IoT Security - Encryption
Monnit Encrypt-RF™ Security
Bank-Grade Security for Your “Internet of Things”
Monnit treats your sensor data in the “Internet of Things” (IoT) the same way your bank treats your money – not a single breach is tolerable – EVER – NOT ONCE! As part of the ALTA IoT Platform, Monnit integrates ECDH-256 (Elliptic curve Diffie–Hellman) public key exchange and AES-128 symmetric key encryption on all sensor data. The more battery-exhausting ECDH-256 key exchange is used during initial linking of devices, and the more battery-friendly AES-128 encryption is used for all subsequent RF data packets. This combination provides integrators the best of both worlds – bank-grade security and outstanding sensor battery life (ALTA sensors yield 10-year battery life when powered with 2 AA batteries or 1 industrial lithium battery).
Wireless sensor networks (WSNs) built on Monnit’s ALTA IoT Platform provide bank-grade security at every level.

  • Between Sensors & Gateways (ECDH-256 and AES-128 encryption)
  • Between Gateways & Servers (AES-128 encryption; in addition, the gateways are “Purpose-Built Devices” that do not have an OS (operating system) to hijack or add malicious programs to)
  • Between Servers & Browsers (TLS Encryption)

In a study conducted by the Ponemon Institute, 533 enterprise IT decision-makers were surveyed. 76% of the respondents believed their organizations were likely vulnerable to cyber-attacks executed through IoT (src: “The Internet of Things (IoT): A New Era of Third-Party Risk”). Monnit extinguished the threat of cyber-attacks within the architecture of the ALTA wireless IoT sensor platform.
We Ain’t Scared of No Botnets!
A large portion of the IoT headlines are focused on the DDoS (Distributed Denial of Service) attacks facilitated and propagated by botnets (botnet = a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge). Remote cameras have been one of the most commonly hijacked device types and are easy prey for IoT hackers, because they often run Linux operating systems that are not properly protected. ALTA sensors are not vulnerable to weak passwords or OS-related breaches. ALTA gateways run on a purpose-built real-time operating system without any external administrative access to the device.
Figure 1. Three Things You Should Learn from the Negative IoT Security Headlines
Encrypted RF Data Packets - Purpose-built Devices

ALTA IoT systems are protected by multiple layers of security and encryption.

Security between Sensors and Gateways
(ECDH-256 and AES-128 encryption)

Would-be hackers would have better luck finding a needle in a haystack than cracking ALTA encryption keys. Each individual ALTA device uses an embedded TRNG (True Random Number Generator) to achieve a high guarantee of statistical uniqueness for each ECDH key set. ECDH allows any two devices to create unique, link-specific keys between them. ALTA only uses one 256-bit key exchange for every sensor linked to a gateway. No other data is sent using the 256-bit keys. Therefore, would-be hackers only have a very small dataset in which to attempt brute force attacks. The ALTA platform provides infinitesimally small key exposure.
128-bit encryption is used for all subsequent RF data packets. This encryption method supports over 50,000 data messages before enough of a dataset is generated to enable brute force optimizations. At 10-minute data intervals, this equates to an entire year of dedicated observation before key exposure becomes slightly more likely (refer to “Birthday Attack” probability, P = 10^-18, then 10^-15 after one year; for the non-techies: the probability of someone finding the key goes from 1 quadrillion:1 to 1 trillion:1). A hacker would have to be physically present within range of the wireless sensor network for one year to get this low probability benefit – dedicated solely to cracking a single key for just one sensor – Ha!
To further mitigate the issues surrounding key exposure, integrators can use the ALTA platform to refresh keys once every year. To add to the futility of cracking one link-specific key, no shortcuts can be realized by the exposure of one device’s key. The same work it requires to crack one key will be required again to crack the next.
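The linking model described above, as an added example that is not Monnit's code or protocol: a gateway and two sensors each run one ECDH exchange and derive a separate AES-128 key per link. The P-256 curve, HKDF-SHA256 derivation, AES-GCM mode, counter nonce and all function names are assumptions chosen for illustration, since the page does not specify them.

```javascript
// Added illustration: P-256, HKDF-SHA256 and AES-128-GCM are assumptions,
// not Monnit's documented protocol.
const crypto = require('node:crypto');

// Each device generates its own ECDH key pair (Node draws from the OS CSPRNG).
function newDevice(name) {
  const ecdh = crypto.createECDH('prime256v1');
  ecdh.generateKeys();
  return { name, ecdh, publicKey: ecdh.getPublicKey() };
}

// One key exchange per link: shared secret -> 16-byte AES-128 link key.
function deriveLinkKey(self, peerPublicKey, linkId) {
  const secret = self.ecdh.computeSecret(peerPublicKey);
  const info = Buffer.from('link:' + linkId);
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), info, 16));
}

// Every later packet uses only the symmetric link key.
function sealPacket(key, counter, payload) {
  const nonce = Buffer.alloc(12);
  nonce.writeUInt32BE(counter, 8);    // nonce must never repeat under one key
  const c = crypto.createCipheriv('aes-128-gcm', key, nonce);
  const body = Buffer.concat([c.update(payload), c.final()]);
  return { nonce, body, tag: c.getAuthTag() };
}

function openPacket(key, pkt) {
  const d = crypto.createDecipheriv('aes-128-gcm', key, pkt.nonce);
  d.setAuthTag(pkt.tag);
  try { return Buffer.concat([d.update(pkt.body), d.final()]); }
  catch (e) { return null; }          // wrong key or tampered packet
}

// Constructed scenario: one gateway, two sensors, one sample reading.
function demo() {
  const gw = newDevice('gateway'), s1 = newDevice('sensor-1'), s2 = newDevice('sensor-2');
  const k1Sensor = deriveLinkKey(s1, gw.publicKey, 'sensor-1');
  const k1Gateway = deriveLinkKey(gw, s1.publicKey, 'sensor-1');
  const k2Gateway = deriveLinkKey(gw, s2.publicKey, 'sensor-2');
  const pkt = sealPacket(k1Sensor, 1, Buffer.from('temp=21.5C'));
  return {
    bothSidesAgree: k1Sensor.equals(k1Gateway),   // same key on both ends of link 1
    linksDiffer: !k1Gateway.equals(k2Gateway),    // link 2 key is unrelated
    gatewayReads: openPacket(k1Gateway, pkt).toString(),
    otherLinkReads: openPacket(k2Gateway, pkt),   // key from another link fails
  };
}
console.log(demo());
```

Plain ECDH does not authenticate the peer; how ALTA devices verify each other during linking is not described on this page, so the sketch leaves that step out.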

Security between Gateways and Servers
(ALTA Gateways have AES-128 Encryption and are “Purpose-Built Devices”)

Any device that runs on an operating system is vulnerable to attack. ALTA gateways are “purpose-built devices” that are built for a specific task and do not contain an operating system. Due to the absence of an OS (Linux, Embedded Windows, etc.), ALTA sensors are not vulnerable to weak passwords or OS-related breaches. The ALTA gateways run on real-time “C” code without any administrative access to the device.

Security between Servers and Browsers
(TLS Encryption)

An IoT system is only as strong as its weakest link, and communications between servers and browsers are every bit as critical to protect as the other layers in the WSN. ALTA IoT networks employ iMonnit software for interfacing between network administrators and sensor networks. The iMonnit interface is secured using TLS (Transport Layer Security) encryption. TLS is a protocol that provides privacy and data integrity between applications. It is used for web browsers and other applications that require data to be securely exchanged over a network. Keys are established using standard Diffie-Hellman key exchange.
Businesses should be aware of the threats that have corrupted IoT systems in the past. Hackers crashed the IoT stage with malware and botnets such as BASHLITE, Luabot, Mirai and Brickerbot. These attacks made headlines, but they were only able to exploit weak and unprotected systems. Integrators should take courage in the fact that their sensor data will always be safe and protected when measures of security and encryption are properly executed. Monnit engineered the ALTA IoT Platform with the dangers of hacking in mind. Every device, wireless link and user interface in the ALTA IoT Platform is protected by Monnit Encrypt-RF™ Security.