How to Improve Trust in the Source and Content of Internet-of-Things Devices
While they have become increasingly prevalent in modern life, offering opportunities for efficiency, automation, and improved decision-making in various domains, the proliferation of IoT devices also raises important considerations related to security, privacy, data management, and interoperability.
The purpose of IoT devices is to gather information from the physical world and communicate it to other systems for analysis, monitoring, control, or automation—now, there are approximately 15.14 billion connected IoT devices, according to Transforma Insights, and that figure is expected to almost double to 29.42 billion by 2030.
Given that unrelenting wave of IoT devices and our increasing dependence on them, how do we enable greater trust in the source and content of data from these devices? Answering this question began over eight years ago when Internet and Identity architects determined that a re-architecture of the Internet protocol was necessary to maintain and create trust in the source and content of Internet transactions.
In this article, we’ll explore three game-changing components of that proposed restructuring of the internet—decentralized identifiers (DIDs), verifiable credentials (VCs), and governance—to create a better understanding of what will need to be implemented to keep IoT devices, and our increasing reliance on them, safe.
Society’s Established Dependence on Highly Sensitive IoT Devices
As we noted already, IoT devices are already incredibly enmeshed in society in many ways, including those in highly sensitive roles in various domains, such as:
Sector |
IoT Devices in Use |
---|---|
Healthcare |
|
Smart Home |
|
Industrial |
|
Smart City |
|
Military and Defense |
|
If increased trust was achieved, consider how much more confident you would be in the following transactions from a sample of IoT devices:
- “Ted is experiencing a stroke…”
- “The temperature of the nuclear core is above acceptable levels…”
- “The drone operating in this jurisdiction has not been successfully registered…”
- “The video you are watching originates from the White House…”
- “Perishable human tissue has maintained viable temperature ranges during transport…”
- “No one has tampered with chips installed on this astronaut’s spacesuit…”
As enmeshed as IoT devices are, their security characteristics are unfortunately limited due to their proprietary operating systems that use firmware embedded into chips on these devices.
What’s more, the advent of generative AI and advanced video technology not only challenges our ability to distinguish between deep fakes and real people but also muddles our reliance on the source of transactions emitting from any IoT device.
3 Components That Could Help Secure IoT Devices
But there is a potential solution.
According to Internet and Identity architects, global deployment of the following game-changing elements as part of a reimagined Internet protocol will help enable greater trust in data sources and content from IoT devices:
- Decentralized Identifiers (DIDs)
- Verifiable Credentials (VCs)
- Governance
1. Decentralized Identifiers
Designed to be globally unique, persistent, and cryptographically verifiable, DIDs represent a way to create and manage digital identities that are not tied to a centralized registry, certificate authority, or a specific intermediary like a tech company or bank.
Key features of this new type of identifier that can be used for truly verifiable digital identity include:
- Decentralization: As they’re intended to be created, owned, and controlled by the individual to whom the DID corresponds, DIDs are not controlled by any single organization or entity.
- Global Uniqueness: To prevent naming conflicts, DIDs are designed to be globally unique using a combination of cryptographic methods and blockchain technology.
- Cryptographic Verification: For a strong level of security and trust in online interactions, DIDs are paired with cryptographic keys, allowing the owner to prove ownership and control over their identity.
- Identity Control: Entities have full control over their own digital identities and can choose when and how to disclose information about themselves.
- Interoperability: Combined with a strong system of governance, DIDs are designed to work across various systems and platforms, making them suitable for use in a wide range of applications and services.
Given that potential to empower individuals with greater control over their personal information and who has access to it while also making digital interactions more secure and trustworthy, DIDs can be an important building block for creating a more secure and user-centric approach to digital identity—including for IoT devices.
Using DIDs in IoT devices offers several compelling, increasingly apparent benefits while also addressing important challenges that have arisen in the IoT space, including:
- Ownership and Control: DIDs give IoT device owners more control over their devices' identities and data. Device owners can create and manage their DIDs, reducing reliance on centralized authorities or third parties.
- Interoperability: DIDs are designed to work across various platforms and services, making it easier for IoT devices from different manufacturers to interoperate seamlessly, regardless of the underlying infrastructure.
- Verifiability: The cryptographic nature of DIDs allows for easy verification of the authenticity of IoT devices, helping to build trust and prevent unauthorized access.
- Tamper Resistance: DIDs can be used to create immutable records of device activity, making it difficult for malicious actors to alter device log files or data.
- Supply Chain Security: DIDs can be used to track the provenance and ownership of IoT devices throughout their lifecycle, helping to ensure that devices are genuine and have not been tampered with during production and distribution.
Despite this, DID adoption in the IoT space is still evolving—implementing them in IoT devices still requires careful consideration of the specific use case, the choice of decentralized identity systems, and the interoperability with existing IoT protocols and standards.
