooth in the device, and provide a configuration application that the user runs on their phone. If the device does not otherwise need Bluetooth that is going to raise the cost a little, and if the device does not otherwise need a mobile app making people get one just to set the thing up is going to seriously annoy many.
What I would like to see is this:
1. Every IoT device (and every non-IoT device, for that matter, for reasons given below) should have at least one of: (A) A USB port that you can plug a thumb drive into, (B) A USB port that you can use to connect the device to a computer, or (C) some type of SD card port. I think that USB is cheap enough now that it would not cost much to add it.
2. If you plug a FAT or FAT32 formatted thumb drive or SD card into the device, it reads and applies configuration information from a file on the drive or card. There should be a convention established for the naming and location of configuration files so that multiple devices from multiple vendors can all have configuration files on the same drive.
3. If you plug the device into a computer via USB, the device shows up as a FAT or FAT32 formatted drive with its current configuration in files on that drive. You can edit them to change the configuration.
4. When you connect a thumb drive or insert an SD card and there is a "DOCS" directory on it, the device makes a subdirectory in that named after itself, and in that directory writes a copy of its user manual and other documentation. If there is a "LOGS" directory, it should do a similar thing, but with any logs it keeps. If there is an "INFO" directory, do a similar thing but with information about the device, such as model number, serial number, and other such stuff useful to have if you need to contact customer service.
5. This mechanism could also be used to provide firmware updates to the device.
(#4 and #5 are why I want this everywhere, not just IoT).
Another issue with IoT devices, once you have figured out how to change authentication information, is how to keep that safe? For instance, I'm making a motion detecting bird camera to take photos of the birds that stop by for the food I leave out. If I want it to use my home wifi to upload photos...it needs my home wifi credentials.
But it will be outside. If someone steals it, they have my credentials! (I'm currently using a Raspberry Pi, so they could just steal the SD card...or if they came prepared they could just borrow it, copy it, and put it back, and I might not even find out about it).
My current thoughts are to have the thing come up after boot offering its own wifi network. I can connect to that from my computer, and start the bird cam software, which can ask for my wifi credentials. It can then stop offering a wifi network and join mine, keeping the credentials only in RAM.
Still vulnerable, but it would then take an attack more sophisticated than simply stealing it, or cloning the SD card.
There's nothing wrong in principle with using a certificate (other than it being overly complicated...there's a reason we aren't all using client certificates to authenticate with our email server, Twitter, Facebook, etc). Just as there is nothing wrong in principle with using a user/password scheme.
Both certificates and user/passwords suffer from the same serious problem: how do you change them on the device? If you don't have a way to change them, all someone has to do is learn the factory default and game over. (Even if you provide a way to change them there is the issue of how to make sure people actually change them, which is a whole other problem).
IoT devices often do not have a good interface on the device itself that you could use to change a user/password (let alone enter a new certificate!).
You could include Bluetooth in the device, and provide a configuration application that the user runs on their phone. If the device does not otherwise need Bluetooth that is going to raise the cost a little, and if the device does not otherwise need a mobile app making people get one just to set the thing up is going to seriously annoy many.
What I would like to see is this:
1. Every IoT device (and every non-IoT device, for that matter, for reasons given below) should have at least one of: (A) A USB port that you can plug a thumb drive into, (B) A USB port that you can use to connect the device to a computer, or (C) some type of SD card port. I think that USB is cheap enough now that it would not cost much to add it.
2. If you plug a FAT or FAT32 formatted thumb drive or SD card into the device, it reads and applies configuration information from a file on the drive or card. There should be a convention established for the naming and location of configuration files so that multiple devices from multiple vendors can all have configuration files on the same drive.
3. If you plug the device into a computer via USB, the device shows up as a FAT or FAT32 formatted drive with its current configuration in files on that drive. You can edit them to change the configuration.
4. When you connect a thumb drive or insert an SD card and there is a "DOCS" directory on it, the device makes a subdirectory in that named after itself, and in that directory writes a copy of its user manual and other documentation. If there is a "LOGS" directory, it should do a similar thing, but with any logs it keeps. If there is an "INFO" directory, do a similar thing but with information about the device, such as model number, serial number, and other such stuff useful to have if you need to contact customer service.
5. This mechanism could also be used to provide firmware updates to the device.
(#4 and #5 are why I want this everywhere, not just IoT).
Another issue with IoT devices, once you have figured out how to change authentication information, is how to keep that safe? For instance, I'm making a motion detecting bird camera to take photos of the birds that stop by for the food I leave out. If I want it to use my home wifi to upload photos...it needs my home wifi credentials.
But it will be outside. If someone steals it, they have my credentials! (I'm currently using a Raspberry Pi, so they could just steal the SD card...or if they came prepared they could just borrow it, copy it, and put it back, and I might not even find out about it).
My current thoughts are to have the thing come up after boot offering its own wifi network. I can connect to that from my computer, and start the bird cam software, which can ask for my wifi credentials. It can then stop offering a wifi network and join mine, keeping the credentials only in RAM.
Still vulnerable, but it would then take an attack more sophisticated than simply stealing it, or cloning the SD card.