By Caroline Hayes, Senior Editor
The traditional definition of the Internet of Things (IoT) is sensor and logic-based devices combinations. Now, there is a shift, says AMD’s Steve Kester, where advanced processing capabilities are being incorporated into embedded systems that go well-beyond that traditional model (medical devices, “smart” monitors and signs, home and business appliances, as well as distributed networking devices and dense servers are examples). With these new roles, security will become even more important. Caroline Hayes, Senior Editor, asked Steve Kester, Director of Government Relations, AMD [SK]; Shantnu Sharma, Director of Corporate Strategy, AMD [SS], Rich Rejmaniak, Senior Technical Marketing Engineering, Mentor Embedded Software division [RR], Rob Coombs, Security Marketing Director, Systems & Software, ARM [RC] and Ambuj Kumar, Senior Principal Engineer at Cryptography Research, a division of Rambus [AK].
How are the security risks in an MCU different to those in a connected IoT device?
[RR] The key to the need for security is the reality of the exposure resulting from connectivity itself. While any device can be compromised, non-connected devices require physical access to each and every unit, making security breaches uneconomical for pretty much all potential criminal activity. Note that security was never a problem for the Apple II or Windows 3.x machines. Even if you could gain access, it would only be for one machine at a time.
With the emergence of the IoT, these devices are finding themselves integrated into a communication mesh that provides for massive widespread access. Now the first question that a person would ask is: “What is the economic gain for someone hacking into my IoT to raise the temperature of my refrigerator?” The short answer appears to be; “None.” The truth is that someone who can shut down thousands of refrigerators can blackmail a power company, lest people flee from the option to allow the company to optimize power consumption across their grid.
Access to seemingly worthless data or mischievous control of minor devices can result in popular movement away from the potential business opportunities presented by the IoT. The fact that there young adults sitting in prison because they faked 911 calls to originate at the residences of random people, thereby cause the police to storm their home in the middle of the night, proves that anything that can be hacked will be hacked, even if there is no apparent economic gain.
[SS] Security risks in an MCU differ from—but in some cases may be similar to—security risks in a connected IoT device. In a broad perspective, security risks can be categorized as those related to connectivity, data access, and software.
At a hardware level, IoT devices have connectivity to any device around the world, whereas with an MCU the connectivity is limited to local components. Traditionally, MCUs have data access more along the lines of industrial or factory information; with IoT devices, the data access includes highly personal, end-consumer data. In a software sense, IoT devices are very similar to client/networking devices and are leveraging much of the same software found in traditional PCs.
[SK] The single biggest difference between security risks for MCUs and those for IoT devices are that an MCU’s threat vectors are often localized, whereas oT devices are more like that of a PC or other mobile devices: personal data can be compromised or damage can be inflicted even at a considerable distance from the actual device.
Of course, both have the potential to be exploited to produce considerable harm, which is why it is important to harden these technologies with effective security features.
[RC] An isolated microcontroller could be subject to physical attacks whereas a connected IoT device can also be attacked remotely. Software based remote attacks are more scalable and therefore security (and hardware based roots of trust) needs to be designed-in.
[AK] IoT devices have some very unique security characteristics. Their limited power budget and tight cost constraints greatly influence their architecture and design. The spectrum of IoT use cases is expansive, crossing many different operating environments. Use cases may include deeply embedded modules like the inside of an automotive or a device “in the wild” like a parking meter. The security profiles and requirements depend heavily on the use case, so a technique that works on one product may not be directly portable to another.
Further, IoT application development often has to navigate the challenges associated with a nascent field such as the lack of standardization, fragmented platforms, and a poor understanding of best practices.
The history of security has shown that the attacks and the defense have evolved together. As the architecture became more secure, attacks became more sophisticated and complex too. Today’s attackers have the resources and knowledge produced by their decades of work, meaning that a connected IoT device needs strong security that’s advanced enough to thwart advanced attacks.
What security features can be used to combat these risks in IoT devices?
[RR] The first line of defense is secure communication channels. Encryption and validation can be complex and compute-intensive operations. To be certain of their effectiveness they have to be extensively tested and exercised over a large applied base. This is difficult to do properly at the application level, and it can’t be an option that a vendor will add after getting past the crunch of bringing a product to market. Security must be, and indeed is, built into the protocols and standards in modern IoT proposals. To be successfully implemented, these scrutiny measures must be inherent in the platform execution environment.
[SS] To combat security risks in IoT devices, a combination of network hardening, device hardening, and consumer education/behaviour modification should all be implemented. Advances in the network to which IoT devices will connect are being actively considered by a number of industry players, while device manufacturers are aware that devices will have to be more secure than they are today—for example, appliances and automobile industries will have to account for potential breaches which could impact human life, while end users will have to make educated judgment calls regarding how much personal data they are comfortable sharing. Overall, IoT security is very much a shared responsibility for both producers and users.
[SK] Our view of security for the IoT is that it is a shared responsibility and every element of the IT ecosystem, including users, to address security issues and protect sensitive data and devices.
