Having billions of IoT devices in the world is of no use if people can’t trust these connected things to keep their sensitive data safe. While the IoT continues to permeate our everyday lives, the security side of the equation has, unfortunately, been less of a priority. Hackers continue to prowl susceptible avenues, often breaching entire networks through vulnerabilities in smart, connected devices. This article presents a smarter way to meet the challenges of IoT design security using technology that provides tamper detection, cryptographic functions, and secure data storage.
Have You Heard About the Hacked Fish Tank?
An aquarium might seem like an innocuous way to set the mood in a room. But for one casino, its lobby fish tank became an entry point into a database of key customers. Hackers managed to access the database via the smart thermometer used to monitor the aquarium’s water temperature. As the CEO of Darktrace, a U.K.-based cybersecurity company, revealed earlier this year, “The attackers used that (thermometer) to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.” [1]
Indeed, left unprotected, connected devices can be avenues into the larger network. Yet, in the race to get new products to market quickly, security is often overlooked or an afterthought. Some companies consider implementing security to be difficult, costly, or time-consuming. Others see it as a task they’ll take care of later, yet it doesn’t take much for “later” to become “too late.” What’s more, the costs incurred when a breach occurs are even higher than any implementation costs. Think lost revenue and consumer trust, damage to the company brand and reputation, and even potential personal harm.
It’s time to be smarter about protecting the sensitive data that makes the IoT worthwhile.
Hardware Versus Software Security: Which is Best?
In embedded designs, security can be implemented via software or hardware. Software encryption is deemed to be cost effective and relatively easy to implement and update as it primarily involves coding versus hardware changes. While this may be a fairly easy option, it is also far from failsafe. For one thing, a security flaw in the operating system can compromise the security provided by the encryption code. It’s also difficult to comprehensively ascertain all of the potential interactions that could trigger a security breach. This could leave a system with many vulnerable openings.
Hardware-based security has proven to be much more robust than its software counterpart. A secure microcontroller that executes software from an internal, immutable memory strongly protects against attacks that attempt to breach an electronic device’s hardware. This software is considered to be the “root of trust” because, stored in the microcontroller’s ROM, it cannot be modified. This trusted software can be used to verify and authenticate the application’s software signature. A hardware-based root-of-trust methodology starts from the bottom of the design, enabling you to close off more potential entry points into your design than a software-based approach would allow.
Secure microcontrollers also support challenge-response authentication, which comes in two flavors. Symmetric cryptography-based authentication utilizes a shared secret key, or number, between the host and the device to be authenticated. A device is authenticated when digital signature computations triggered by a random key (the challenge) sent by the host to the device are a match between the two sides. To ensure that results can’t be imitated, a function with adequate mathematical properties—such as SHA-256 secure hash functions—is critical. In asymmetric cryptography-based authentication, there’s a private key as well as a public key. The device to be authenticated is the only entity that knows the private key, while the public key can be shared with any entity that intends to authenticate the device. As with the previous method, the function used to compute the signature should have certain mathematical properties; in this case, RSA and ECDSA are commonly used functions.
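The symmetric flavor described above, sketched as an added example that is not code from the article or from any vendor: both sides are simulated in one process, and HMAC-SHA-256 is assumed as the keyed function (the article names only SHA-256). The `Host`, `Device`, and `demo` names are hypothetical.

```python
import hashlib
import hmac
import secrets

class Device:
    """Device side: holds the shared secret (on real hardware, inside the secure IC)."""
    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, challenge: bytes) -> bytes:
        # Keyed hash over the host's challenge; only a holder of the key can compute it.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Host:
    """Host side: issues single-use random challenges and checks the responses."""
    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)  # unpredictable, used once
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge the host never issued, or already consumed, is a replay.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        # Constant-time comparison: do not leak how many bytes matched.
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key
    host, genuine = Host(key), Device(key)
    clone = Device(secrets.token_bytes(32))  # lacks the real secret
    c1 = host.new_challenge()
    r1 = genuine.respond(c1)
    results = {"genuine": host.verify(c1, r1)}
    results["replay"] = host.verify(c1, r1)  # same pair presented again
    c2 = host.new_challenge()
    results["clone"] = host.verify(c2, clone.respond(c2))
    # An old response recorded off the bus does not answer a fresh challenge.
    results["stale_response"] = host.verify(host.new_challenge(), r1)
    return results

if __name__ == "__main__":
    print(demo())
```

The shared key never crosses the link; only the challenge and the keyed hash do, which is why the host must generate challenges from a strong random source and never accept one twice.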
Preventing Physical Tampering
The ability to ward off attempts at physical tampering is an important consideration for many types of applications, particularly those deployed in the wild (a.k.a. IoT devices, like the smart thermometers used in the hacked aquarium example discussed earlier). Hackers who physically gain access to an embedded system can try to steal sensitive data, inject malicious code into the system, attempt to gain control of the system, or clone the device. Plugging any accessible ports on the connected device is one obvious deterrent. At the component level, you can integrate security ICs with built-in tamper resistance into your design. These types of ICs would be able to detect when and where a tamper attempt is underway and immediately erase any stored sensitive data. Some anti-tamper security ICs can be used as co-processors in the design, so the existing design doesn’t have to be changed in order to implement protection. This can be an important factor when security is addressed late in the design cycle. When equipped with serial communication buses, the security ICs can then talk to the existing microcontroller in the design.
As an example of an application where this level of security would be useful, consider the digital cinema projector. Inside each projector is a media server with video files of movies, along with a unique cryptographic key that safeguards access to that projector’s contents. At each cinema, a corresponding key would be required to decrypt the video content in order to play the movie. A tamper-resistant security IC can store the keys and protect them from unauthorized access. Another example application area is in transportation, where payment readers and tollway systems can be protected by security ICs. Medical instruments provide yet another example, where encryption of data collected from patients and prevention of counterfeiting are critical to patient well-being. In each of these examples, designers developing the products may not necessarily be cryptography experts. A security IC with built-in cryptography functions eliminates the need for cryptography experts to implement the design protection.
New Anti-Tamper Security Supervisors
Maxim’s MAX36010 and MAX36011 are two of the market’s newest security supervisors, serving as coprocessors to provide tamper detection, cryptographic functions, and secure storage for sensitive information. The MAX36011 also provides countermeasures against differential power analysis on triple data encryption standard (3DES) for applications that need Payment Card Industry (PCI) or Federal Information Processing Standard (FIPS) certifications, as well as a reset counter function to prevent hackers from getting sensitive information from our devices through continuous resetting. With robust security integrated into both parts, users need not be security experts to protect their designs from attacks. Keys are generated via a true random number generator (TRNG) and, along with certificates and other sensitive data, are stored in battery-backed RAM. These data are erased when tampering is detected, a capability that meets the requirements of FIPS Publication 140-2 at its highest security levels (Levels 3 and 4). The advantage of having battery-backed RAM for data storage is that, even if the main microcontroller is powered off, the tamper-sensing circuit remains in operation. Both ICs can be integrated into a design at any stage in its development.
Ensuring Consumer Trust
The thought of having an internet-connected oven might have seemed silly a few years back. But today, designers are integrating intelligence and connectivity into an array of products, including kitchen appliances and even those that previously lacked electronic components. Given that these devices are often driven by valuable—and sensitive—user data, it is imperative that they are protected against hacking. Highly integrated anti-tamper security ICs that function as coprocessors make it relatively easy to implement a robust level of protection for a variety of IoT and other security-sensitive designs. By doing so, you can build a stronger level of trust, and adoption, among consumers.