Microsoft distinguished engineer Galen Hunt is on a mission. As managing director of the Microsoft group charged with connecting IoT devices securely to its cloud services, he believes everyone working in the field has “a shared responsibility that as we move to a fully IoT-connected world, those devices are secure”.
At the Design Automation Conference (DAC) in Las Vegas this week (June 3, 2019) Hunt gave a keynote on securing the IoT, the role he sees Microsoft Azure playing in that, and how Microsoft’s continuing experience of being a victim of hacking attempts has shaped its security strategy. “Name an attack: we’ve experienced it,” he said.
Initially enthusiastic about the way in which internet connections could improve services and device reliability, he says: “My second emotion was fear. If you connect a device to the internet it creates risk.” It opens up what Harvard associate professor James Mickens called “the cauldron of evil”.
If IoT devices get hacked, the consequences can extend beyond the manufacturer or service provider. The Mirai hack a few years ago demonstrated how millions of devices can be recruited into botnets that carry out further attacks such as distributed denial-of-service campaigns.
It was a learning experience for Microsoft. Much of what goes into Azure’s plan for IoT security, published as a document that outlines seven properties the team sees as essential, comes from the evolution of the Xbox connected gaming console. The year 2001 saw the launch of the first Xbox. “It was hacked for the very first time three weeks after we shipped it,” Hunt says. “We spent a lot of time and money building custom silicon for the next generation. It had six of the seven properties and some were weaker than we liked. It was hacked for the first time three months after it shipped. I guess we bought ourselves nine weeks.”
The third time around was different. “For Xbox One we took everything we knew. It has all seven properties. Five years on it has not been hacked yet,” Hunt says, stressing the word ‘yet’, as a hacker might find a path through the defences.
Hunt asks: “How do we secure the nine billion new devices made each year? I’m going to tell you it’s possible and the existence proof is Azure Sphere.”
The first output from the Azure Sphere program is a microcontroller fabbed for Microsoft by Mediatek, sold exclusively through the distributor Avnet Silica, and coupled to Linux-based software and a cloud service. However, Microsoft Azure has no plans to sell microcontroller silicon directly: its focus is to sell cloud services to OEMs who use the Sphere technology.
At the core of Azure Sphere is a hardware root-of-trust module called Pluton, based around an Arm Cortex-M4 processor core that runs the secure part of the Sphere operating system. In the Mediatek processor, this sits alongside a 500MHz Cortex-M7 applications processor and a pair of Cortex-M4 cores intended for real-time user tasks. They are connected using an on-chip bus network that is protected by a set of firewalls.
“The firewalls are endpoint filters on the bus. They are pretty low tech: ‘This endpoint is allowed to talk to this address’,” Hunt explains.
“From a hardware perspective, we’ve established a minimum bar, but a high bar compared to what most chips are doing now. Azure Sphere does significantly better than the seven properties. But there is lots of room above that,” Hunt claims.
The Mediatek-made SoC is just the start, Hunt hopes.
“We are looking to silicon partners to innovate around that. What will happen over time is that additional chips will be announced by other partners. I would pretty much like everything to be built on Azure Sphere or something even more secure. We want to enable them to bring as much as they can to the ecosystem. It’s why we open-source the kernel. They can innovate as rapidly as they want.”
Widespread licensing plan
To encourage microcontroller and SoC manufacturers to incorporate the Pluton engine, Microsoft offers it under a royalty-free licence and does not demand that it is used exclusively with Azure cloud services. The idea is that OEMs and SoC makers will just find it easier and simpler to have the devices connect to Azure when they need to authenticate themselves and obtain other cloud services.
“We believe we have best-of-breed services. But we recognize there are alternatives out there,” Hunt says. “I don’t care if you have Azure Sphere in them or not, just that you secure them.”