Dramatic growth of the Internet of Things (IoT) has brought us to the point where the promised ‘connected world’ is now a reality. With the infrastructure largely in place, businesses are seeking out ways of delivering valuable services based on networks of connected devices, enhancing existing offerings and creating new ones.
Security is the key to this new world, especially with respect to delivering the essential software updates that keep IoT-based services at the cutting edge. This article looks at the process for updating software and the value of hardware technologies in assuring high levels of security.
New services and the need for security
While there is value in IoT hardware, most of the excitement comes from the services that can be delivered by the billions of IoT nodes that are already deployed and the billions that are yet to come to our smart homes and smart factories.
Both existing businesses and IoT-focused start-ups are rapidly developing new services to gain new customers and increase value for existing customers – with the goal of growing profitable businesses by providing ever-increasing benefits to end users.
To achieve the twin objectives of delivering new services via existing hardware and keeping already installed services relevant through continued updates, there is an ongoing need to remotely update the software of connected devices. Thus, IoT devices must be able to accept Over-The-Air (OTA) updates to their software (including firmware). Opening up devices to updates brings new opportunities and new features, but also means that the devices are susceptible to malicious interference if they are not properly secured.
Software updates are essential not only to add features and services but also to fix bugs and vulnerabilities. Just as today’s PCs and phones must be updated to stay appropriately secure, the same is true for IoT devices. These updates must happen automatically, securely, and reliably so that the devices continue to satisfy consumers and businesses alike.
Secured software updates
Performing a software update can be as challenging as brain surgery. One wrong move can fatally injure the patient (in the case of IoT systems, a failed update can fatally brick the device). When the risk of malicious attacks is added to the mix, the importance of providing a safe and secured update process cannot be overstated. Here’s a look at an effective process to securely create and install software updates.
A typical secured software update process is shown in Figure 1. It is divided into two phases: preparation (steps A & B) and execution (steps 1 through 4).
In step A, the device vendor takes the software image for the update and adds metadata to that image to generate a Software Update Data Set. The metadata is essential to security as it includes a digital signature or similar mechanism that the device will use to distinguish an authorized update (issued by a manufacturer or service provider) from a malicious or otherwise unauthorized update. The metadata may also include a version number used to identify the update and prevent rollback, a file list, and other fields.
In step B, the Software Update Data Set is broadcast to target connected devices or made available to them on a server. During this process, attackers may attempt to block the process to prevent updating or try to alter the updates in transit to corrupt the updates. Attackers may also copy the updates and reverse engineer them to find weaknesses or steal intellectual property such as firmware, or keys. Countermeasures must be employed against such attacks, including digital signature to protect update integrity and encryption to protect update confidentiality.
The execution phase starts with step 1, where the remote device downloads the software update data set. Once the software update is downloaded to the device, installation can be triggered locally. Depending on the device configuration, installation can be triggered automatically or manually.
In step 2, the downloaded update is checked for authenticity and integrity, confirming that the update came from an authorized source (e.g., with a digital signature). Decryption of an update would also be done at this point. Once these checks are complete, the new software is ready for installation.
In step 3, the update is installed. The exact steps used will vary depending on the design of the device. In all cases the update process should be designed to recover from power failures and other problems.
In step 4, the installed update is activated. Simple devices may just reboot to activate the new software. Critical devices may be able to transition seamlessly to the new software without any gap in service. And resilient systems are designed to detect faults in the new software and recover automatically.
Despite structured methodologies and extensive testing, all software has weaknesses that can potentially be discovered and exploited. These exploits may allow attackers to run their own code or discover secrets stored on the device. As a result, security experts recommend that all critical functionality should be implemented in secured hardware. This approach is particularly valuable for assuring the security of OTA updates. Properly secured hardware allows code and data to be stored securely and can include encryption as well as the ability to detect tampering and attempted manipulation of code or data.
While the process for secure updates is not dramatically different when secure hardware is included in the system, there are several added steps, as seen in Figure 2.
The software update data set is generated, broadcast, and downloaded in the same manner as before so steps A, B, and 1 from the previous figure are omitted here. There are changes to the update process on the device, as security critical functions are outsourced from the MCU to a separate Security IC.
Instead of using only software to check the update, the Security IC is used to verify the digital signature on the update and to decrypt the update. The Security IC provides protected key storage and on-chip signature verification. This addresses several potential vulnerabilities such as the public key of the device vendor being replaced on the device or the risk of tampering to the verification algorithm. Secured key storage is also used to store the decryption key that is used to decode any encryption of the software image. That key is especially sensitive so it must be carefully protected.
Hardware-based security also allows for a final hash to be performed on the decrypted software as an encapsulated function within the security IC to confirm update integrity before installation is triggered.
Infineon’s OPTIGA hardware for secure software update
The OPTIGA family from Infineon illustrates the functionality of hardware security ICs. This easy-to-integrate, scalable and turnkey solution simplifies the process of developing secured IoT solutions. Drawing on Infineon’s 30 years of security know-how, OPTIGA devices establish a hardware-based root of trust supported by three key security-critical functions – authentication, encryption and integrity.
The OPTIGA family includes multiple devices, such as dedicated cryptographic solutions for embedded systems, a high-end turnkey security controller for high-value goods, a programmable trust anchor for embedded systems, and a Trusted Platform Module (TPM) that protects the integrity and authenticity of devices and systems in embedded networks. For more information about the OPTIGA family, see http://www.infineon.com/optiga.
Specifically optimized for IoT security in industrial automation, smart homes, consumer devices, medical devices and more, OPTIGA Trust X supports secured software updates and protects the authenticity, integrity and confidentiality in IoT devices.
The IoT will touch many aspects of everyone’s business and personal lives and will continue to grow rapidly as businesses devise new ways to deliver services to customers. Each of the billions of IoT nodes also is a potential point of attack for malicious parties, creating a risk of compromised data, unauthorized control of machinery, or worse.
As such, security must be high on the agenda of anyone involved in IoT design. While software-only solutions provide a degree of protection, security works best when it’s based on a solid foundation of hardware-based security such as Infineon’s OPTIGA products. With hardware security as a reliable base, IoT device designers are able to take security to another level, thus improved customer satisfaction and safety while assuring that devices will continue to function properly for years to come.
Steve Hanna is a Senior Principal at Infineon Technologies. He currently co-chairs the TCG Embedded Systems Work Group and is involved in the TCG’s automotive, IoT, and industrial security efforts. He’s a member of the Security Area Directorate in the Internet Engineering Task Force and an author in the Industrial Internet Consortium. Hanna is an inventor or co-inventor on 47 issued U.S. patents. He holds a Bachelor’s Degree in Computer Science from Harvard University.