Connecting Securely to IoT Devices in Edge Environments
Created April 2022
Internet of Things (IoT) devices play a crucial role in the success of military and rescue operations. In the edge environments where field personnel work, however, connectivity is often limited, and devices can be targets for cyber attacks. To ensure field personnel can securely and quickly communicate with IoT devices, even in chaotic and uncertain terrains, the SEI developed new layers of security and functionality for IoT connectivity in the field.
Connections to IoT Devices Can Be Insecure and Unreliable
First responders, military personnel, medics, and others who work in the field often leverage IoT devices to perform critical tasks and improve mission outcomes. For example, cameras or temperature and motion sensors are useful for gathering information about difficult environments, such as a war zone or an area affected by a natural disaster. Often, the information provided by these devices can improve the speed and efficacy of rescue missions, and it can keep military personnel safe from danger.
Accessing the data from these devices, however, isn’t always easy or straightforward. IoT devices are limited in terms of storage and processing power compared to other devices, such as laptops or smart phones. As a result, these devices often don’t provide encryption or a way to safely store connections.
To make matters worse, the environments where field personnel work are teeming with unique challenges and threats. These environments often lack reliable connectivity to networks, and the devices themselves might be attacked or compromised by enemy actors.
A lack of trustworthy and reliable connections for IoT devices in edge environments can jeopardize military and rescue operations, and it puts the safety of personnel in the field at risk.
Collaborations That Extend the Reach of Our Work
To develop secure and reliable connections in edge environments, the SEI collaborated closely with Dr. Ludwig Seitz while he served as a Senior Researcher at RISE Research Institutes of Sweden (he is now an Infrastructure Security Analyst at Combitech AB). Dr. Seitz was the main author of the protocol developed by the Internet Engineering Task Force’s (IETF) Authentication and Authorization for Constrained Environments (ACE) working group.
The ACE standard served as the starting point for the SEI’s work because it addresses authentication and authorization issues in places with limited connectivity. Also, it was important for us to work specifically with IETF protocols. The IETF is an open and international community of volunteers that works to make the internet better for anyone that uses it. It enjoys far-reaching influence and has successfully developed widely adopted improvements for years.
Our collaboration with Dr. Seitz laid the groundwork for our understanding of ACE. It also led to the development of new versions of the standard, and we ultimately created extensions that added new functionality and security to ACE. That work formed the basis of this project. Currently, the SEI continues to work with the IETF to secure approval of its extensions for the ACE protocol.
During the development of this project, the SEI’s work also drew the attention of Marco Tiloca, Senior Researcher at the RISE Research Institutes of Sweden, who we collaborated with to formalize our work on token revocation in edge environments.
Security and Reliability for IoT Devices at the Edge
The main result of the SEI’s work to improve the security and reliability of IoT devices in edge environments is SEI-ACE, an open source implementation that the SEI has made freely available to the software community. If you want help implementing SEI-ACE with existing devices, or if you want to incorporate SEI-ACE into the development of a new device, you can reach out to us today!
SEI-ACE is mainly comprised of two key extensions we developed for the IETF’s ACE standard so it could be used in edge environments. While ACE addressed issues with limited communication, it did not take into consideration many of the special conditions of the environments where first responders or military personnel work, such as the threat of enemy combatants impersonating or otherwise compromising devices and their connections.
One way the SEI extended the ACE protocol was by defining a safe and secure way for users to set up trusted credentials to IoT devices in the field. Usually, because of resource limitations and security concerns, the process of setting up credentials for authorization and authentication on IoT devices is slow and customized for each situation and device. The SEI’s automated pairing procedure adds new layers of security to ensure connections are trustworthy, and to allow field personnel to pair IoT devices quickly and easily without having to go through a manual and time-intensive process.
The SEI also developed a way to deny connections to devices if there is a possibility that an enemy has compromised them. In edge environments, devices usually don’t maintain continuous connections to the systems that authorized them. That means that users are unable to regularly check with authorization and authentication systems to see if access permissions for IoT devices are still valid. The SEI’s work adds a needed level of security based on the revocation of permission tokens that helps prevent situations in which field personnel might access data that attackers have tampered with.
Engineering of Edge Software Systems: A Report from the November 2022 SEI Workshop on Software Systems at the Edge
June 30, 2023 White Paper
Based on a workshop with thought leaders in the field, this report identifies recommended areas of focus for engineering software systems at the...read
July 22, 2019 Article
This paper presents an implementation for authentication and authorization of IoT devices in disadvantaged environments, based on an IETF proposal...read