Mbed Cloud makes device passwords a thing of the past
IoT devices often require technicians to connect to the device to change configuration, diagnose problems, update software, and more. This is typically done using a web page, a terminal connection or a mobile application.
Today, a password is the most common solution for protecting devices from unauthorized access. Each device, or group of devices, has a password, and only technicians who know that password can connect to the device. It sounds nice and easy, but the reality is different.
Device passwords are often sent via email, shared on post-it notes, or worse, written on the devices themselves. How do you handle it when a technician who memorized passwords leaves the company? How can you update the passwords of thousands of devices, when the device password leaks to the internet and is now known to hackers?
It’s virtually impossible to achieve high-level operational security when passwords are used to protect access to devices. The potential weakness of IoT device passwords is a well-known security challenge responsible for numerous high-profile security breaches and hacks.
Device passwords must become a thing of the past, but what’s the alternative? How can you control access to a resource without sharing a secret with the party that requests access to the resource?
A very similar problem has already been solved on the internet: users can grant websites or applications permission to access their information stored on other websites without handing over their passwords. That solution is OAuth, an open framework for access delegation that is widely used to protect access to websites and APIs.
Arm is working at the IETF on adapting OAuth to the requirements of IoT devices. The IETF Authentication and Authorization for Constrained Environments (ACE) working group is defining a standardized profile of OAuth for constrained devices, and Arm is one of the co-authors of this emerging OAuth-ACE standard.
OAuth-ACE introduces the much more efficient CoAP transport (either instead of, or in addition to, HTTP) and Concise Binary Object Representation (CBOR) encoding of access tokens. It also achieves end-to-end security by introducing proof-of-possession (PoP) tokens in place of the bearer tokens used in classic OAuth.
Mbed Secure Device Access, a new feature of Mbed Cloud, makes it easy for enterprises, system integrators and device OEMs to put OAuth-ACE into use.
Mbed Cloud allows system administrators to define device access policies for users and user groups. The device policies define who is allowed to access specific devices and device groups, when they can do so and how their access is granted.
Let’s say you define an Mbed Cloud policy allowing technicians in group “Senior Technicians” to access devices in group “Connected Elevators” and change their configuration.
One day there is a failure and a connected elevator goes off network. A technician is dispatched to diagnose and fix the problem. The technician uses a mobile app to log into the enterprise network with the strong credentials he uses for other work-related applications.
It’s the same credentials, with a unique user name and strong password, that he uses for downloading his work email or accessing files.
Using his mobile app, the technician requests permissions to read diagnostic data and change configuration in the elevator he is dispatched to fix. Mbed Cloud evaluates the policies, checking that the technician is part of the “Senior Technicians” group and that the requested permissions allow access to the elevator in the “Connected Elevators” group. If everything checks out correctly, the Mbed Cloud authorization server issues an OAuth-ACE access token for the technician, allowing him to read diagnostic information from the device and change its configuration. The access token is signed with the private key of the Mbed authorization server.
When the technician arrives at the site and connects his phone to the elevator, the technician’s mobile app presents the access token to the elevator. The elevator is configured to trust the policy decisions of the Mbed authorization server. This trust is represented by the certificate of the Mbed authorization server, which the device uses to validate the authenticity of the access token.
By verifying the signature on the access token, the elevator can now confirm that the technician does indeed have permission to read the diagnostic information and change the configuration of the elevator. Inherently insecure device passwords are no longer needed.
Note: the elevator is also able to validate the permissions while disconnected from the network - Problem solved!
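The following Go program is an added illustration of the whole flow described above (policy evaluation at the authorization server, a signed access token bound to the technician's key, and offline validation on the device). It is not Mbed Cloud or OAuth-ACE code: the group names, device IDs, scope names and the "mbed-as" issuer string are constructed sample data, the token is encoded as JSON rather than the CBOR Web Token that OAuth-ACE specifies, and the proof-of-possession exchange is reduced to the device issuing a nonce that the client signs with the key the token was bound to. The device object holds only the authorization server's public key, so `Authorize` works with no network connectivity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Policy: a user group may perform the listed scopes on a device group (constructed data model).
type Policy struct {
	UserGroup, DeviceGroup string
	Scopes                 []string
}

// Claims of the simplified access token. OAuth-ACE uses CBOR (CWT); JSON avoids a dependency here.
type Claims struct {
	Iss   string   `json:"iss"`
	Aud   string   `json:"aud"`   // the device the token is valid for
	Scope []string `json:"scope"` // granted permissions
	Exp   int64    `json:"exp"`   // unix expiry
	Cnf   []byte   `json:"cnf"`   // client's PoP public key (PKIX DER); stands in for the cnf claim
}

// Token is the canonical claims bytes plus the authorization server's ECDSA signature over them.
type Token struct{ Claims, Sig []byte }

type AuthServer struct {
	key          *ecdsa.PrivateKey
	userGroups   map[string][]string // user -> groups
	deviceGroups map[string]string   // device -> group
	policies     []Policy
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// allowedScopes evaluates every policy that links one of the user's groups to the device's group.
func (as *AuthServer) allowedScopes(user, device string) (out []string) {
	for _, p := range as.policies {
		if contains(as.userGroups[user], p.UserGroup) && as.deviceGroups[device] == p.DeviceGroup {
			out = append(out, p.Scopes...)
		}
	}
	return out
}

// IssueToken grants the requested scopes if policy allows all of them and binds the token to the
// client's public key, so that presenting the token alone (as a bearer token) is not enough.
func (as *AuthServer) IssueToken(user, device string, requested []string, clientPub *ecdsa.PublicKey, ttl time.Duration) (*Token, error) {
	allowed := as.allowedScopes(user, device)
	for _, s := range requested {
		if !contains(allowed, s) {
			return nil, fmt.Errorf("policy denies %q for %s on %s", s, user, device)
		}
	}
	cnf, err := x509.MarshalPKIXPublicKey(clientPub)
	if err != nil {
		return nil, err
	}
	claims, _ := json.Marshal(Claims{Iss: "mbed-as", Aud: device, Scope: requested, Exp: time.Now().Add(ttl).Unix(), Cnf: cnf})
	h := sha256.Sum256(claims)
	sig, err := ecdsa.SignASN1(rand.Reader, as.key, h[:])
	if err != nil {
		return nil, err
	}
	return &Token{Claims: claims, Sig: sig}, nil
}

// Device holds only the AS public key (the trust anchor from its certificate): no network needed.
type Device struct {
	ID    string
	ASPub *ecdsa.PublicKey
}

// Authorize checks signature, audience, expiry, scope, and proof of possession
// (the client's signature over a nonce the device chose for this session).
func (d *Device) Authorize(t *Token, scope string, nonce, popSig []byte) error {
	h := sha256.Sum256(t.Claims)
	if !ecdsa.VerifyASN1(d.ASPub, h[:], t.Sig) {
		return errors.New("token signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(t.Claims, &c); err != nil {
		return err
	}
	if c.Aud != d.ID {
		return errors.New("token issued for a different device")
	}
	if time.Now().Unix() >= c.Exp {
		return errors.New("token expired")
	}
	if !contains(c.Scope, scope) {
		return fmt.Errorf("scope %q not granted", scope)
	}
	pubAny, err := x509.ParsePKIXPublicKey(c.Cnf)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	nh := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, nh[:], popSig) {
		return errors.New("proof of possession failed")
	}
	return nil
}

// ProvePossession is the client side of PoP: sign the device's nonce with the key bound in the token.
func ProvePossession(clientKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, clientKey, h[:])
}

func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewDemoAuthServer wires up constructed sample data: two technicians, one elevator, one policy.
func NewDemoAuthServer() *AuthServer {
	return &AuthServer{
		key:          NewKey(),
		userGroups:   map[string][]string{"alice": {"Senior Technicians"}, "bob": {"Junior Technicians"}},
		deviceGroups: map[string]string{"elevator-17": "Connected Elevators"},
		policies:     []Policy{{"Senior Technicians", "Connected Elevators", []string{"read-diagnostics", "write-config"}}},
	}
}

func main() {
	as := NewDemoAuthServer()
	elev := &Device{ID: "elevator-17", ASPub: &as.key.PublicKey} // provisioned trust anchor only
	tech := NewKey()                                            // the technician's app key
	tok, err := as.IssueToken("alice", "elevator-17", []string{"read-diagnostics", "write-config"}, &tech.PublicKey, time.Hour)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, 16)
	rand.Read(nonce)
	sig, _ := ProvePossession(tech, nonce)
	fmt.Println("alice write-config:", elev.Authorize(tok, "write-config", nonce, sig))
	_, err = as.IssueToken("bob", "elevator-17", []string{"write-config"}, &tech.PublicKey, time.Hour)
	fmt.Println("bob write-config:", err)
}
```

The order of checks in `Authorize` matters: the signature is verified before the claims are parsed, so an unsigned or tampered token is rejected before any of its content is trusted. Because the token names its audience, a token issued for one elevator is useless against another, and because the device demands a proof of possession, a copied token is useless without the technician's private key, which is the property that distinguishes PoP tokens from classic OAuth bearer tokens.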
We are really excited about this new feature of Mbed Cloud that extends policy-based authorization to devices outside the security perimeter of the organization.
Stay tuned for more news about how Mbed Cloud uses OAuth-ACE technology to improve operational security of IoT networks!