IoT security considerations
The internet of things (IoT) is a very broad space covering many different sectors, however many of the security needs are similar. This article discusses some of the most important ones.
Secure boot and update
The first generation of IoT devices was relatively dumb. Devices were based on specialized hardware and used limited amounts of software.
However, the trend is very much towards reusing standardized hardware platforms and software stacks. This reuse has many positive impacts from time to market to computing power – but software reuse brings with it the risk that a vulnerability found in one platform can be exploited in another.
A key requirement we see again and again is for the secure over-the-air update of software – and the secure boot to ensure that only certified software can be downloaded or used.
This is a fundamental requirement of many industry standards, but is itself surprisingly complex to achieve at scale, especially if a failed update can “brick” a device and render it worthless.
A secure update is not just about cryptographic and clever software – it is about process and compliance. The Solar Winds attack demonstrated the result of illicit updates being pushed to [initially secure] devices.
Secure isolation and execution
Secure boot and update are a great first step – but if all software on the device runs at the same privilege, then any single vulnerability brings the whole house of cards down. This is not just about theoretical security – many industries require devices to be certified, and without appropriate isolation that means an expensive validation of every line of code, rather than just validation of the critical “trusted computing base”.
The Trusted Execution Environment (TEE) is a key technology here. It provides an isolated security-focused enclave, protected by the CPU hardware and secure boot. TEE Operating systems such as Trustonic Kinibi can be certified to a high degree and used for multiple security-focused applications.
Unsurprisingly, TEEs are required or recommended by many industry standards and provide the best means of protecting code, user data, and cryptographic keys without having to resource to specialise in additional hardware.
Zero trust (In Networks)
A common security buzzword is “zero trust”. What this is really about, is reducing trust in external networks beyond your control. For a manufacturer of a smart home appliance that could live on any home network, or even a sensor in a smart city, relying on the network being secure is increasingly an impossible dream.
To achieve zero trust you need to identify and secure communications between the endpoints (typically the IoT device itself and a cloud service). This relies on establishing identity. PKI infrastructure is a great tool for this and can be used to allow devices to recognize the services they need to communicate with.
However, the opposite problem is harder to solve. Whilst PKI can use “client certificates” to allow the cloud to identify the client, deploying and storing those certificates is extremely challenging, especially if the individual devices are not physically secure.
One common approach is to give every device the same secret key (a ‘class key’). This is straightforward operationally, but if (or rather when) a single device is hacked and the key is stolen, every single device becomes insecure. A more robust – but complex – solution is to give devices individual keys, and individual identities.
Trustonic has a lot of experience in this space – with over 2 billion keys/identities distributed in over 100 factories globally. This is not a one-size-fits-all problem, and we have solutions ranging from wafer-level key injection to OEM production lines to in-field re-keying after complete data loss.
Software IP protection
Once the boot, update, and network are secured, thoughts often turn to the intellectual properties in the devices themselves. Many IoT devices are extremely novel and contain significant software intellectual property. An audio codec, or a fitness tracker algorithm for distinguishing skipping from swimming are two examples of code IP that may be small, but that is extremely valuable. This places greater focus on protecting data and services.
To protect code against theft, it must be impossible for an attacker to read the protected code. It must be encrypted, and also the decryption keys and software to do the decryption must be equally protected, and so must the software to load and validate that decryption logic, and so on.
This is a complex technical puzzle and needs the cooperation of all players from the lowest level boot rom upwards.
Trustonic works together with Silicon Providers to provide such solutions, enabling strong IP protection even in traditionally challenging environments such as contract manufacturing.
Trust in hardware
It is easy to focus on trust and security from the perspective of the IoT device – but often it may be the device itself that is the weakest link. What if your device is replaced with a fake or a forgery? Will your cloud services still trust data coming from it? Will your customers blame you when it fails? Fakery is centuries old and is as prevalent in smart devices as dumb ones.
We have seen fake ‘high end’ mobile phones containing low-end components, and fitness trackers that purport to be from well-known brands, but that fail at the first hurdle. In both cases, it is often the entirely innocent brand holder who finds they have lost a potential customer for life.
Trust can be established through secure manufacture and crypto keys – much as for zero trust – but ‘legitimacy’ may be more nuanced, especially if devices may be recalled, refurbished, or resold. Is a second-hand pacemaker still considered ‘genuine, for example? This is a complex space, but our digital holograms solution can help to address this complexity.
Consumer trust is very fragile. It is often said that one accident caused by a self-driving car will gain a million headlines, but a million accidents prevented by that same car won’t get a mention. Brands and whole industries are recognizing this challenge and setting high demands for certification before their logos can appear on partner products, or their industry body will sanction the use of a new device.
One common approach is to specify a ‘protection profile’ defining the security characteristics needed for a given device or component, as well as a ‘functional profile’ defining what it must do. These profiles are written and maintained by individual companies or industry bodies, such as GlobalPlatform, and 3rd parties test devices for compliance.
For some industries this has been commonplace for many years – for others, this is a significant change. Trustonic has been involved in standards bodies since our inception and has significant experience both in certifying our TEE and in helping partners certify products using it.