
What you need for IoT security (Part 3): IoT devices security

Manoj Kumar Rai, Head of M2M Solutions, South Asia & Japan, Gemalto | Aug. 15, 2016
Gemalto's Manoj Kumar talks about securing IoT devices from both the hardware and software aspects.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.


A connected device presents an interesting target to hackers. In the last year, we heard many stories exposing vulnerabilities in devices, from security researchers hacking into consumer vehicles, to malware infecting medical devices such as radiology and X-ray equipment, and brute-force dictionary attacks exposing connected cameras such as baby monitors and CCTV systems. After all, the security of a connected device is only as good as the security of its components: the hardware and the embedded software. If each of these components is not secured, the device can easily become the subject of malicious attacks and unauthorized access, resulting in criminals, hackers and even rogue governments being able to modify and control the device, collect our data, listen to our calls, and see through our cameras. The above-mentioned cases could have been avoided by building trust into the hardware and the software. They reiterate a common theme: traditional perimeter-based controls and network security are simply not enough to secure an IoT system.

A vast number of IoT devices are embedded devices, especially in industrial applications, with a typical product life cycle of 10-15 years. Security for the Internet of Things will depend on our ability to trust the hardware and software of the devices, to securely identify the devices and their masters, and to protect the data that those devices and masters manage and share. To achieve such security, the device and the system need to be designed with security in mind from the start. Unfortunately, this is often overlooked when the market launch of the product is given priority.

Establish trusted devices with hardware-based anchor of trust:

A trusted device is one for which the manufacturer, or the service provider using the device, can verify that 1) the hardware and software have not been tampered with, 2) the device is authentic, and 3) the data generated by the device is authentic.

It is possible to cryptographically prove that the device has not changed since a certain stage (such as production time) by taking a fingerprint of the critical identifiable subsystems and digitally signing the fingerprint to prove its authenticity. In practice, the digital signature of the device fingerprint is created using PKI technology. It is essential that the hardware has a secure element to generate and store the cryptographic keys for the PKI operation. The secure element can be one dedicated to hardware protection, or a secure element already used for communication purposes, such as an embedded SIM (used in consumer devices) or a Machine Identification Module (used in industrial and automotive applications), can serve this purpose. The secured key becomes the root of trust for the hardware, which can be used to build up the trust layers above the hardware. Using hardware secure elements protects the keys from malicious hardware attacks such as Differential Power Analysis (DPA) and reverse-engineering via electron microscopy.
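The production-time fingerprint-and-sign check described above, as an added Go example that is not code from the article or from Gemalto. It assumes Ed25519 as the signature scheme, a software-generated key standing in for one held in a secure element, and constructed subsystem names and images.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Fingerprint folds the named subsystem images into one SHA-256 digest.
// Names are sorted and length-prefixed so the encoding is unambiguous.
func Fingerprint(parts map[string][]byte) []byte {
	names := make([]string, 0, len(parts))
	for n := range parts {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(n)))
		h.Write(l[:])
		h.Write([]byte(n))
		d := sha256.Sum256(parts[n])
		h.Write(d[:])
	}
	return h.Sum(nil)
}

// Verify recomputes the fingerprint from what the device runs now and checks
// the production-time signature using only the public key.
func Verify(pub ed25519.PublicKey, parts map[string][]byte, sig []byte) bool {
	return ed25519.Verify(pub, Fingerprint(parts), sig)
}

// Demo signs constructed sample images, then verifies them untouched and
// again after the firmware image has been changed.
func Demo() (intact, tampered bool) {
	// Assumption: this software key stands in for one held in a secure element.
	pub, priv, _ := ed25519.GenerateKey(nil)
	parts := map[string][]byte{ // constructed sample data
		"bootloader": []byte("boot-v1"), "firmware": []byte("fw-v1"), "config": []byte("cfg-v1")}
	sig := ed25519.Sign(priv, Fingerprint(parts))
	intact = Verify(pub, parts, sig)
	parts["firmware"] = []byte("fw-v2")
	return intact, Verify(pub, parts, sig)
}

func main() { fmt.Println(Demo()) }
```

On a real device the signing call would run inside the secure element so the private key never reaches application memory; the verifier needs only the public key or its certificate.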

 
