Securing IoT Devices
Authentication, Integrity, Confidentiality, Signatures, Cryptography
First lets qualify this post by acknowledging that security is a moving target and that motivated hackers with unbound resources will likely find new vulnerabilities: this should not deter us from implementing basic good practices, and even more advanced practices when the applications demands. A burglar is easily detered from the average property that has an obvious security alarm, but a determined burglar on a mission to breach a high value property with known riches inside will not be stopped by an alarm.
And so it is with IoT security: raising the bar has value, how high depends on the consequences of a breach.
Security is generally driven by the need to protect valuable digital assets and individual privacy. In the IoT applications many devices will interact with the physical world and the consequences of a security breach can cause physical damage and threaten lives. Here are a couple of examples to get you thinking responsibly about security and cyber-physical security:
Security is often considered a 'cost' of doing business but it does not need to be so: in a growing number of applications the quality of the data is important and 'trusted data' can command a premium. Here is one great example:
In this post we will discuss three areas to consider when designing an IoT device or system:
Whats different about IoT?
Cyber security is a $100 billion dollar industry that's focussed on protecting servers and client devices within a mature and homegenous ecosystem: windows, linux, Ios, intel, ARM, and a few others. Client devices are well resourced and protected by caring users, server farms are protected beneath layers of physical, electrical and software security, and dedicated teams monitor and manage security 24/7.
In contrast, IoT devices are generally light on resources, diverse in functionality and live at the edge of the network in unknown territory - perfect ingredients for digital chaos! Additional challenges with IoT security include:
- Often design to interact with unknown parties in the physical world
- No coherent IoT security standards
- Complex technology stack that spans hardware, firmware, software, cloudware
- Organizational responsibility not clear
- Not high on management's priority list
- Customers won't pay a premium for security
Fortunately many of the building blocks required to secure IoT devices and system are already well established and widely used across the internet, connecting servers, PC's and mobile devices. There is no need to 'invent' new technology; what's needed is an intelligent approach to applying the existing building blocks in ways that are appropriate to IoT devices and systems.
In this post we will review some of these building blocks and where they apply. More detailed reviews of each block will be available in related posts.
Trusted data is the currency of IoT
For the internet of things to work the data coming from the edge devices (the Things) must be 'trusted' all the way from sensor to subscriber.
Without trust the data is at best useless, perhaps misleading and in some cases can result in life-impacting consequences. Cloud applications, in particular Big Data and AI, depend upon trusted data.
Fundamental ingredients of trusted data are:
- Authenticity - data comes from a known (unique Identity) and authenticated (verified to match Identity) source.
- Integrity - data has not been changed and can be verified to be so.
- Confidentiality - data cannot be observed by an unauthorized party.
Let's explore these terms more detail.
Most data transactions between parties or devices assume that you know the data truly came from the presumed party or device. But how can you be sure?
The generally accepted solution comes in two parts:
Data that originates from an authenticated device, with the additional requirement of integrity, is sometimes referred to as 'authenticated data'. More on that in a moment.
Knowing that data has not been tampererd with is fundamental to most transactions ( yes there are a few where is does not really matter). If the data represents currency then integrity seems an obvious requirement. If that data represents air quality sensors, then integrity matters because it might negatively impact lives if an emergency response is compromised in a material way.
Confidentiality or privacy of data is not required by all applications - municipality transit data should be public for example - but keeping data confidential is important in matters ranging from an individual's privacy rights to a corporation's need to protect proprietary information. In each case the data must be protected from prying eyes using encryption techniques that extend from the publishing source - the IoT sensor or edge device- to the cloud and onwards to subscribers.
Using standard encryption algorithms is a simple and effective way to ensure privacy. See Cryptography section.
Digital signatures bring it all together
authentication + integrity + non repudiation
Digital signatures are an established part of today's internet communications. They are used widely (but not widely enough) to ensure that data blocks transmitted between parties have integrity and known provenance. Digital signatures are used in standards like OpenSSL and can be equally be applied to custom secure communication applications. Zymbit uses digital signing for intra-chip and intra-board communications as well as outbound connections to cloud services like AWS IoT.
A digital signature serves a similar purpose to a verified physical (hand written) signature; it authenticates the source. Additionally a digital signature confirms the integrity of the data, much like a physical seal on a confidential letter. Digital signatures are applied to block of data. When the digital signature has been verified the data is said to be authentic, or trusted, and the source of the data cannot be redutiated at a later date. Non-repudiation is important in many commercial applications where there is a transactional value, or consequence, associated with the data.
The detailed mechanics of digital signatures are complex and beyond the scope of this post, but for now its sufficient to understand that they are brilliantly elegant cryptographic functions that have been widely scrutinized, characterized, pressure tested and proved to be of value.
A digital signature can be applied to a timestamped block of data in the following way:
Cryptography is the practice and study of techniques for secure communication in the presence of third parties called adversaries. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation are central to modern cryptography. Source: Wikipedia
You don't need to be a cryptographer or mathematician to be able to use and benefit from modern encryption techniques. Thankfully the mechanics are made accessible through API's and higher level applications and standards enable practical solutions to be realized with only a basic understanding of the concepts. Here are some common terms that are useful to know:
If you are interested in how the different Ciphers compare, then this is a useful reference put out by NIST:
Protecting intellectual property
By the time your product gets to market you will have spent millions of dollars developing the software, firmware and algorithms (intellectual property, IP) that defines the unique functions and value of that product. Mobile phones are a great example: hardware costs are $500 per phone but the IP inside is worth hundreds of millions of dollars and its a high value target.
IP that has been breached often turns up in counterfeit products. These have an often have adverse economic impact on businesses and they introduce serious vulnerabilities into enterprise systems. In the industrial sectors there have been numerous examples of ‘black market’ spares and generic devices that have introduced back doors into large scale enterprise systems, so much so that the US Government has its own hotline for reporting such breaches. Deparment of Homeland Security - Industrial Control Systems Cyber Emergency Response Team
Protecting IP can be achieved with a variety of techniques including the use of binary-only operating code images, encryption and digital signing of images. Protection needs to be applied to images 'at rest' on the device and to image updates that come in 'over the wire'.
Example - Raspberry Pi security
Within the scope of this post it's not possible to provide a comprehensive commentary on all potential devices. So lets take a look at the specific case of Raspberry Pi which is a single board computer that's increasingly used in IoT applications.
Some known vulnerabilties are as follows:
- Removable SD card - an attacker with physical access to the Pi can easily read and copy software, data and credentials.
- No secure key store - keys are required to lock/unlock encrypted files, data services, passwords. Keys store on the removable SD card are easily exposed.
- No dedicated encryption engine - while the Pi can perform encryption in software, overall performance suffers as a result.
- No real-time clock - Pi relies upon NTP to establish time. Without a network connection 'time' is easily manipulated which introduces several security vulnerabilities.
- Susceptible to power cycling exploits - repeated power cycling of a Pi could place it into a vulnerable state. Pi does not have any power monitor to detect such tampering
Zymbit Security Module
Many of these vulnerabilities can be addressed with the addition of security module that's dedicated to the task of device security management. Zymbit makes one specifically designed for the Raspberry Pi - called Zymkey - that provides security management in a simple to use hardware module with software API.
Good security schemes will avoid single lines of defense and single points of failure. Specific strategies for IoT devices will depend upon the available resources within the device and the supporting ecosytem. Zymkey provides multiple layers of device security management including physical, hardware, software and communications.