2. Verifiable Credentials
Designed to be both tamper-evident and cryptographically verifiable, VCs are a cryptographically verifiable container of claims that can include content such as qualifications, achievements, or personal attributes (such as age).
By providing a secure and standardized way for individuals or entities to encapsulate, present, and prove a claim or assertion in a digital format, VCs can not only enhance trust and security in online interactions but in IoT devices as well, which can use verifiable credentials in various ways in different ecosystems:
Use Case |
How VCs Could Help |
---|---|
Device Identity and Authentication |
If IoT devices were issued VCs, that could help prove each device’s authenticity and provenance, as VCs can be cryptographically signed by the manufacturer or an authorized entity. |
Secure Device Onboarding |
During the onboarding process of IoT devices, they could be asked to present their VCs to network gateways or platforms in order to gain access/ensure that they are connected to authorized networks or platforms. |
Data Provenance and Integrity |
IoT devices could issue VCs for the data they generate—including sensor readings and event logs—as the credentials could attest to the source of the data and its integrity, which would help in auditing and verifying its authenticity in a transparent and tamper-evident manner. |
Device Trustworthiness |
IoT devices could issue credentials that prove their trustworthiness in the form of security patches and firmware updates, as those VCs could be used by other devices or platforms to assess the security posture of IoT devices within the network. |
Access Control and Permissions |
IoT devices could use VCs when requesting and granting permissions to prove their authorization to access certain resources or services within an ecosystem. (e.g., a smart door lock could request a credential from an authorized smartphone before granting access) |
And though the World Wide Web Consortium (W3C) Verifiable Credentials Data Model and associated specifications provides a foundation for the implementation of VCs in IoT systems, implementation would still require careful consideration of:
- Security practices;
- Cryptography;
- Appropriate key management;
- Revocation mechanisms; and
- Standards compliance, to maintain the security and trustworthiness of the credentials.
3. Governance
While IoT manufacturers could implement a set of DIDs and VCs for their own purposes and a greater sense of security, the greatest accountability, reliability, and interoperability for these devices can be forged through enhanced governance. This wouldn’t mean anything brand new—after all, governance and standards programs drove worldwide adoption of IoT devices that use common standards such as USB, Bluetooth, and Wi-Fi.
In principle, a governance scheme for IoT device VCs would require deep knowledge of the pervasive risks, as well as a common set of requirements that participating manufacturers can prescribe—and then be held accountable to by independent auditors—for the greater good of the users and those that rely upon these devices.
The largest hurdle here would be developing industry-specific IoT identity standards to ensure the safety and integrity of these interconnected IoT devices, which would require critical input from the following industry stakeholders:
- Manufacturers
- Standards organizations
- Regulatory bodies
- Technology experts
Some more specific ways in which these stakeholders can get involved in the governance/ developing security standards for IoT devices include:
Industry Consortiums and Standards Bodies: |
In fact, some industry consortiums, standards organizations, and trade associations are already at work on IoT security standards and protocols, including: |
Regulatory Bodies: |
The U.S. National Institute of Standards and Technology (NIST) and the European Union's Cybersecurity Act have already published guidelines and regulations for IoT security, and the EU has also recently finalized the eIDAS 2.0 standard for the use of verifiable credentials and digital wallets for use in their jurisdiction. Still further legal and compliance requirements—including certification and labeling programs, privacy regulations, and security mandates—are on the table. |
Certification Programs: |
Industry stakeholders can develop certification programs that verify compliance with established security standards. Devices that meet those standards can earn certification marks, which will build trust among consumers and facilitate market access. |
Security by Design: |
Manufacturers should adopt a "security by design" approach and integrate security and data verification measures at every stage of IoT device development, from concept and design to production and deployment—that includes implementing:
|
Security Audits and Testing: |
Industry stakeholders can promote security audits, vulnerability assessments, and testing processes to identify and rectify security weaknesses in IoT devices or non-conformance to standards, as independent third-party security testing can help validate a device's security claims. |
Ultimately, governing security standards for IoT devices will require a multi-faceted approach involving collaboration, regulation, education, and ongoing vigilance. As the IoT landscape continues to evolve, industry stakeholders must adapt and improve security measures to address emerging threats and challenges.
Driving a Web of Trust
In conjunction with each other working against the specific risk IoT devices face, a standardized mix of all three of these components—DIDs, VCs, and governance—would likely create a “Web of Trust” that would complete the ultimate re-architecture of the Internet in a way that would even satisfy the original coiners of the term “Web 3.0.”
Still, while these elements of digital identity can be a valuable tool in addressing IoT source and data reliability, it's not a silver bullet—as technological advancements in creating deceptive content continue to evolve, we all must take a multi-layered approach that includes technology, education, awareness, and legal measures is necessary to combat this problem effectively.
In the meantime, should you have any related questions regarding digital identity and trust, contact us today to be connected with our technical experts who would be happy to work through these solutions with you.
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.