Any connected device can potentially become the target of attacks by nefarious parties; whether to steal personal data or intellectual property, obtain authorisation credentials for accessing connected servers or systems, or to corrupt its functionality.
All of these can be done covertly, for example as with the Stuxnet attack – which intended to sabotage uranium refining by subtly changing centrifuge speeds whilst falsifying instrument readings – or in more overt ways such as shutting down essential infrastructures or interfering with the controls of a connected car.
Take a smart city, for example; ideally a place designed to provide ultimate comfort and efficiency for citizens, Smart City deployments with neglected security can provide serious safety risks, including identity theft, ransomware attacks, and sabotaged infrastructure, such as power grids, water supply and traffic control.
Given the potentially high consequences of security breaches on IoT devices, it is startling to think that device security is often not a primary design goal of device makers.
In attempting to address these issues, governments around the world have introduced legislation focused on improving the security of IoT devices.
New regulations such as the California IoT law which came into effect on January 1, 2020 and EU regulation introduced in 2019 are now putting the onus back on the manufacturer to deliver secure devices to businesses and consumers.
Approaching device security
To meet the new regulatory requirements, it ultimately comes down to manufacturers putting security at the top of their agenda, taking a “secure by design” approach to the development of their devices.
“Secure by design” means security is treated as a primary design parameter in the development of a product. This means building security into products, starting in the design phase. Proper security starts at the chip level and extends all the way to field deployment and even end of life, using well-researched cryptographic building blocks, applying secure software development practices, and building security into your manufacturing process as early as possible.
This holistic approach means that the entire IoT ecosystem will become less vulnerable to malicious attackers – not just the individual device. It also means that it should be easier for those managing the systems to quickly detect any inconsistencies and threats before there is any opportunity to cause significant damage. The goal would be that once an attack is detected, the system should immediately be able to isolate infected devices to contain the attack, and fix the vulnerability by patching affected devices.
Looking at hardware
“Secure by design” devices must be developed to be individually identifiable and connected. This ensures that there is an auditable path between the device and the organisation. This is essential in order to trust the data received from IoT devices sufficiently to use it in critical business decision making processes. Making this happen should take place at the hardware level, ideally with a root of trust.
Having a hardware root of trust, containing a digital ID certificate or cryptographic identifier, enables an end-to-end trusted path. The root of trust acts as the foundation for many layers of security; from the detection of new devices being attached to a system and subsequent remote service provisioning, to patching and in the case of a compromise, the isolation or blocking of devices or groups of devices.
In end devices, the immutability of hardware – as opposed to software or firmware that are frequently updated and patched (and hacked!) – provides a firm basis for identifying the device, securing the boot process, validating firmware updates received across the network, and securely storing, encrypting and decrypting data using industry-standard cryptographic algorithms executed in dedicated accelerators.
How it can be achieved?
Hardware security can be implemented in a dedicated IC, also called a secure element, acting as a companion chip to the main processor. However, deploying a dedicated secure processor as part of the main CPU is a choice that an increasing number of security-conscious device makers are making.
This permits the primary CPU to be optimised for high performance, low power consumption, or other desired characteristics, while allowing secure processes to be run in the secure processor.
Hardware root of trust products, such as the CryptoManager Root of Trust, developed by Rambus, provide system designers a method of deploying secure processes and applications. They often contain a series of hardware engines coupled with a secure processor designed to provide services to the main processor, including secure boot and runtime integrity checking, remote authentication and device attestation.
The figure below demonstrates the CryptoManager Root of Trust. The hardware also typically performs key derivation, which enables key strengthening and improved secrecy.
Proper protection at the silicon level must also include anti-tamper mechanisms to block attacks such as bus probing, fault injection, and over-clocking. It can also incorporate logic and crypto redundancy, secure-state encoding, and ephemeral keys that are generated on the fly from multiple splits and flushed immediately after use. In addition, root of trust cores should feature an entropic array with a proprietary logic structure that provides robust protection against emulation and reverse engineering.
To ensure robust protection, the root of trust hardware depends on associated security services that must cover the complete device lifecycle. One of those associated security services is device provisioning and key management. Device provisioning involves the injection of secret keys or other device identification data into the device; ideally, this is done at the silicon level during the silicon manufacturing process. Incorporating a dedicated provisioning infrastructure as part of this establishes the trust chain at an early point in device manufacture.
Key Management Services enable the device maker to authenticate and attestate devices anywhere in the world. Through a secure connection, these services allow the device maker to monitor device status, “roll” cryptographic keys, provide disaster mitigation and recovery services, and even decommission devices, reducing the risk of devices being hijacked, copied, re-purposed, or disabled. Compromised or cloned devices can be quarantined and recovered. Protection against cloud-based threats such as DDoS, cross-site request forgeries and digital offensives against unprotected REST APIs should also be included.
Security and profitability
With the introduction of “secure by design” principles, we should start to see manufacturers moving away from neglecting device security. In the modern world of IoT, businesses and consumers are becoming increasingly aware of security pitfalls in products, so for a manufacturer to see profitable success, it will become essential that security is front and centre in device development.
Author details: Paul Karazuba is Senior Director, Product Marketing of Security, Rambus
