(Source: Tierney - stock.adobe.com)
Of all industries and technologies, none have grown in scale as fast as the Internet of Things (IoT), and what started out as a handful of experimental internet-enabled microcontrollers in the early 2000s has grown to more than 21 billion devices worldwide. While Ethernet allowed devices to connect to the internet, Wi-Fi® really fueled the IoT industry as it enabled very small devices to have internet connectivity no matter where they were.
The first devices were used for trivial applications such as wireless thermometers or humidity sensors—Interesting gizmos as opposed to practical products. With limited use and an extremely small market, virtually no security measures were used for these seemingly low-risk devices. But, as microcontrollers became more advanced, these simple IoT products started to do more and eventually could be used to stream video and audio. Even though these devices became increasingly more advanced, security was seriously lacking, with many IoT devices not using passwords, using insecure connections, and even storing private data unencrypted.
Fast forward to 2022: Billions of devices around the world are potentially vulnerable to cyberattacks, and hackers frequently target IoT devices for their private data and abilities to perform denial-of-service attacks. Protecting these devices with strong security practices has never been more important.
As the first generation of IoT devices was based on extremely simple microcontrollers with limited capabilities, any heavy data processing had to be done remotely on servers (i.e., cloud computing). While this is advantageous from an energy perspective, it comes with some major challenges: Latency between submitting data and receiving a response, and the fact that potentially private data have to be streamed across the internet where they may be intercepted.
With edge computing, however, some or most of the heavy computation is done either on IoT devices or on a computer local to the IoT device. Such a system not only reduces the latency but also minimizes the risks associated with sending private data over remote networks. Edge computing can even be used to preprocess data (e.g., video camera feeds) so that any data that are sent to a remote connection will have private information obscured or removed.
Even with edge computing, IoT devices are still vulnerable to a wide range of attacks, and engineers must understand these attack methods in order to defend against them.
The most important concept to be understood is the three states of data: In storage, in transit, and in processing. Data are vulnerable in all three of these states, but data are particularly vulnerable during transitions between these states. For example, data stored in memory can be accessed, data being transferred between the central processing unit (CPU) and memory can be peeked, and data inside a CPU may be accessible via side-channel attacks.
Poor protocol implementation is often a cause for concern. For example, although the theory behind OpenSSL is perfectly adequate for protecting data, its implementation revealed a major bug called Heartbleed that allowed for buffer overflow attacks to return private data in a server’s memory.
Many devices on the market require a programming port for flashing program read-only memory during manufacture, but hackers can access this port to gain access to the main microcontroller (Figure 1). From there, program memory can be dumped, IP stolen, and keys obtained.
Some devices use complex security operations centers capable of running operating systems such as Linux. While this allows designers to create complex applications, these operating systems may have exposed ports that are not closed by default, use well-known root passwords, integrate software packages that are not needed but contain bugs, and are not kept up to date.
IoT designs that need to use a remote server for data storage and communication rarely contain a certificate system to authenticate the IoT device. Any device pretending to be an authentic IoT device can potentially access an IoT server. Even worse, a device could be cloned with inbuilt malware and infect a remote server.
Figure 1: Microcontrollers often have easily accessed pins and programming ports. (Source: zdyma4 - stock.adobe.com)
Unfortunately, with so many attack vectors, no catch-all solution to protect devices exists. However, common sense and the use of hardware security measures can dramatically improve the security of a device.
The first line of defense is to use encryption whenever possible, as encrypted data cannot be read without the key. Encryption can be applied to memory, to data in transit between system components, and to data being sent across the internet. The second line of defense is to use strong security algorithms and routines (e.g., true random number generators and encryption algorithms) that do not have poor implementations.
Of course, these two methods of defense require that encryption keys are kept safe from hackers and that algorithms are immutable. Fortunately, hardware security coprocessors exist for this very purpose, and a good example of such a device is the EdgeLock SE050 by NXP. This coprocessor integrates true random number generation, relies on multiple encryption algorithms including AES, RSA, and DES, can be used to store keys, and supports trusted platform module capabilities (Figure 2).
Figure 2: The EdgeLock SE050 offers multi-layered protection against attack. (Source: NXP Datasheet)
As cyberattacks on IoT devices continue to increase, the need to secure these devices with strong security practices has never been more important. Software security measures can only go so far and trying to use software implementations for encryption can lead to disaster if not kept updated. Hardware security solutions such as the NXP EdgeLock SE050 are ideal for securing devices.
Robin Mitchell is an electronic engineer who has been involved in electronics since the age of 13. After completing a BEng at the University of Warwick, Robin moved into the field of online content creation developing articles, news pieces, and projects aimed at professionals and makers alike. Currently, Robin runs a small electronics business, MitchElectronics, which produces educational kits and resources.