Passwords Aren’t Enough – Rethinking IoT Access with Public Key Cryptography

Carsten Gregersen
Illustration: © IoT For All

Strong security is business-critical in the Internet of Things (IoT) as devices increasingly enter our cars, transporters, aircraft and satellites. Unfortunately, high hacker activity and low device cybersecurity present ongoing causes for concern. Many devices today come with default and publicly disclosed passwords, while others lack even the most basic security. With 27 billion devices expected to be online by 2025, the industry requires trust more than ever. It’s for this reason that passwords are no longer enough. It’s time for the industry to embrace stronger encryption standards, like public key cryptography.

This status quo is true for even some of our most important devices. For example, a report released in January found that more than half (53 percent) of internet-connected medical devices contained a known vulnerability, while one-third of bedside devices were identified to have a critical risk. The report warns that if these medical devices were to be accessed by hackers, it would impact service availability, data confidentiality, and even patient safety.

What Is Public Key Cryptography?

Symmetric encryption uses the same shared secret key (password) to both encrypt and decrypt sensitive information. Public-key cryptography, or asymmetric encryption, instead uses mathematically linked public and private key pairs to encrypt and decrypt the sensitive data exchanged between senders and recipients. Since encryption is a basic building block of authentication, this matters not only for privacy but also for establishing user or device validity.

The public key cryptographic approach uses two distinct, yet related keys:

  • Public Key: Used for encryption
  • Private Key: Used for decryption

As implied in the name, the private key is intended to be private so that only the authenticated recipient can decrypt the message. This is another form of single-factor authentication, but one which renders brute force attacks infeasible.

The Case For Improved Encryption In IoT

One of the best features of this method is that the same public key can be shared with multiple devices or users without security concerns. As a result, the exchange of shared secrets (passwords) becomes unnecessary, and only public keys that are meant to be shared will be shared.
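As an added illustration (not code from the original article or from Nabto), the sketch below shows a service authenticating a device with a key pair instead of a password: the service stores only the device's public key and checks an Ed25519 signature over a one-time challenge, so for authentication the private key signs and the public key verifies. The device ID `sensor-01` and the `Verifier` and `Device` class names are assumptions made up for this example.

```javascript
const { generateKeyPairSync, randomBytes, sign: edSign, verify: edVerify } = require('crypto');

// Service side: stores public keys only, so there is no shared secret to steal.
class Verifier {
  constructor() {
    this.enrolled = new Map(); // device ID -> public key
    this.pending = new Map();  // device ID -> outstanding one-time challenge
  }
  enroll(id, publicKey) { this.enrolled.set(id, publicKey); }
  // Issues a fresh random nonce that the device must sign.
  challenge(id) {
    const nonce = randomBytes(32);
    this.pending.set(id, nonce);
    return nonce;
  }
  // Consumes the challenge, so a captured response cannot be replayed.
  verify(id, signature) {
    const publicKey = this.enrolled.get(id);
    const nonce = this.pending.get(id);
    this.pending.delete(id);
    if (!publicKey || !nonce) return false;
    return edVerify(null, Buffer.concat([Buffer.from(id), nonce]), publicKey, signature);
  }
}

// Device side: the key pair is generated on the device; the private key never leaves it.
class Device {
  constructor(id) {
    this.id = id;
    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
    this.publicKey = publicKey;
    this.privateKey = privateKey;
  }
  // Signs the device ID plus the service's challenge.
  respond(nonce) {
    return edSign(null, Buffer.concat([Buffer.from(this.id), nonce]), this.privateKey);
  }
}

function demo() {
  const service = new Verifier();
  const device = new Device('sensor-01'); // constructed device ID
  const rogue = new Device('sensor-01');  // claims the same ID but holds a different private key
  service.enroll(device.id, device.publicKey);
  const sig = device.respond(service.challenge(device.id));
  const fresh = service.verify(device.id, sig);    // true: signed the current challenge
  const replayed = service.verify(device.id, sig); // false: challenge already consumed
  const forged = service.verify(device.id, rogue.respond(service.challenge(device.id)));
  return { fresh, replayed, forged };
}
console.log(demo());
```

Nothing the service holds would let someone impersonate the device, which is the difference from a stored password or shared key.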

Much more than standalone passwords, public-key cryptography ensures core device security, personal privacy, and adherence to standards and critical maintenance.

As we enter a new era of IoT expansion and integration, these are benefits that must be seriously considered. Ensuring that IoT solutions and projects meet key trust elements is not only important for today’s threat landscape, but also for product and service lifecycle challenges that would otherwise inhibit future success. Public key cryptography is uniquely positioned to deliver on the necessary and critical security needs of IoT going forward.

The Potential of Public Key Cryptography: From Healthcare to Smart Homes

Stronger cybersecurity checks and balances are necessary if we are to depend on devices for increasingly important functions. Hacks have real consequences and, in healthcare, this is especially critical during the pandemic.

In December, the Department of Health in Maryland experienced a ransomware attack that reverberated for weeks. The attack left the department scrambling since it could not release COVID-19 case rates amid the Omicron surge, and the number of COVID-19 deaths was not reported in the state for almost all of December.

Healthcare has become the number one target for cybercriminals in recent years, primarily due to outdated systems and insufficient cybersecurity protocols. For example, more than 93 percent of healthcare organizations experienced some type of data breach between 2016 and 2019. Solutions like public-key cryptography will go a long way to stopping would-be healthcare hackers in their tracks.

And this is just one sector. As mentioned, connected devices are only growing across our society – from space exploration to smart homes – and users deserve confidence in their products. In this way, the industry must look to stronger protections and improved manufacturer standards, and the widespread adoption of strong, standards-based encryption holds the key.

Prioritizing Security

Highly regarded in internet security, public-key cryptography meets the specifications to accommodate the requirements of diverse IoT deployments. Therefore, this method is the best option for solution providers to secure data and connected devices in the all-important years to come.

For now, it is incumbent on users to implement strong security protocols with connected devices. Passwords alone are not enough to protect cheap products, and users would be foolish to think otherwise. Instead, they would do best to incorporate additional security layers and public cryptographic algorithms to bolster their security standing.

Carsten Gregersen - CEO and Founder, Nabto

Guest Writer
Guest writers are IoT experts and enthusiasts interested in sharing their insights with the IoT industry through IoT For All.