November 4, 2021

How do you speed up the onboarding of thousands or millions of IoT devices for quicker time to value?

Device onboarding is the process of installing secrets and configuration data into a device, so it can connect and interact securely with an IoT platform. An IoT platform could range from an application on a user’s computer, phone or tablet, to an enterprise server, to a cloud service spanning multiple geographic regions. The device owner uses the IoT platform to manage the device by patching security vulnerabilities, installing or updating software, retrieving sensor data, interacting with actuators, and more.

So, how long does it typically take to manually onboard a device (a gateway or a sensor) to a solution or a platform? From out-of-box to streaming data to an IoT platform, the estimate is 20 minutes per device! Hence manual onboarding does not work out well for IoT at scale. Also consider other friction points such as high costs, the need for additional resources, and untrusted installers.

How will organisations scale their IoT deployments, in terms of volume and velocity? Even the existing automated “Zero Touch” solutions on the market are proprietary, i.e. tied to a particular cloud service provider or silicon vendor, and hence limited in scope. The other challenge is that the device-to-cloud binding decision happens at the point of manufacture, so imagine the number of SKUs the manufacturer would have to carry in inventory, resulting in high customisation costs and a complex supply chain.

The FIDO Device Onboard (FDO) standard solves all these challenges by bringing simplicity, flexibility, and security to IoT device onboarding. The new protocol is expected to bring this balance between user convenience and security to the IoT industry, thus fostering secure IoT device deployment at scale.


To lead these efforts the FIDO Alliance has formed the IoT Technical Working Group (IoT TWG) and, using Intel SDO (Secure Device Onboard) as a base, developed use cases, target architectures and specifications covering:

  • IoT device attestation/authentication profiles to enable interoperability between service providers and IoT devices.
  • Automated onboarding, and binding of applications and/or users to IoT devices.
  • IoT device authentication and provisioning via smart routers and IoT hubs.

The specification was developed by leading cloud service providers, semiconductor companies and security companies. It works as follows: the IoT device maker installs the FDO software client along with a Root of Trust key, an ownership voucher and other FDO credentials. The user who buys the device sends the ownership voucher to their preferred cloud platform, and a rendezvous server receives the ownership voucher. When the device is powered on and connected, it identifies itself to the rendezvous server, which matches it to the cloud platform. The device then contacts the cloud platform and provides its Root of Trust key, and the cloud platform provides the ownership voucher, creating a secure, encrypted channel between the two; the necessary credentials or software agents can then be downloaded through that channel.
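The flow just described, as an added example that is not part of this post and not code from the FDO specification or the SDO project: a Go simulation of the three parties (device, rendezvous server, owner's platform) with the ownership voucher modelled as a signed chain of key transfers rooted at the manufacturer's key. The type and function names (OwnershipVoucher, Rendezvous, Onboard and the rest), the message layouts, the device GUID and the constructed keys, addresses and nonces are this example's own assumptions, not the FDO wire format; the real specification defines the voucher encoding and the owner-to-rendezvous, device-to-rendezvous and device-to-owner exchanges (TO0, TO1 and TO2) in detail. It also shows the late-binding idea from the feature list below: the manufacturer signs the device over to a distributor, who signs it over to the buyer only after the sale, so the device left the factory without knowing which platform it would bind to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// OwnershipVoucher ties one device (GUID plus the hash of its Root of Trust public key) to a
// chain of owners rooted at the manufacturer key. Simplified model, not the FDO wire format.
type OwnershipVoucher struct {
	GUID       string
	DevKeyHash [32]byte
	MfgPubKey  ed25519.PublicKey
	Owners     []ed25519.PublicKey // Owners[i] received the device from Owners[i-1] (or the maker)
	Sigs       [][]byte            // Sigs[i]: the previous holder's signature over link(Owners[i])
}

// link is the message each transfer signs: hash(voucher header) || new owner's key.
func (v *OwnershipVoucher) link(next ed25519.PublicKey) []byte {
	hdr := sha256.Sum256(append(append([]byte(v.GUID), v.DevKeyHash[:]...), v.MfgPubKey...))
	return append(hdr[:], next...)
}

// Extend appends a transfer signed by the current holder (manufacturer, distributor, ...).
func (v *OwnershipVoucher) Extend(holder ed25519.PrivateKey, next ed25519.PublicKey) {
	v.Owners, v.Sigs = append(v.Owners, next), append(v.Sigs, ed25519.Sign(holder, v.link(next)))
}

// FinalOwnerSigned verifies every transfer from the manufacturer on, then that the last key signed msg.
func (v *OwnershipVoucher) FinalOwnerSigned(msg, sig []byte) error {
	cur := v.MfgPubKey
	for i, next := range v.Owners {
		if !ed25519.Verify(cur, v.link(next), v.Sigs[i]) {
			return fmt.Errorf("voucher transfer %d has a bad signature", i)
		}
		cur = next
	}
	if !ed25519.Verify(cur, msg, sig) {
		return errors.New("not signed by the voucher's final owner")
	}
	return nil
}

// Rendezvous matches a device to its platform (TO0/TO1 in FDO terms); it stores addresses and key hashes only.
type Rendezvous struct {
	addr map[string]string
	dev  map[string][32]byte
}

// RegisterOwner: the buyer submits the voucher plus a signature over its platform address.
func (r *Rendezvous) RegisterOwner(v *OwnershipVoucher, addr string, sig []byte) error {
	if err := v.FinalOwnerSigned([]byte(addr), sig); err != nil {
		return err
	}
	r.addr[v.GUID], r.dev[v.GUID] = addr, v.DevKeyHash
	return nil
}

// LocateOwner: the device signs a challenge with its RoT key, which must hash to the registered value.
func (r *Rendezvous) LocateOwner(guid string, devPub ed25519.PublicKey, chal, sig []byte) (string, error) {
	if sha256.Sum256(devPub) != r.dev[guid] || !ed25519.Verify(devPub, chal, sig) {
		return "", errors.New("unknown GUID or device failed to prove its RoT key")
	}
	return r.addr[guid], nil
}

// DeviceAcceptOwner is the device's own check (TO2) before trusting the platform it was sent to.
func DeviceAcceptOwner(guid string, rootKey ed25519.PrivateKey, mfgPub ed25519.PublicKey, v *OwnershipVoucher, nonce, sig []byte) error {
	pub := rootKey.Public().(ed25519.PublicKey)
	if v.GUID != guid || v.DevKeyHash != sha256.Sum256(pub) || !v.MfgPubKey.Equal(mfgPub) {
		return errors.New("voucher is not for this device")
	}
	return v.FinalOwnerSigned(nonce, sig) // peer must hold the chain's final owner key
}

// Onboard runs the flow end to end with constructed parties and returns the platform address.
func Onboard() (string, error) {
	mfgPub, mfgPriv, _ := ed25519.GenerateKey(rand.Reader) // demo only: rand.Reader errors ignored
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // devPriv plays the device's RoT key
	distPub, distPriv, _ := ed25519.GenerateKey(rand.Reader)
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	v := &OwnershipVoucher{GUID: "dev-0001", DevKeyHash: sha256.Sum256(devPub), MfgPubKey: mfgPub}
	v.Extend(mfgPriv, distPub)   // manufacturer -> distributor; device ships from stock
	v.Extend(distPriv, ownerPub) // distributor -> buyer; binding decided after the sale
	rv, addr := &Rendezvous{map[string]string{}, map[string][32]byte{}}, "platform.example"
	if err := rv.RegisterOwner(v, addr, ed25519.Sign(ownerPriv, []byte(addr))); err != nil {
		return "", err
	}
	chal, nonce := []byte("rv-challenge"), []byte("device-nonce") // constructed; use fresh random nonces in practice
	located, err := rv.LocateOwner(v.GUID, devPub, chal, ed25519.Sign(devPriv, chal))
	if err == nil { // device verifies the voucher before trusting the platform it was pointed to
		err = DeviceAcceptOwner(v.GUID, devPriv, mfgPub, v, nonce, ed25519.Sign(ownerPriv, nonce))
	}
	return located, err // nil error: both sides authenticated, credentials can now be provisioned
}

func main() { fmt.Println(Onboard()) }
```

The two checks worth noticing are the ones a real deployment depends on: the rendezvous server only answers a device whose Root of Trust key hashes to the value in a registered voucher, and the device only accepts a platform that both appears in a voucher naming this exact device and can sign with the last key in that chain. A party that merely obtained a copy of the voucher, or that appended a transfer with a key that was not the current holder's, fails the second check.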

Main features of FIDO Device Onboard are:

  • Late binding – IoT device software and security customisation happens at the end of the supply chain instead of at the point of manufacture.
  • Flexibility – as many credentials, data and updates as needed.
  • The FIDO IoT protocol will address both trusted and untrusted installers.
  • FIDO Device Onboard can be deployed in multiple operating environments, including an MCU with a hardware root of trust, or an OS using keys securely stored in a TPM or a Secure Element.

FIDO Device Onboard provides numerous benefits:

  • Onboarding is fast (~1 minute) and more secure.
  • Zero touch onboarding – integrates readily with existing zero touch solutions.
  • Can greatly lower onboarding costs.
  • Late binding of device to cloud greatly reduces the number of SKUs vs. other zero touch offerings, resulting in one device SKU for “any” IoT platform.
  • Hardware flexibility – any hardware, from ARM MCUs to Intel® Xeon® processors.
  • Any cloud – Internet and on-premises.
  • Industry standard via FIDO Alliance – Open specification.

Use cases where FIDO IoT delivers maximum value

  • Industrial and enterprise devices such as gateways, servers, sensors, actuators, control systems, medical devices, etc.
  • Multi-ecosystem applications and services – not tied to specific cloud/platform framework.
  • Distributor sales – deliver from stock, specify binding info after sale to customer.

Having an industry onboarding specification with FIDO is a major step forward. However, mass deployment will require multiple companies in the supply chain (device manufacturers, semiconductor companies, cloud service providers, etc.) to create and deploy FDO-compliant software and associated tools. To jump-start this, the FIDO Alliance has made early versions of the FDO specification publicly available so that software development can take place within the open source community. The LF-Edge SDO project, with FDO 1.0 production code, is now available on GitHub.

Device Authority is part of the IoT TWG and will be one of the first security platform providers to support and integrate the FIDO Device Onboard (FDO) specification in our IoT security platform, KeyScaler.

Device Authority KeyScaler is the first device identity-centric IAM to address the complex end-to-end challenges of IoT security lifecycle management. KeyScaler supports the FDO standard within the platform, which allows devices to securely enrol themselves and be provisioned with the security assets needed to do their job. Current and future customers will be able to leverage FDO in their IoT projects.

Later this year, FIDO is planning to launch FDO certification, which covers functional certification / interoperability testing and security certification testing.

In summary, FIDO Device Onboard will enable businesses to replace the current manual onboarding process with an automated, cost-effective and highly secure industry solution, thus simplifying deployment of IoT at scale.

Find out more about FIDO Device Onboarding in this webcast with Intel from our Virtual IoT Security Summit.

WRITTEN BY
Amit Rao