New standard to simplify IoT device onboarding

The Fido Alliance has developed a new open standard that will make it easier to connect internet-of-things (IoT) devices to cloud-based and on-premise device management platforms.

Called the Fido Device Onboard (FDO) protocol, the standard specifies a set of protocol interactions and message formats to facilitate device onboarding – the process of installing secrets and configuration data onto a device so that the device can connect and interact securely with an IoT platform.

An IoT platform is typically used by IoT device owners to plug security loopholes, install or update software and retrieve sensor data, among other tasks. The FDO protocol is an automatic onboarding mechanism, meaning that it is invoked autonomously and performs only limited, specific interactions with its environment to complete.

A unique feature of FDO is the ability for the device owner to select the IoT platform later in the device lifecycle. The secrets or configuration data may also be created or chosen at this late stage. This feature is called late binding.

Due to late binding, the device does not yet know the prospective IoT platform to which it must connect. For this reason, the IoT platform shares information about its network address with a “rendezvous server”. The device connects to one or more rendezvous servers until it determines how to connect to the prospective IoT platform. Then it connects to the IoT platform directly.

More importantly, the FDO takes an “untrusted installer” approach, which means those installing the device no longer need – or have access to – any sensitive infrastructure or access control information to connect a device to a network.

The Fido Alliance said the new standard – developed together with Intel, Amazon, Google, Microsoft, Qualcomm and Arm – will address the challenges of security, cost and complexity associated with large-scale IoT deployments.

“The FDO standard builds on the Alliance’s ongoing efforts to help close the security gaps that currently exist on the web, by expanding this work into IoT applications,” said Andrew Shikiar, executive director and chief marketing officer of the Fido Alliance.

“Businesses recognise the huge potential of the IoT and the enormous benefits it can bring to manufacturing, retail, healthcare, transportation, logistics and more. The paradigm needs to shift immediately so we can move IoT technologies ahead with safer, stronger and more secure means of authentication for these important uses in industrial and commercial environments.”

According to IDC, the global IoT market is expected to maintain a double-digit annual growth rate and surpass the $1tn mark in 2022.

Despite this projected growth, an IoT World and Omdia survey of IoT providers and enterprise users found that most businesses have serious concerns about breaches to their infrastructures.

Of the 170 IoT leaders surveyed, 85% said security was a major barrier to IoT adoption. Almost two-thirds (64%) of respondents said IoT security was their top short-term priority, surpassing edge compute (55%), artificial intelligence and machine learning (50%) and 5G deployments (28%).

IoT security was again cast into the spotlight when a series of critical memory allocation vulnerabilities in IoT and operational technology devices was uncovered by Microsoft’s IoT security research group recently.

The vulnerabilities, potentially affecting consumer and industrial IoT systems, could be used by threat actors to bypass security controls to execute malicious code or cause a system crash.

Christine Boles, vice-president at Intel’s industrial solutions division, said the new FDO standard will help reduce cost, save time and improve security, paving the way for the IoT industry to expand rapidly.

“Implementation of the FDO standard will enable businesses to truly take advantage of the full IoT opportunity by replacing the current manual onboarding process with an automated, highly secure industry solution,” she added.