Laying the foundations of a more secure IoT
The Internet of Things will introduce billions of networked devices into our lives, bringing huge opportunities to understand and control our environments – and potentially huge threats if IoT security isn’t properly managed. The very network connectivity that is fundamental to the IoT’s promise is also the root of its vulnerability – a single poorly secured device at an edge node can open an entire network to attack.
While it may be inconvenient to find a hacker has compromised your connected thermostat and turned the household heating on in summer, in sectors such as the industrial Internet, public infrastructure, smart grids, automotive and healthcare, malicious hacks can have much more serious consequences.
So far, system design methodologies aren’t keeping up with the challenges of securing the IoT.
Many early IoT devices lack basic security features, such as secure boot, update, and provisioning protocols. Some security implementations are poor, especially for physical ports – it’s not unusual to boot a device and find that you can replace the bootstrap ROM using a TFTP protocol over Ethernet or through a JTAG port.
Some designs still use external Flash memory for unencrypted storage, which attackers can analyze for vulnerable code and credentials to exploit. There are still real-time Linux distributions being shipped with obsolete versions of critical libraries such as OpenSSL. Webserver device interfaces implemented using scripting languages are often vulnerable. And some designers even use cleartext communications for authentication protocols.
And then there are the legitimate backdoors installed for testing or manufacturing reasons that should have been turned off when the product shipped but weren’t, the default passwords that never got changed, and the continuing use of interface protocols that are vulnerable to buffer overflow attacks. These issues shouldn’t persist, but they do and it is up to designers to deal with them.
A more secure IoT will have to implement functions such as symmetric and asymmetric cryptography and hashing as basic building blocks for higher-level security features such as:
- Authentication, in which a secret key is used to show that data originated at a particular entity and that it is intact as it’s being received
- Identification, the ability to prove one’s identity by demonstrating the knowledge of a piece of secret data
- Signing, which uses the private key of a public/private key pair to encrypt a hash, so that if the hash is later decrypted it can be compared with the result of applying the same hashing function to the data. If the decrypted hash matches the hash produced from the data, the verification is successful.
These functions, in turn, should be used to design IoT devices that can provide good answers to the following questions:
- Is this the service I think it is?
- Is this user of my service legitimate?
- Is the firmware that is being delivered to me trustworthy?
- Does the firmware being delivered to me come from a known source that I trust?
- Is the execution environment for this code secure and unmodified?
- Is the code running as expected?
- Can I store and communicate data securely, in terms of both privacy and integrity?
If you can implement such devices, they can be used as the foundation for a more secure IoT designed to tackle architectural issues such as:
- Whether an IoT implementation is decentralized, robust, reliable, and continuously available
- Can it work around failures?
- Will it scale?
- Will it protect its users’ anonymity?
- Does it have, and can it sustain, enough control to protect itself from bad actors?
- Will it support revocation, so that compromised devices can be locked out of secure networks?
SoC design will be critical to implementing the cryptography functions, security features and network architectures needed to build a secure and robust IoT.
Take the apparently simple task of turning a device on and off. A secure IoT device needs to protect the code and data that it stores, even when it is off, to avoid misuse of stored credentials or embedded intellectual property.
As devices are powered up, they need to check that the operating environment they’re about to boot and the code and data they’re about to use has not been modified since it was last used.
Finally, at run time, IoT devices should monitor the integrity of the system to help protect themselves and the network from attacks. Effective implementation of these three steps creates a ‘trusted execution environment’, a reliable place in which to run the code that powers the IoT.
There’s no single way to design IoT devices and the network architectures that connect them – the attention paid to security will, as always, be informed by the value of what is being protected. But one common requirement is a ‘root of trust’ – something, often hardware, associated with each device that can be used to authenticate that it is the device that it claims to be. Once this function has been added to an IoT device, it can act as a foundation for other functions, such as protecting user and system data, authenticating communications, enabling truly secure field updates, and checking the authenticity of applications code.
As the IoT evolves, we’re likely to see more devices implementing hardware roots of trust. As the foundation of each IoT network solidifies, these devices will start participating in network monitoring, testing their own code integrity and examining the integrity of other devices nearby.
Market analysts expect that billions of devices will be linked together over networks and networks of networks over the next few years to create a true Internet of Things. Given the likelihood of unintended consequences of such a radical change in our lives, it makes sense that we do everything we can to secure these networks from the outset by building them on the firm foundations of hardware roots of trust and security-aware design strategies.
Mike Borza has more than 20 years of leadership experience in security system and safety critical system engineering. He was founder and CTO of Elliptic Technologies, recently acquired by Synopsys, and has been an active contributor to the security task group of IEEE 802.1. Borza was an editor of the 802.1 AR secure device identifier standard, is a founder member of the Purple Foundation and co-chair of its security engineering group, and chairs the EMBC IoT security benchmark working group.