Build trust in the IoT

February 14, 2017 // By EDN Europe
Mark Patrick, Mouser Electronics
From smart light bulbs programmed to misbehave, to cars being turned into life-size remote-controlled toys, we are not short of examples illustrating that the shift to the internet of things (IoT) is a potentially risky endeavour. But it does not have to be that way. Many of the mistakes made so far by manufacturers of the first wave of IoT devices are avoidable with some care and attention.

There are examples of embedded systems that do resist hackers and have been proven to be successful. One example is that of the digital mobile phone designed to support the GSM and later 3GPP standards that has incorporated strong security as a key part of its makeup. The subscriber identity module (SIM) common to mobile phones includes a cryptographic processor combined with secure memory. These modules provide the basis – a root of trust – for building security into all phones. The same architecture can be used to help protect the IoT from hackers.

One way that attackers gain access to such secure systems is by attacking and altering the system firmware to give them control over the device whenever they want it. A key factor in the success of security architectures such as that used in mobile telephony is the root of trust, which helps close down that avenue of attack.

Designers can use the root of trust to ensure the device boots and runs only authorised code. When the device starts up and reads code from onboard read-only memory (ROM) it checks that each major segment has been digitally signed by an authorised supplier. A process called hashing is used as part of this signing process. 

A hash is a one-way function that generates a code associated with the message but which cannot be used to reconstitute the message. The receiver runs the same hashing function to check that the two hashes match – if they do not, it indicates that the communication has been compromised.

If the device encounters a block of code that is incorrectly signed, it can block the loading of the affected software. It can raise the alarm after it moves into a recovery state. That recovery process can try to obtain authorised code from the original supplier and let the supplier know an attack has been attempted. For further protection the code block itself may be encrypted to prevent attackers obtaining IP by decompiling the software.

Although it is possible to implement some forms of secure boot without a hardware trust module, it becomes much harder to guarantee that the boot process will halt correctly if the hacker has penetrated far enough into the firmware. A root of trust that includes cryptographic functions can enforce security by refusing to decrypt code as it loads and deny service to any software component that does not have a correct hash or key.

Once the device has booted correctly, it can authenticate itself to the network using the asymmetric cryptography mechanisms in widespread use on the internet. The device can use the cryptography functions in the root of trust to set up secure communications using protocols such as Transport Layer Security (TLS). Conversely, the IoT device needs to be sure that it is taking commands only from other devices or servers that it can trust. The hardware trust module can check the digitally signed certificates of those other devices against keys stored in protected memory the device can ensure it is communicating only with authorised systems.

Services will change over time