by Marc Vauclair, Senior Security System Architect, NXP Semiconductors
The IoT (Internet of Things) devices we use in our homes, cars, mobile communication devices, and payment systems are also becoming increasingly accessible across healthcare and industrial domains. These billions of connected devices (some forecast 75 billion IoT devices by 2025) will be a prime target for hackers. That’s why we must work hard to make it not only an Internet of Things but a safe and secure Internet of Trust.
Recent well-known attacks, including Mirai, Meltdown/Spectre, ROCA, Heartbleed, and Rowhammer, undermine confidence in the future of the IoT. The potential impact of those attacks is financial and also life-threatening, because IoT devices are not only sensing the environment but also acting physically in it. For example, an IoT device can act on a patient's insulin pump based on a measurement of the sugar concentration from yet another IoT device: a glucometer.
Those billions of connected devices represent a tough challenge to ensure trusted security, safety, and privacy. These devices are equipped with sensors and actuators: they act on the real physical world. For example, a “smart” implanted insulin pump is an IoT device that can, within certain predetermined limits, autonomously make the decision to inject insulin into the body of a patient when certain conditions are met; in other circumstances, the request to inject insulin could come from monitors elsewhere in the IoT network. If hackers succeed in endangering the proper function of these pumps, it becomes life-threatening. Security must ensure that hackers do not succeed in their malevolent plans. Safety ensures that, whether they succeed or not, no malfunction results in a life-threatening situation. Privacy ensures that the zettabytes of data handled by these billions of devices are not publicly accessible to anyone and everyone.
Another example is the future autonomous vehicle: if hackers succeed in remotely taking control of the drive-by-wire functionality, they would be able to change the driving direction of vehicles at inopportune moments. The actions of those devices are semi-autonomous. After registration, configuration, and initialization, they do their job with as few interactions as possible with the end-users. It is part of the ease-of-use experience of those smart IoT devices.
Both the data sensed by the devices and the decisions derived from the data must be trustworthy. This must be true through the entire lifespan of the device. This lifespan is unpredictable. Some IoT devices will be used for more than ten years. Hacking techniques are improving with time, and new attacks are unearthed every day. The attacks now cover the four quadrants of the “local” versus “remote” and “logical” versus “physical” matrix of attack families.
Local attacks are performed by gaining physical access to a device, while remote attacks are performed by sending commands remotely over network connections. Knowledge gained from performing a local attack may lead to mounting future remote attacks. Although developing a remote attack may require significant expertise, it may be possible to automate the attack and have it executed by unsophisticated adversaries on a large scale. This implies that remote attacks are scalable.
Remote attacks have the potential to be initiated from one device and impact millions of target devices in a short time. Logical attacks on devices, internet services, or organizations occur by exploiting weaknesses in the implementation, which are mainly in the software. They are performed by accessing standard interfaces, both wired and wireless. They can be automated and, once known, do not require much expertise to be mounted on a large scale.
Physical attacks hack devices by exploiting known, or learned, physical characteristics during device operation and breaking a critical piece of security (for example, a cryptographic key). Remote physical attacks, implemented in software, such as Rowhammer, Meltdown/Spectre, cache attacks, and power domain controller remote attacks, have emerged in the past few years.
This means that devices designed today should already be able to withstand still-unknown attacks more than ten years from now. This is a difficult exercise. It implies that all those devices must include capabilities to perform secure authenticated updates during their lifespan.
A path to the safe and secure Internet of Trust
Strong principles must be applied to move from the Internet of Things to a safe and secure Internet of Trust: “security by design,” “safety by design,” and “privacy by design,” all harmoniously combined to achieve this ultimate goal of the Internet of Trust.
“Security by design” means security is a system property anchored in all features of all parts and subparts of the system. It means that security is taken into account from day zero of the conception of a new IoT device. Security is based on confidentiality, integrity, and authenticity for the data but also for the processing of the data. This implies the presence of mechanisms like runtime monitoring, secure boot, and secure updates. It also encompasses the availability of detection mechanisms that will spot the attacks (remember, there is no such thing as a 100% secure system) and that will trigger the necessary recovery mechanisms.
This is yet another security pillar: resilience. And this is where “safety by design” comes into the picture. No matter how far the attacker succeeds in corrupting the device or the system, the behavior of the device or system must not become life-threatening or financially threatening.
“Security by design” and “safety by design” imply that vendors of devices, systems, or solutions must go through external test laboratories and certification bodies to assess objectively the security and safety level achieved. Companies like NXP have track records in Common Criteria certifications for the products used for governmental and payment solutions. But the landscape of the security certifications for IoT devices is changing. The existing industry-recognized schemes that have already been adopted have been deemed inadequate for the emerging IoT ecosystem. To help raise the criteria across the industry, one initiative that NXP, STMicroelectronics and others, with the support of GlobalPlatform, are introducing is a new certification scheme, “Security Evaluation Scheme for IoT Platforms” (SESIP), which inherits some of the properties of the well-established and trusted Common Criteria scheme while making it affordable for the whole spectrum of IoT devices.
Another important feature of “security by design” is that both hardware and software are to be considered, because it can be shown that there is no ideal way to implement a software-only approach to IoT security that would match the system security expectations now and in the future.
“Privacy by design” means that the product/system/solution is designed to be privacy-preserving. Among others, the anonymity and the non-traceability of the user are guaranteed where mandatory and/or appropriate, as well as that of all of his/her personal data. “Privacy” is more and more part of the agenda: new laws and regulations like the GDPR in Europe are being put in place in many parts of the world. The purpose is to protect the privacy of the end-users of, among others, the IoT devices.
It is important to note that the security, safety, and privacy offered must be matched against the result of a detailed risk and threat analysis that gives a reliable valuation of the cost of the additional features against the value to be protected.
The “making of” and the follow-through
Delivering products that are secure, safe, and privacy-preserving is not only a checklist on a datasheet. It is also a consistent and mature secure approach to the architecture, design, implementation, manufacturing, testing, provisioning, and distribution of those products. The end-of-life of the product must also be managed.
It’s no longer possible to just sell “secure and safe” products. Products must continue to be supported with transparency and fast security incident response teams.
In Figure 2, security objectives can be met by combining several products with different levels of capabilities: compact nodes built around MCUs are enabled with secure boot and secure update capabilities; edge nodes built around MCUs and MPUs are provided with multiple cores and trusted subsystems (e.g., a high-end automotive gateway uses a processor to integrate vehicle-to-infrastructure communications (V2X)); communications or multicore applications processing for high-end computing-intensive mobile devices include tamper detection, software and hardware isolation, hardware secure storage, and hardware cryptographic acceleration. Hardware tamper resistance security features across high-end MCUs and MPUs can be supplemented with highly secure discrete embedded secure elements. The external secure element is preferably connected directly to the sensors and the actuators to guarantee the authenticity of the sensing, and the actuators are only acted upon if the commands are authentic. Those security features are summarized in Figure 5.
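As an added illustration (not code from the article or from NXP), the sketch below shows the gate this paragraph describes, where an actuator is driven only by authentic commands, combined with the “safety by design” rule that even an authentic command stays within predetermined limits. The message layout, key, and dose limits are assumptions constructed for the example, and HMAC-SHA256 with a shared key stands in for whatever a secure element would actually implement.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration only (assumptions, not from the article).
KEY = b"constructed-demo-key-do-not-reuse"  # would live inside the secure element
MAX_DOSE = 2000        # hypothetical ceiling per command, in milli-units
MAX_CUMULATIVE = 5000  # hypothetical ceiling per window (window reset omitted)
BODY = struct.Struct(">QI")  # 8-byte monotonic counter, 4-byte dose


def make_command(key: bytes, counter: int, dose: int) -> bytes:
    """Sender side: body followed by an HMAC-SHA256 tag over the body."""
    body = BODY.pack(counter, dose)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ActuatorGate:
    """Receiver side: authenticity, freshness, then safety, in that order."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0
        self._delivered = 0

    def handle(self, msg: bytes) -> str:
        if len(msg) != BODY.size + hashlib.sha256().digest_size:
            return "reject:malformed"
        body, tag = msg[:BODY.size], msg[BODY.size:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return "reject:not-authentic"
        counter, dose = BODY.unpack(body)
        # A strictly increasing counter stops a recorded command being replayed.
        if counter <= self._last_counter:
            return "reject:replay"
        self._last_counter = counter
        # Safety limits apply even to authentic commands, so a compromised
        # but correctly keyed sender still cannot exceed them.
        if dose > MAX_DOSE or self._delivered + dose > MAX_CUMULATIVE:
            return "reject:unsafe"
        self._delivered += dose
        return "actuate"
```

The order of checks matters: nothing in the message is parsed or acted on before the tag verifies, and the safety limits do not depend on the key remaining secret.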
Additionally, RFID-based tagging products help in the deployment of secure logistics chains to fight against counterfeiting and cloning.
Trust provisioning services and cloud onboarding services are also needed to integrate MCUs and MPUs harmoniously in design-ins of manufactured devices, so that they can not only be developed in environments that are not specifically secure but also be integrated into secure systems.
Figure 3 shows an artist's view of a smart door lock, and Figure 4 sketches an architecture to make it secure.
The embedded industry must continue to raise the bar and push things forward towards an Internet of Trust by taking a holistic approach to security and safety aligned with industry standards and best practices.
About the author
Marc Vauclair is a senior security system architect with more than 35 years of experience in research and development who focuses on innovative security architectures for embedded systems at NXP Semiconductors. NXP offers a security portfolio for IoT, industrial, and automotive markets and participates in security standardization bodies, consortiums, and alliances to promote security, safety, and a cyber secure world. For more information on this topic, see From the Internet of Things to the Internet of Trust.