Connecting Securely to IoT Devices in Edge Environments
Created April 2022
Internet of Things (IoT) devices play a crucial role in the success of military and rescue operations. In the edge environments where field personnel work, however, connectivity is often limited, and devices can be targets for cyber attacks. To ensure field personnel can securely and quickly communicate with IoT devices, even in chaotic and uncertain terrains, the SEI developed new layers of security and functionality for IoT connectivity in the field.
Connections to IoT Devices Can Be Insecure and Unreliable
Military personnel and other first responders, such as medics and those who work in the field, often leverage IoT devices to perform critical tasks and improve mission outcomes. For example, cameras or temperature and motion sensors are useful for gathering information in war zones and other difficult environments or in areas affected by natural disasters. Often, the information provided by these devices keeps military personnel safe from danger and improves the speed and efficacy of rescue missions.
Accessing the data from these devices, however, isn’t always easy or straightforward. IoT devices have far less storage and processing power than devices such as laptops or smartphones. As a result, these devices often don’t provide encryption or a way to store connections safely.
To make matters worse, the environments where warfighters and other critical personnel work are filled with unique challenges and threats. These environments often lack reliable connectivity to networks, and the devices themselves might be attacked or compromised by enemy actors.
A lack of trustworthy and reliable connections for IoT devices in such environments can jeopardize military and rescue operations, and it compromises the safety of personnel.

Collaborations That Extend the Reach of Our Work
To develop secure and reliable connections in edge environments, the SEI collaborated closely with Dr. Ludwig Seitz while he served as a Senior Researcher at RISE Research Institutes of Sweden (he is now an Infrastructure Security Analyst at Combitech AB). Dr. Seitz was the main author of the protocol developed by the Internet Engineering Task Force’s (IETF) Authentication and Authorization for Constrained Environments (ACE) working group.
The ACE standard served as the starting point for the SEI’s work because it addresses authentication and authorization issues in places with limited connectivity. Also, it was important for us to work specifically with IETF protocols. The IETF is an open and international community of volunteers that works to make the internet better for anyone that uses it. It enjoys far-reaching influence and has successfully developed widely adopted improvements for years.
Our collaboration with Dr. Seitz laid the groundwork for our understanding of ACE. It also led to the development of new versions of the standard, and we ultimately created extensions that added new functionality and security to ACE. That work formed the basis of this project. Currently, the SEI continues to work with the IETF to secure approval of its extensions for the ACE protocol.
During the development of this project, the SEI’s work also drew the attention of Marco Tiloca, Senior Researcher at the RISE Research Institutes of Sweden, with whom we collaborated to formalize our work on token revocation in edge environments.

Security and Reliability for IoT Devices at the Edge
To improve the security and reliability of IoT devices in edge environments, the SEI developed SEI-ACE, an open source implementation made up of two key extensions we developed for the IETF’s ACE standard. While ACE addressed issues with limited communication, it did not consider the special conditions of the environments where military personnel work, such as the threat of enemy combatants impersonating or otherwise compromising devices and their connections.
The SEI extended the ACE protocol by establishing a safe and secure way for warfighters to set up trusted credentials to IoT devices in the military theater and for first responders to do the same in disaster environments. Usually, because of resource limitations and security concerns, the process of setting up credentials for authorization and authentication on IoT devices is slow and customized for each situation and device. The SEI’s automated pairing procedure adds new layers of security to ensure connections are trustworthy, and to allow military personnel to pair IoT devices quickly and easily without having to go through a manual and time-intensive process.
The SEI also developed a way to deny connections to devices if there is a possibility that an enemy has compromised them. In edge environments, devices usually don’t maintain continuous connections to the systems that authorized them. That means that warfighters are unable to regularly check with authorization and authentication systems to see if access permissions for IoT devices are still valid. The SEI’s work adds a needed level of security based on the revocation of permission tokens. This security work helps prevent situations where military personnel might access data that malicious attackers may have manipulated to disrupt missions.
The SEI has made SEI-ACE freely available. If you want help implementing SEI-ACE with existing devices, or if you want to incorporate SEI-ACE into the development of a new device, you can reach out to us.

Software and Tools
SEI-ACE
SEI-ACE is an extension of the ACE Working Group proposal to support authentication and authorization of devices in disadvantaged environments.

Engineering of Edge Software Systems: A Report from the November 2022 SEI Workshop on Software Systems at the Edge
White Paper
Based on a workshop with thought leaders in the field, this report identifies recommended areas of focus for engineering software systems at the edge.

Authentication and Authorization for IoT Devices in Disadvantaged Environments
Article
This paper presents an implementation for authentication and authorization of IoT devices in disadvantaged environments, based on an IETF proposal (ACE).