If you're serious about securing IoT gadgets, may as well start here

We're not here to fsck spiders – prove you care by getting busy with RADIUS and EAP

Can we overcome the SOHOpeless security of the Internet of Things at the home and small business level? An Internet-Draft from Ericsson engineer Mohit Sethi suggests so.

Sethi's ambitious proposal isn't destined for the hall of internet standards. Instead, it sets out a possible way to get IoT gadgets connected securely to the local network and internet, without trying to turn every home user into a seasoned sysadmin.

The goal is to help folks easily set up their gizmos without misconfiguring their gear, using weak or default passwords, or skipping authentication altogether. Rather than walk them through typing in Wi-Fi keys, it should all be mostly automated from the cloud. He noted that the supporting technologies for this already exist: RADIUS, EAP, and IEEE 802.1X aka port-based network access control. These are well-known but enterprise-focussed.

The draft describes how an IoT device can use EAP to securely join a Wi-Fi network and then securely connect to a RADIUS server to be authenticated and activated. This server could run on the wireless access point, or be an online service on the public internet run by the maker of the gadget. IEEE 802.1AR certificates present in the gizmo could be used for secure EAP-TLS authentication. This requires the wireless access point to support this system, of course.

Crucially, after you buy the device, you'd set a secret with the manufacturer that would be supplied when the thing is first turned on so that it can, via EAP and RADIUS, identify itself with the maker's backend – a classic Authentication, Authorization, and Accounting (AAA) system – and establish all the necessary credentials. At that point, the device can know when it's securely talking to its maker's backend systems, preventing man-in-the-middle attacks and the like.

Here are some snazzy ASCII diagrams of the setup from Sethi's proposal:

[Diagram: A small office setup]

[Diagram: A home setup]

Sure, users might still have to play pick-a-passphrase when they buy a new device, but with the vendor's authentication infrastructure in place, the customer only needs that passphrase to register their toy.

"The online RADIUS server can prevent the user from registering the same (or similar) secrets for the different devices," Sethi explained in the draft. "This would ensure that devices in network do not share the same secret."
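To make the two checks above concrete, here is an added toy model of the vendor's AAA backend. It is illustration written for this article, not code from Sethi's draft or from Ericsson, and it stands in for two pieces of the flow described earlier: the registration secret set with the manufacturer, which the device and backend use to prove themselves to each other, and the backend's refusal to accept the same or a similar secret for two different devices. The draft's actual mechanism is EAP-TLS with IEEE 802.1AR certificates; the shared-secret challenge-response here is a simplification chosen so the exchange can run offline, and the class names, the 12-character minimum and the 0.8 similarity threshold are all assumed policy values rather than figures from the draft.

```python
"""Toy vendor-side AAA backend for the onboarding flow in the article.

Added illustration, not code from Sethi's draft or any Ericsson project.
The draft uses EAP-TLS with 802.1AR device certificates; this model swaps
that for a shared-secret challenge-response so two checks can run offline:
  1. the backend refuses the same or a similar secret for two devices, and
  2. authentication is mutual: a device only proves itself to a backend
     that has first proved it knows the registration secret.
"""
import hashlib
import hmac
import secrets
from difflib import SequenceMatcher

MIN_SECRET_LEN = 12   # assumed policy value, not from the draft
MAX_SIMILARITY = 0.8  # assumed threshold on difflib's similarity ratio


def _normalise(secret: str) -> str:
    # Case-folding and dropping whitespace catch the trivial variants
    # ("Fridge 01" vs "fridge01") users produce when told to pick a new one.
    return "".join(secret.split()).casefold()


def too_similar(a: str, b: str) -> bool:
    """True when two secrets are identical or differ only slightly."""
    na, nb = _normalise(a), _normalise(b)
    if na == nb:
        return True
    return SequenceMatcher(None, na, nb).ratio() >= MAX_SIMILARITY


def _proof(secret: bytes, role: bytes, device_nonce: bytes, server_nonce: bytes) -> bytes:
    # Bound to both nonces and to the sender's role, so a proof captured in
    # one direction cannot be replayed in the other or in a later session.
    return hmac.new(secret, role + device_nonce + server_nonce, hashlib.sha256).digest()


class VendorAAA:
    """Registers per-device secrets and runs the server half of the exchange."""

    def __init__(self):
        # Plaintext is kept only because the similarity check needs it; a real
        # backend would scope the check per customer and protect the store.
        self._secrets = {}

    def register(self, device_id: str, secret: str) -> bool:
        """Accept a secret unless it is short or clashes with another device's."""
        if len(secret) < MIN_SECRET_LEN:
            return False
        for other_id, other in self._secrets.items():
            if other_id != device_id and too_similar(secret, other):
                return False
        self._secrets[device_id] = secret
        return True

    def challenge(self, device_id: str, device_nonce: bytes):
        """Server proves itself first: returns (server_nonce, server_proof)."""
        secret = self._secrets.get(device_id, "").encode()
        server_nonce = secrets.token_bytes(16)
        return server_nonce, _proof(secret, b"server", device_nonce, server_nonce)

    def verify_device(self, device_id, device_nonce, server_nonce, device_proof) -> bool:
        if device_id not in self._secrets:
            return False
        expected = _proof(self._secrets[device_id].encode(), b"device", device_nonce, server_nonce)
        return hmac.compare_digest(expected, device_proof)


class Device:
    """The gadget: holds the secret set at purchase time and checks the backend."""

    def __init__(self, device_id: str, secret: str):
        self.device_id = device_id
        self._secret = secret.encode()
        self._nonce = b""

    def start(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def check_server(self, server_nonce: bytes, server_proof: bytes) -> bool:
        expected = _proof(self._secret, b"server", self._nonce, server_nonce)
        return hmac.compare_digest(expected, server_proof)

    def prove(self, server_nonce: bytes) -> bytes:
        return _proof(self._secret, b"device", self._nonce, server_nonce)


def run_exchange(device: Device, backend: VendorAAA) -> bool:
    """One full mutual authentication; False if either side fails to prove itself."""
    device_nonce = device.start()
    server_nonce, server_proof = backend.challenge(device.device_id, device_nonce)
    if not device.check_server(server_nonce, server_proof):
        return False  # backend could not prove the secret: device stops here
    return backend.verify_device(device.device_id, device_nonce, server_nonce,
                                 device.prove(server_nonce))


if __name__ == "__main__":
    aaa = VendorAAA()
    print(aaa.register("fridge-01", "CorrectHorseBattery1"))    # True
    print(aaa.register("lamp-02", "CorrectHorseBattery2"))      # False: near-duplicate
    print(aaa.register("lamp-02", "purple-monkey-dishwasher"))  # True
    fridge = Device("fridge-01", "CorrectHorseBattery1")
    print(run_exchange(fridge, aaa))                             # True
    other = VendorAAA()
    other.register("fridge-01", "a-different-secret-1234")
    print(run_exchange(fridge, other))                           # False: wrong backend
```

The ordering matters: the backend proves knowledge of the secret before the device does, so a gadget pointed at the wrong server stops after one message instead of handing over its own proof. The caveat is that any proof computed from a user-chosen secret can be checked offline against candidate passphrases, which is why the minimum-length rule is part of the model and why the draft leans on certificate-based EAP-TLS rather than passphrases for the network join itself.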

While a good stab, some problems remain. For one thing, it requires an awful lot of effort on the part of gateway and device makers, who may resist splashing cash on setting up RADIUS and EAP services. In particular, the draft, written up earlier this month, doesn't address the thorny question of maintaining continuity of service and security if a vendor goes under, or decides to withdraw a product and its associated services. In other words, if the cloud service goes down, it'll likely take its gadgets with it.

Still, Vulture South feels it's a decent contribution to the debate and sits alongside similar approaches touted by Arm and Microsoft. We look forward to seeing what readers think in the comments. ®


Biting the hand that feeds IT © 1998–2022