As cyber security challenges continue to evolve, we can’t point to others to solve the problem. We must take a collaborative approach to secure cyber space.
[RC] Most IoT devices have hardware roots of trust and crypto accelerators to provide the basis of strong authentication and confidentiality (e.g. Transport Layer Security). In addition, one-time-password memory can be useful for keys and “fuses”. If the device is loading third party applications an ARM® TrustZone® based Trusted Execution Environment (TEE) can provide useful protection against software attack and non-invasive hardware attacks to code, data and peripherals.
Some devices will need to offer tamper resistant storage for crypto keys or running attestation and this may be implemented using a secure element. If the device is using a smaller microcontroller with a memory protection unit that can be used to provide some isolation between application code and system or trusted boot code.
[AK] Security cannot be an afterthought. An IoT device needs a solid security foundation to proactively defend itself. A hardware root of trust provides such a foundation, as a properly designed security architecture provides protection against existing, as well as future attacks. This hardware root of trust ensures that device secrets are safe and secure even when an attacker gets control over the software.
Important considerations for IoT security have traditionally included end-to-end encryption, secure key management, strong authentication, side channel resistance, etc. However, today’s device also needs a security infrastructure to secure the device throughout its entire lifecycle, spanning from its earliest form as a little piece of a silicon wafer to a finished product in the field.
What are the best tools to design effective security features in an IoT system? And how are they used?
[RR] For communication security, inherently using SLL at either the socket level itself, or through HTTPS layers, is highly effective at securing access to a device. However this security must be inherent in all communications and cannot be applied to a subset of connections. In addition, using supervised execution through a Hypervisor, memory isolation, or other partitioning allows internal isolation of processes to prevent cross access of data. Such a case would be the separation of credit card processing code modules and data from that of user interface and motor control in a vending machine.
[SK] AMD believes that the strongest security features begin at the processor level – the bedrock of computing – where they can complement and enhance other hardware and software-based security features in a highly-secure manner. The best tools to design effective security features are those based on open standards, such as those AMD uses in our partnership with ARM and their TrustZone technology. This is one reason why AMD is creating a new generation of secure computing capabilities for digital content, data, e-commerce and trusted client-to-cloud interactions. The AMD Platform Security Processor (PSP) is built upon ARM TrustZone technology and architected to protect against malicious access to sensitive data and operations at the hardware level. This architecture is based on open standards and interoperable APIs, and is available now in products from AMD. These products can be then used to build Internet-connected medical devices, commercial kiosks, smart screens, and a host of other IoT products with hardware-based security.
[AK] A system is only as secure as the weakest link. Thus, it’s imperative to start with a strong security foundation and build the system around it. Essentially, it all starts from hardware, where a security IP can be directly combined with a system-on-chip to build a secure system for IoT.
Ambuj Kumar Rambus
In the case of Cryptography Research, we use industry-standard tools and processes for design. Our designs use mostly standard-cell logic, relying on very few external analog blocks to keep our core portable. Our scalable architecture allows customers to make informed decisions about the security needs, performance and area. A standard cell-based IP that needs minimal external macros is lot easier to integrate. Often times, the only analog block required for our IPs is OTP to store private keys.
Once a chip is designed that includes security hardware, its system architecture can be built upon securely. The security hardware thus may enable a private, persistent and authenticated channel over an insecure and public network. The device coupled with security infrastructure can enable remote authentication and audit.
A security infrastructure may provision device specific assets (keys, credentials, profiles, etc.), thus making developing secure system software a lot easier.
How does the ARM Connected Community ecosystem enhance or drive the integration of security features?
[RR] The single largest advantage that ARM has at this time is the unparalleled depth and breadth of its ecosystem. There is no more effective method of securing hardware and software then to have it exercised, attacked, and defended across an enormous installed base. Every aspect of ARM devices, from encryption facilities to the ARM Trust Zone®, has been extensively tested in real world situations. At the current time, the critical mass of the ARM environment is only increasing in size.
[SS] The ARM Connected Community ecosystem enhances and drives the integration of security features through collaboration across a very broad spectrum of industries. From traditional PCs to smartphones, from industrial and embedded controls to entertainment content delivery enablement, the ARM Connected Community leverages an open-standards approach in a collaborative online environment to connect new ARM partners and developers with established players for innovation in areas such as SOC innovation, OS and programming models, and consumer use cases. Benefits of this open-standards approach includes greater interoperability, improved efficiency, more resiliency, and avoiding the potential for being locked-in to a particular proprietary technology or vendor.
[RC] There are hundreds of silicon partners and thousands of Connected Community partners offering solutions to the market. IoT is a diverse market where one size does not fit all, and the ARM ecosystem provides solutions for every conceivable use case from wearables to smart meters.
[AK] ARM has helped highlight the need for security through its TrustZone initiative, and bringing the issue of device security to the forefront of new technologies—including the connected device ecosystem—is imperative to creating a secure landscape. While CRI’s security IPs are designed to provide maximum security by themselves, they can be combined with the TrustZone to be more effective.