IntroductionAround the globe, tens of thousands of new IoT devices will come online in the time it takes to read this article. But if there’s anything that’s going to hold back the future of IoT, it’ll be security. While consumers might tolerate the occasional data breach online, there will be no margin for error when it comes to life or death systems like those powering autonomous vehicles, traffic systems or even smart door locks.So where do developers start? With IoT, the critical components are less the “things” and more the data being collected and consumed by those things. The first step to protecting the data layer is verifying that the data being sent to and from an IoT device has not been manipulated or altered by another party.In this tutorial, we’ll apply this concept to two real-world scenarios involving a smart door lock:Building a cloud-connected smart door lock in a way that prevents it from being opened by the manufacturer or by anyone with access to the manufacturer’s cloud account.Preventing thefts of opportunity by preventing the manufacturer’s cloud backend from revealing which doors are open and closed.For the tutorial, we’ll use PubNub’s Data Stream Network for message delivery, Virgil Security’s open source SDK for data verification and Virgil’s key management service for securely exchanging keys for verification and end-to-end encryption.How can IoT devices be compromised and why does it matter?By their very nature, IoT devices can be very small, and common security mechanisms simply can’t fit on board. And unlike your smart phone, which you expect to update regularly, most people don’t expect to update their smart toaster or router. This is problematic from a security standpoint because it makes the device vulnerable from the get to, and also hard to update once vulnerabilities are discovered.Let’s look at how easy it is to trick an IoT device into accepting a command from an unauthorized party.As you know, almost every kind of electronic device will need a firmware update at some point. How will the device know that the firmware that just came down from the server is safe to run? By using the device manufacturer’s public key to verify who signed the package. This is standard practice for all installer packages and apps deployed from app stores.What if we tweaked the above use-case for a smart door lock that wants to verify if an OPEN command sent to it has actually been initiated by a user who’s allowed to open the door? It’s the same use-case, but a problem that isn’t widely solved in IoT products today for a variety of reasons including the financial costs of implementing previously available security technology and lack of consumer pressure. The end-result is a market full of insecure IoT devices – hackable pacemakers, smart cars that can be taken over, and millions of doors that can be opened by anybody who takes over the door lock manufacturer’s cloud account.As we see here in this illustration, without encryption or signing, it’s quite simple for an unauthorized party to read commands going to and from a door lock and even send commands or firmware.Typically we would be able to verify the identity of the sender by using the door lock’s public key, but in reality, IoT devices aren’t built with keys planted on the device. That’s what we’re changing, now that the technology exists. Keep reading and you’ll find how you can implement the same authenticity check for your IoT product that we use to verify firmware packages today.How does data verification work?When Alice wants to open her door, here’s how the lock determines that it’s Alice trying to get through, and not an intruder:Alice’s mobile app uses Alice’s unique, device-stored private key to sign the OPENDOOR command.The resulting Base64 string is then sent up to the door manufacturer’s cloud, which queues the command in a database.The WiFi-connected door lock de-queues the latest command from the manufacturer’s server and receives the command, signed by Alice.The lock verifies if the Base64 string has been really signed by Alice using her cloud-stored public key.If verification succeeds, the lock opens.In the illustration below, we see this in action.