
The Internet of Things (IoT), in essence, means connecting a large number of devices (Things) to the internet (Internet). This is highly useful, as it gives devices on the ground access to the cloud; however, it also exposes those devices to many threats and introduces more attack vectors wherever the devices are installed. As a result, security should always be part of any conversation about IoT.

What is Security?

Information Security follows the simple CIA triad for information - Confidentiality, Integrity and Availability. [1]

  • Confidentiality prevents people who aren't allowed to see the information from seeing it.
  • Integrity protects information from unauthorised modification.
  • Availability lets people who are allowed to see the information see it.

Insecure IoT devices violate at least one, if not all, of these design principles and leave the device and its data in the hands of nefarious attackers. Weak confidentiality leaks information, weak integrity creates data inconsistency, and weak availability reduces usability of the system.

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.” - Gene Spafford [2]

Gene's quote above captures the trade-off between security and usability very well. When designing a secure IoT system, the value of the data surrounding the system should be carefully assessed, e.g.:

  • How important is it that no one else sees your device's sensor data in transit?
  • How certain do you have to be that the data came from a particular device?
  • How resilient does the device have to be and what happens if it gets hijacked?

Are IoT Devices Secure?

Research suggests that only "1 in 10 IoT devices offer adequate security" [3] and that only "33% of organisations believe their IoT products are "highly resilient" against <...> security threats" [4]. It's not very comforting to hear that your internet-connected fish bowl could be your potential downfall.

Data in Transit

By design, IoT devices send and receive some form of data to and from the cloud. In security terms, this is information being exchanged over public network channels, e.g. Bluetooth, Wi-Fi, cellular networks. In the same way one wouldn't broadcast their credit card details over a public radio, sensitive data should be secured and protected.

Data at Rest

IoT devices often store configuration data on board that dictates how they interact with the outside world. This gives devices flexibility in their use cases, allowing users or developers to specify e.g. how frequently data is gathered, how the devices identify themselves on the system or even which system they are a part of.

If done well, the IoT device becomes a configurable tool for a larger system rather than a product. However, a skilled user can easily access and modify this data, which reduces trust in the system as a whole.

Device Identity

More secure devices use public/private key encryption, for which keys/certificates must be stored securely on board the device. These can be used to encrypt any outgoing messages and decrypt any incoming ones. If done well, this allows the device to maintain a strong identity, as only it should have access to its own private key.
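The device identity idea above as an added sketch (not code from the original article or from any vendor SDK): the device signs each reading with its private key and the backend checks it against the public key registered for that device ID. Ed25519 from Go's standard library stands in for whatever algorithm the device's secure element provides; the names Reading, Device, Sign and Accept, the device ID tank-01 and the replay counter are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Reading is one telemetry message; Counter rises with every message sent.
type Reading struct {
	DeviceID string
	Counter  uint64
	Payload  []byte
}

// Device is the backend's record: registered public key, last accepted counter.
type Device struct {
	Pub  ed25519.PublicKey
	Last uint64
}

// encode frames every field (ID is length-prefixed) so fields cannot blur together.
func encode(r Reading) []byte {
	return []byte(fmt.Sprintf("%d:%d:%s:%s", r.Counter, len(r.DeviceID), r.DeviceID, r.Payload))
}

// Sign runs on the device; on real hardware the key never leaves the secure chip.
func Sign(key ed25519.PrivateKey, r Reading) []byte {
	return ed25519.Sign(key, encode(r))
}

// Accept returns nil only for a fresh reading signed by the registered key.
func Accept(reg map[string]*Device, r Reading, sig []byte) error {
	d := reg[r.DeviceID]
	if d == nil || !ed25519.Verify(d.Pub, encode(r), sig) {
		return errors.New("not signed by the registered device key")
	}
	if r.Counter <= d.Last {
		return errors.New("stale counter: replayed reading")
	}
	d.Last = r.Counter
	return nil
}

func main() {
	pub, key, _ := ed25519.GenerateKey(nil) // constructed demo key; nil selects crypto/rand
	reg := map[string]*Device{"tank-01": {Pub: pub}}
	r := Reading{"tank-01", 1, []byte(`{"temp_c":24.5}`)} // constructed sample reading
	fmt.Println(Accept(reg, r, Sign(key, r)), Accept(reg, r, Sign(key, r)))
}
```

The first call is accepted and the identical second one is refused as a replay; a modified payload or a signature from any other key fails the first check without advancing the counter.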

How can I Secure them?

IoT devices generate, store and consume a wide range of information, all of which should be treated as sensitive. It's very tempting to forgo security in favour of faster time-to-market and lower cost; however, it's now easier than ever to use secure off-the-shelf components and get professional support for IoT projects.

Below are some pointers to help you get started with Secure IoT:

Software - Security Research

There are now more resources on IoT Security than ever before and keeping abreast is a task in itself. At Think Engineer we continually monitor the landscape and develop skills. We recently attended a local Secure IoT conference which I found immensely useful in expanding my understanding of the current IoT Security landscape as well as some of the best practices for securing IoT devices and their supporting cloud back-ends.

There are plenty of other Information Security conferences to attend as well that give more insight on the software aspect of IoT. Learning from case studies is critical in not repeating someone else's mistakes, and there are plenty of good ones, such as Mirai and Sality, to help you get started.

The IoT Security Foundation has also been the driving force in raising awareness for Secure IoT and providing the resources to make that possible. Their IoT Security Compliance Framework and other documents are instrumental in ensuring best practice in your projects.

Hardware - Secure Processors

Making a cloud system secure is only half the battle if devices on the ground are not. The vulnerabilities described above all stem from a single point - weak Roots of Trust. There are many chips that allow secure key and certificate storage, support hashing, implement encryption algorithms, can detect hardware attacks and allow secure boot, amongst many other features.

Here are a handful of popular options on the market:

Microchip

Microchip are one of the leading providers of microcontroller, analog, FPGA, connectivity and power management semiconductors. Amongst their security options, they offer the ATECC608A secure co-processor, designed to be used alongside a less secure processor. This co-processor features all of the secure functionality as described above.

An example that implements this is the AVR-IOT AC164160, which is a very small, low-power, and secure IoT development board. With its secure private key management built-in, the AVR-IOT sports native support for connecting up to the Google Cloud IoT Core.

The AVR-IOT is perfect for starting out prototyping with security built-in from the very start, and the secure co-processor is ideal for integrating into existing IoT systems to add (an additional layer of) security.

MULTOS

MULTOS is an open standard, whose development is overseen by the MULTOS Consortium - a body of companies which have an interest in its development. MULTOS have been historically known for their secure chips that can be used for payment, identity and mobile SIMs, widely used and trusted by banks, governments and mobile carriers. This technology is ideal for any project that involves smart cards, such as university campus cards or something like the Tesla Model 3 Keycard.

A key advantage with the MULTOS standard is the fact it features the EAL7 certification. The Evaluation Assurance Level (EAL) of a system is its grade in the Common Criteria security evaluation. While EAL1 concerns functional tests, and EAL2 concerns structural tests, any level above EAL4 requires formal verification using mathematical methods - EAL7 is the highest achievable level.

Recently, MULTOS released the IoT Trust Anchor offering for IoT applications, bringing its total security to IoT - perfect for mission-critical applications where security is of utmost importance. Unlike the Microchip ATECC608A, the MULTOS Trust Anchor can be used both as a co-processor as well as a stand-alone microcontroller.

Texas Instruments

Texas Instruments has a wide range of microcontroller options (MCUs) with built-in security. This makes choosing the right tool for the job much easier, as there's a variety of MCUs with different features (e.g. Wi-Fi, Sub-1GHz radio) that all feature strong device identity as well as cryptographic acceleration and software IP protection.

This amount of choice, coupled with TI's LaunchPad development kit options, makes secure prototyping a breeze.

STMicroelectronics

Last on the list, but certainly not least, is ST's very wide range of secure microcontrollers. From the hardware side, these feature a full range of contact and multi-protocol radio interfaces, which make them ideal for many applications.

The base ST33 offering is ideal for wearable and SIM applications and the higher-memory ST32 is designed for M2M / IoT / Automotive applications. The ST31 (EAL5+) is optimised for contactless performance, making it suitable for payment and identification. Lastly, the ST23 (EAL6+) is built for banking and e-government smartcard solutions.

Wrapup

Overall, security has been mentioned 49 times in this article and hopefully it gives you a better idea of where to get started. Security (50) can seem like a rabbit hole to go down sometimes, but it definitely has to be considered to avoid any fishtank incidents.

References

[1] - Perrin, Chad. "The CIA Triad". Tech Republic, June 30, 2008.

[2] - A. K. Dewdney. "Computer Recreations: Of Worms, Viruses and Core War". Scientific American, March 1989, p. 110.

[3] - Dave Neal. "Just one in 10 IoT devices offer adequate security, warns research". The INQUIRER, June 3, 2016.

[4] - Mike Turner. "How to secure the internet of things". Computer Weekly, June 2015.