Worldwide management consulting firm McKinsey & Company recently asked a group of experts–including the Director of MIT’s Media Lab and the Deputy Director of Google’s Advanced Technology Projects—what was the biggest risk associated with the Internet of Things (IoT). There are no prizes for guessing the answer.
“We’re creating vast new attack surfaces,” said one of McKinsey’s respondents. “IoT can [scale up] the attack surface for any kind of cyberattack,” said another. A third said: “I’m worried about people taking my information or causing the devices to physically do something wrong.” And a fourth replied succinctly: “The security risk.”
Knowing that the IoT brings security risks is hardly a revelation; for example, the data gathered by connected sensors—whether they’re monitoring traffic, weather, or building occupancy—or information transferred across networks—such as medical, financial, or security details—is valuable. And that value attracts both the law-abiding and those who are a little more laissez-faire with the rules. But the magnitude of that risk is only now becoming apparent. The “attack surface”, cited by the experts above, already comprises tens of billions of nodes and is set to expand to trillions in the not too distant future. (As soon as 2025, according to Japanese technology conglomerate SoftBank.)
The connected, consumer-grade security camera perfectly illustrates the challenge engineers face in adequately protecting every single device connected to the IoT, from a modest wireless sensor to a powerful server. Consumers want cheap security cameras, and that brings compromises—markedly a lack of security. Security camera makers assume no one will be bothered to put much effort into hacking the devices and thus cut corners. But that’s a mistaken belief because, according to research from cybersecurity firm SAM Seamless Network, a lot of people are very interested in breaking into security cameras, and a lot of other people are interested in helping them. The devices currently account for almost half of the IoT devices compromised by hackers. And the miscreants don’t even have to start from scratch; it turns out that connected security camera hacking is an industry with its own support community. In fact, there are many web-based tools and example code designed specifically for cracking the devices out there. Few hackers actually want access to a view of the parking lot or building lobby afforded by the security camera. Rather the hackers appreciate that the camera is a weak link in a network, and by breaking into it, they can potentially open up access to better-protected devices—such as all the smart locks in the building.
The challenge then is to adequately protect a trillion IoT devices without adding too much complexity and cost (and to do this with a fairly limited number of developers across the globe). One way engineers can get started is to focus solely on the protection of the critical data and information while leaving everything of little or no value unprotected. This brings three key benefits:
Trusted Execution Environments (TEEs) offer a proven technical solution for protecting critical data. TEEs are secure areas inside the IoT device’s embedded processor that runs software in parallel but is isolated from the main operating system (OS). The TEEs rely on a “root-of-trust”; this is a set of functions used within the secure environment that’s always trusted by the processor’s OS and comprising everything needed for a secure boot and system recovery.
The key to the technology’s success is that valuable code and data—such as security functions and cryptographic credentials—operate inside the TEE and are maintained with a very high level of integrity and confidentiality while less valuable code and data run unencumbered on the main OS. Crucially, operations inside the TEE can be hidden from normal processor functions, making it hard for outsiders to access them. Such a system is simpler (and thus less expensive) to implement than trying to lock down everything yet makes it very difficult for a hacker to break into (making it likely they’ll turn their nefarious attention elsewhere).
While other commercial TEE solutions are available, perhaps the most viable option for the developer—with the company’s technology powering around 45 percent of the efficient processors at the heart of IoT devices, according to analyst IPNest—is embedded IP vendor Arm’s “TrustZone.” The technology enables a freely-programmable ‘trusted platform module’ by establishing a secure TEE within the Arm processor in addition to its normal operational mode.
When operating in the secure mode, for example to perform a secure boot, the processor runs software from secure memory and interfaces with secure peripherals. Upon completion of the boot up, the processor runs software such as the application and wireless protocol stack in normal mode. Elements in normal mode can access functions in the secure area, but only those that the developer has made available for normal operation. Everything else remains hidden. Activities are completed in series so that the processor is never simultaneously in secure and normal modes.
To understand how everything works in practice, consider a wearable used for collecting exercise data and performing mobile payments. When operating as a fitness device, the wearable operates in normal mode, limiting latency and maximizing battery life. But later, when the hard-working amateur athlete wants to purchase a well-deserved soft drink, the wearable needs a secure mechanism for identifying them so that payment details can be securely released to the vendor without risk of interception. To do this, the embedded processor switches from normal to secure mode and enables the payment application. Authentication, such as a biometric check, ensures the device can only be used by the trusted owner.
But while TEEs provide a basis to protect the most important aspects of an IoT device, they aren’t the last word in security. To design the most secure device, an engineer needs to ensure that protection is considered at every stage of the design process; otherwise, there’s a risk vulnerabilities will be baked in. And because hackers don’t sleep, if there’s any weakness in the product, they’ll find it in short order.
Steven Keeping gained a BEng (Hons.) degree at Brighton University, U.K., before working in the electronics divisions of Eurotherm and BOC for seven years. He then joined Electronic Production magazine and subsequently spent 13 years in senior editorial and publishing roles on electronics manufacturing, test, and design titles including What’s New in Electronics and Australian Electronics Engineering for Trinity Mirror, CMP and RBI in the U.K. and Australia. In 2006, Steven became a freelance journalist specializing in electronics. He is based in Sydney.