Best practices for protecting IoT devices
By Philip Attfield, CEO, Sequitur LabsElectronics IoT Cybersecurity Editor Pick IoT security
More effective security solutions for corporate IP at the Edge
Over the last several years, humanity seen significant technological innovation across nearly every business sector, including retail, manufacturing, consumer products, healthcare and more. The adoption and integration of digital technologies into products at every level has become pervasive, with interconnectivity speeding the rise of IoT (Internet of Things). Practically every modern device we use today is now connected, allowing greater automation, control and analytics-based insights. The growth of this new area in device and computing interconnectivity is not only calling for better network and internet infrastructure, but also stronger and more effective security solutions.
The primary object of attention and protection is the intellectual property in the form of Trusted Applications (TAs) that include artificial intelligence (AI) and machine learning (ML) algorithms at the edge. While the communication and management of devices from a single place has become possible, this has made it possible for IoT device vulnerabilities to be exploited – causing enormous damages to businesses worldwide as these TAs are stolen. To confront this challenge, security-enabled IoT platforms are leading the way to counter this threat, providing the means to securely interface with and control a wide range of sensitive connected devices and systems such as home/business video camera and alarm systems, healthcare devices, as well as industrial systems that require secure supervisory control and data acquisition (SCADA) environments such as utility switching and operations.
Many IoT products incorporate artificial intelligence (AI) or machine learning (ML) to conduct complicated tasks that require some level of intelligent functionality with access to sensitive code or data sets, allowing some level of decision making without pre-orchestrated programming. The algorithms and models that deliver this functionality represent critical intellectual property (IP), and create significant value for the products and their vendors. While there are a vast number of potential IoT security threats designed by hackers for any number of reasons, not the least of which is financial gain, manufacturers and integrators remain focused on their search for best in class security strategies and products for locking down their products as these algorithms and models simply cannot be compromised. Such theft of the organization’s intellectual property can create long-term damage to a company’s revenue and brand and must be protected.
IoT security attacks
There are countless examples of IoT security attacks and their impacts on some of the most well-known brands in the world. In a case that occurred in March of 2020, criminal hackers cracked the Xbox Series X graphics code and AMD’s future computer GPU’s data and leaked the information on the Internet. According to one report, “AMD has been having a particularly rough few months, apparently. The chip designer revealed that a hacker stole test files for a “subset” of current and upcoming graphics hardware, some of which had been posted online before they were taken down. While AMD was shy on details, the claimed intruder told TorrentFreak that the material included source code for Navi 10 (think Radeon RX 5700 series), the future Navi 21 and the Arden GPU inside the Xbox Series X.”
A best practice for securing system applications is to move these trusted applications and housing them in a secure area with restricted access. One example involves using ARM TrustZone architecture, where a system-on-chip’s (SOC) memory can be partitioned into a rich (non-secure) environment and a secure environment. The rich environment is larger in memory size—typically hundreds of Megabytes—and houses known (public) software, such as Linux kernels and open source supporting applications (e.g., OpenSSL). The secure environment has a small memory size—less than a Megabyte—and houses a Trusted Execution Environment (TEE) secure operating system. Applications that need to be protected are included here along with applications that support the securing process (e.g., key / certificate management and secure data storage). These are known as Trusted Applications (or TAs).
Linux kernel is suspended on one of the SoC’s cores
In such an architecture, the secure application process works by allowing the IoT device’s application, running in the rich (non-secure) environment, to make a request to the Linux kernel to access the secure environment. The Linux kernel is suspended on one of the SoC’s cores, giving access to the TEE; The TEE then resumes from suspension and invokes the requested TA. The TEE then accesses the non-secure memory (RAM) and acquires data through the shared memory between the two environments. A layer of trusted applications can also reinforce security to further harden the environment, including:
- Cryptographic Trusted Applications: The deployment encryption and hashing algorithms
- Certificate Management for Trusted Applications: for managing credentials
- Secure Storage Trusted Applications: for storing critical data in the Secure Environment
- TLS Trusted Applications: secure sockets for communication with external servers
“Major factors driving the growth of the IoT security market are the increasing number of ransomware attacks on IoT devices across the globe, growing IoT security regulations, and rising security concerns over critical infrastructures,” noted analysts at Research and Markets in a recent report titled Global Internet of Things (IoT) Security Market Forecast to Grow to USD 36.6 Billion by 2025. “New variants of IoT threats, lack of awareness, costly IoT security solutions, and budget constraints may limit the market growth.”
While the industry is becoming increasingly burdened by the growing number of threats, manufacturers and integrators are aware and incorporating next generation security into their products and solutions. This is the right move as it both enhances security and speeds time to market. These solutions bring IP protection to the edge while streamlining the design of manufacturing processes for a new era of solutions and devices that are connected and secure.
Philip Attfield is CEO of Sequitur Labs Inc. He brings a strong background in computing, networking, security and systems modeling. Attfield has more than 20-years of industry experience in large enterprises and small entrepreneurial firms. https://www.sequiturlabs.com/