Application programming interfaces (APIs): we’d be lost without them. Simply put, they specify how applications can talk to one another. Every time you check the weather or a train time on your smartphone, you’re making use of APIs that enable your smartphone app to pull information from the weather bureau’s applications or the train operator’s train tracking and timetabling systems.
APIs are the glue of the IoT
The world of IoT is equally dependent on APIs. APIs help connect devices, products, facilities, assets and other objects with the applications that make use of the data they generate. Every one of the millions of devices in IoT would be useless if the data it produces could not be communicated to applications that are able to act on it.
Back in 2014, InfoWorld columnist Andrew Oliver wrote: “APIs are actually the glue and interesting part where the Internet of things starts to become useful and more than a buzzword,” adding: “Ultimately [IoT] is all about the data the APIs expose.” Trouble is, anything that exposes data is vulnerable to attack, and APIs are no exception. Because APIs are an integral part of IoT applications, securing them is essential to maintaining the overall security of an IoT network.
API-related Threats and Measures
In its TechRadar report, Internet of Things Security, 2017, Forrester Research predicts that API-related threats and vulnerabilities will drive interest and demand for API-based security measures.
“API security,” says Forrester, “will be essential for protecting the integrity of data transiting between edge devices and back-end systems to ensure that only authorized devices, developers, and apps are communicating with APIs as well as detecting potential threats and attacks against specific APIs.”
Forrester explains that IoT API security solutions will provide the ability to authenticate and authorize data movement between IoT devices, back-end systems, and applications using REST-based APIs.
“Hackers are increasingly targeting server-side APIs, which is forcing organizations to seek more-robust API protections and security.”
Is OAuth 2.0 the Answer?
To meet the challenges of securing APIs in the world of IoT, much hope is being placed in OAuth 2.0. It is being billed as “one of the most powerful open authorization solutions available to API developers today.”
OAuth 2.0 is commonly used to enable Internet users to grant websites or applications access to their information on other websites without revealing their passwords. It’s what enables you to share information about your Amazon, Google, Facebook or Twitter account with third party applications or websites.
OAuth 2.0 has been standardized by the Internet Engineering Task Force (IETF) and is published as RFC 6749. The IETF is now looking at specifying the use of OAuth 2.0 specifically for IoT applications, in its Authentication and Authorization in Constrained Environments working group.
This work is detailed in RFC 7744, Use Cases for Authentication and Authorization in Constrained Environments, published in January 2016. It details numerous use cases: container monitoring, home automation, personal health monitoring, building automation, smart metering and industrial control systems. In short, API security for IoT is a work in progress with promising prospects.
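As an added example (not from the original article or from any product it mentions), the sketch below shows the kind of check Forrester describes, using the OAuth 2.0 client credentials grant from RFC 6749 section 4.4: a device obtains a short-lived, scoped token, and the REST API rejects calls that are unauthenticated, expired or out of scope. The device name, secret, scopes, paths and both function names are constructed for illustration, and an in-memory dict stands in for the authorization server's token store.

```python
import hmac
import secrets
import time

# Constructed registry: device client_id -> (client_secret, scopes it may request).
CLIENTS = {"thermostat-01": ("s3cr3t-constructed", {"telemetry:write"})}
TOKENS = {}  # opaque access token -> (client_id, granted scopes, expiry time)

def token_endpoint(form, now=None):
    """Authorization server: client credentials grant (RFC 6749 section 4.4).

    Simplification: credentials arrive in the form body; RFC 6749 section 2.3.1
    prefers HTTP Basic authentication for the client.
    """
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    entry = CLIENTS.get(form.get("client_id"))
    supplied = form.get("client_secret", "").encode()
    # Constant-time comparison avoids leaking the secret through timing.
    if entry is None or not hmac.compare_digest(entry[0].encode(), supplied):
        return 401, {"error": "invalid_client"}
    requested = set(form.get("scope", "").split())
    # This example's policy: scope must be explicit and within the registration.
    if not requested or not requested <= entry[1]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (form["client_id"], requested, now + 300)
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": 300, "scope": " ".join(sorted(requested))}

def api_request(method, path, headers, required_scope, now=None):
    """Resource server: accept a REST call only with a live, in-scope token."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    record = TOKENS.get(token) if scheme == "Bearer" else None
    if record is None or now >= record[2]:
        return 401, {"error": "invalid_token"}       # RFC 6750 error code
    if required_scope not in record[1]:
        return 403, {"error": "insufficient_scope"}  # RFC 6750 error code
    return 200, {"accepted": f"{method} {path}", "client": record[0]}
```

A token issued for `telemetry:write` is accepted on the telemetry path and refused with 403 on an endpoint that requires a different scope, so a compromised sensor credential cannot be reused against unrelated APIs.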