The Internet of Things (IoT), and the task of securing it, follows the same pattern as the technical innovations that have come before it. If the creators of IoT products do not adequately address security, the consequences could impact the entire market and have a ripple effect for companies opting to design irresponsibly.
Given the growing prominence of the IoT, attackers will seek out and exploit vulnerabilities wherever they can. Despite the ever-present threats, companies and developers designing new IoT products often focus on the application itself at the expense of proper security. Security is often viewed as inconvenient because it increases cost and time needed to get to market.
Varying Degrees of Security
Keeping the IoT safe lies in how we view security. It’s not a simple question of whether to have security or not; security is not binary.
The capabilities of attackers are typically dynamic, and therefore, the security level will change over time. We know how fast security threats can change for an object. A device launched in 1998, for example, was once only vulnerable to nation-state attacks; today it must be able to withstand differential power analysis (DPA) attacks by hobbyists with inexpensive tools and lots of spare time.
The only reasonable way to counter future attack scenarios is for the security of the device to evolve and keep pace with the increased capabilities of adversaries. This requires IoT security with upgradable software.
Secure updates involve authenticating, integrity checking, and potentially encrypting the software for the device. The software handling such security updates is the bootloader, typically referred to as a secure bootloader. Along with its corresponding cryptographic keys, the secure bootloader constitutes the root-of-trust in the system and must have the highest level of security. IoT vendors should expect to receive secure bootloader functionality from IC manufacturers.
Authentication and integrity check should be implemented using asymmetric cryptography, with only public keys in the device. It’s not necessary to protect the device’s signature-checking key. Since protecting keys in deployed devices is harder than protecting keys in control of the device owner, it is acceptable to use the same bootloader keys for many devices.
Secure bootloaders are needed to ensure upgradability for IoT devices.
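The signature check described above, as an added example (not code from the article or from any vendor's bootloader): the device side holds only a public key and accepts an image only if its RSA PKCS#1 v1.5 / SHA-256 signature verifies. The key is a constructed, deliberately weak test key, and `vendor_sign`, `bootloader_accepts` and the sample image are names and data assumed for illustration.

```python
import hashlib

# SHA-256 DigestInfo prefix from PKCS#1 v1.5 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed TEST key: both primes are well-known Mersenne primes, so the
# modulus is trivially factorable and must never protect real firmware.
_P, _Q = 2**521 - 1, 2**607 - 1
PUB_N, PUB_E = _P * _Q, 65537                    # only key material on the device
_VENDOR_D = pow(PUB_E, -1, (_P - 1) * (_Q - 1))  # stays on the vendor's signing host
K = (PUB_N.bit_length() + 7) // 8                # modulus length in bytes


def _encode(image: bytes) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(image)."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def vendor_sign(image: bytes) -> bytes:
    """Vendor side: sign the image with the private exponent."""
    m = int.from_bytes(_encode(image), "big")
    return pow(m, _VENDOR_D, PUB_N).to_bytes(K, "big")


def bootloader_accepts(image: bytes, signature: bytes) -> bool:
    """Device side: authenticate and integrity-check with the public key only."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= PUB_N:
        return False
    recovered = pow(s, PUB_E, PUB_N).to_bytes(K, "big")
    # Compare with a freshly built encoding rather than parsing the padding;
    # lenient padding parsers are a classic source of signature forgeries.
    return recovered == _encode(image)


def demo() -> dict:
    image = b"FWv2:" + bytes(range(64))          # constructed firmware image
    sig = vendor_sign(image)
    flipped = sig[:-1] + bytes([sig[-1] ^ 1])    # one bit changed in the signature
    return {
        "genuine": bootloader_accepts(image, sig),
        "tampered_image": bootloader_accepts(image[:-1] + b"\x00", sig),
        "tampered_signature": bootloader_accepts(image, flipped),
        "truncated_signature": bootloader_accepts(image, sig[:-1]),
    }
```

Nothing in `bootloader_accepts` is secret, which is why the same verification key can be shared across many devices while the signing exponent stays with the vendor.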
Encrypting the Software
Encrypting software running on the IoT device has two benefits. First, it protects what vendors consider to be intellectual property (IP) from both competitors and counterfeiting. Second, encryption makes it more difficult for adversaries to analyse the software for vulnerabilities. Encrypting new software for secure boot involves secret keys in the device; however, protecting secret keys inside a device in the field is becoming increasingly hard. At the same time, newer devices have increased resistance to DPA attacks. Furthermore, a common countermeasure against DPA attacks is limiting the number of cryptographic operations that can take place, making it infeasible to collect enough data to leak the key. Even though protecting the key is difficult and motivated adversaries will likely extract it, key protection makes the attack more difficult.
Another consequence of secure updates is the future need for more memory in the IoT device. This is a complicated trade-off for several reasons. First, software tends to expand to the memory available in the device. A larger memory device requires discipline from the software team to leave room for future updates. The other complication is the value of free memory in the future versus the device’s initial cost. More memory tends to increase the cost of the device, which must be justified from both a device maker and consumer point of view.
Finally, it is important to have a plan for distributing security updates. For most devices, these updates use the device’s existing Internet connection. In some cases, this requires adding or using physical interfaces such as USB drives (i.e., sneakernet). It is also important to consider that the devices might be behind firewalls or in some cases disconnected from the Internet.
Securing the Future
There is no such thing as a 100 percent secure device, especially during the entire duration of a product’s lifecycle.
Yet it is possible to understand and prepare for the most likely threats, and to safeguard against future ones, by designing in the ability to update software. IoT developers must adopt this critical mindset of responsible security design. Otherwise, they are placing their innovations, and the IoT’s market potential, into the hands of adversaries.
About the author
Lars Lydersen has an extensive background as a security researcher and was a part of the team that broke into the “unbreakable” commercial quantum cryptographic systems. Currently, he has shifted his focus to classical embedded security systems and works as the Senior Director of Product Security at Silicon Labs in Oslo, Norway. Lars holds a Master of Science degree in electronics and a PhD in quantum cryptography from the Norwegian University of Science and Technology.
Lars Lydersen will be speaking about ‘Building Security into the Design of Billions of Cheap IoT Devices’ at the Keynote Stage at Infosecurity Europe on Wednesday 6th June, 12.35 – 13.10.