Originally published in u-blox Magazine, May 2020. Re-published with permission.
It’s one thing to implement IoT security in friendly environments – with unlimited power, plenty of computing capacity, ample bandwidth, and a team of security experts present and prepared to catch and patch up any security flaws. But these conditions are rare in real-world IoT deployments, where droves of battery-powered devices scattered far and wide run on stripped down operating systems, with minimal computing power, and tightly rationed data plans, often beyond the physical reach of tech support.
The task is made more challenging still by the fragmented mix of technologies, protocols, and vendors that are thrust together into dedicated solutions. A domestic air quality monitor, for instance, might combine multiple particulate matter sensors, a host processor, and a wireless modem, each from a different supplier. After sensing and processing, the data may be sent to a smart home hub, then to a router, and finally up to the cloud, passing at each hop through products made by different suppliers from all over the world.
In this specific case, confidentiality might not be a high-stakes concern. But given the psychological cost of raising false alarms, data integrity might be. And because nobody wants their smart home devices to be recruited into a botnet and pulled into a nefarious online conspiracy, so might access control. Pet trackers, domestic surveillance cameras, smart TV boxes, connected thermostats, and coffee machines – the list of exposed devices is long and getting longer by the day.
The stakes are far greater in the industrial IoT, where compromised smart sensors, smart meters, or smart devices might expose confidential data of thousands to millions of devices. Public and private utilities rely on hundreds of thousands of such devices that are expected to work in the field for a decade or more. And it goes beyond protecting confidentiality. Compromised devices can be a conduit for hackers to bring operations to a halt, leading to downtime that can cost companies millions of dollars.
Respect for data privacy is absolutely critical to build public trust in connected health applications. Because of the sensitive nature of the data involved, patients count on eHealth service providers to treat their data with as much or more care than their doctors. And because smart health devices such as cardiac pacemakers and connected insulin pumps interface directly with the body, the consequences of being hijacked by hackers can be dramatic, both for the patient and the producers of the device.
Municipal authorities are also developing and deploying applications that aim to positively impact their residents’ lives. To be successful, they need to be able to count on the authenticity, integrity, and confidentiality of the data they sense.
In each of these settings, the ability to patch and update firmware to address inevitable vulnerabilities is vital for a connected business to stand the test of time.
Ultimately, the end-goal is always the same. Devices must be secured so that users can trust and control their devices. The privacy of the data should be protected both on devices themselves and as it transits from the devices to the cloud to ensure authenticity, integrity, and confidentiality. Access to the devices, their data, and their features needs to be restricted to authorized users. And measures should be put in place to detect and respond to intrusions, mitigate their effects, and correct the vulnerabilities at their source.
Because their businesses depend on it, major cloud service providers such as AWS, Microsoft Azure, and Google Cloud Platform are constantly building out their services to offer a solid security baseline. But for entire solutions to be secure, the end devices at the periphery of the network also need to pull their weight. To hackers, vulnerabilities at the network’s edge can be an open door into the protected portions of the network. They can exploit them unnoticed to sniff or manipulate data as it transmits to the cloud. Or they can modify a device’s firmware to make it serve their own needs.
Building a foundation of core protection – services capable of withstanding attacks from all but the most sophisticated actors such as nation states – requires establishing a chain of trust, from the device end all the way up to the cloud, even as data travels through poorly secured, or even hostile, environments. This requires taking security seriously from the design phase through manufacturing, all the way to operations. While there is no one-size-fits-all security solution, there is a general script that helps ensure that the important boxes are checked and that best practices are followed.
In their draft recommendations for IoT device manufacturers, the US National Institute for Standards and Technology (NIST) lays out six voluntary but recommended activities to tighten cybersecurity of commercial IoT devices. The GSMA, which represents the interests of mobile network operators, has laid out its security guidelines in a series of reference documents. And we have outlined a four-step path to developing and deploying IoT ecosystems that are resilient to evolving cyberthreats in a white paper.
Such a secure solution needs a rock-solid foundation to build on. In this case, this foundation is provided by an immutable chip ID and a robust root of trust, which is best explained as a source that enables a trusted set of advanced security functionality. These can include the ability to securely execute user applications, protect against and detect tampering, and securely store and handle encryption keys and other security assets.
A secure boot sequence and secure updates ensure that only authenticated firmware runs on the device. A secure client library generates keys and crypto functions needed to securely connect devices to the cloud, and encryption keys derived from the root of trust protect the confidentiality and integrity of all data, whether at rest or in motion.
If all that sounds extremely resource intensive, well, it can be. But, with the right expertise, u-blox, a global provider of leading positioning and wireless communication technologies, and Kudelski, the global leader in digital security, are proving that it is possible to fit best-in-class security onto a 16 by 26mm module designed to transmit data for years on end under a tight power budget. It combines Kudelski’s unique security architecture and sophisticated lightweight algorithms to offer a highly scalable key management system aligned with the needs of the IoT.
Root-of-trust-based encryption means that customers no longer always need to incorporate a dedicated, separate Secure Element – also referred to as a crypto-chip. End-to-end encryption from the device to the backend or cloud applications means that all the gateways, routers, and other intermediaries on the journey remain blind to the data being sent. And a unique LPWA-optimized key management solution can reduce data overhead eight-fold over standard public key infrastructure (PKI) certificate-based solutions.
What makes the solution unique is the way in which the root key of each device is known to Kudelski’s hardened secure servers in the cloud. Both the device and the cloud also contain the proprietary, battle-tested algorithms that generate ephemeral, one-time use keys to provide critical IoT functions like the encryption of data, the authentication of commands, and the validation of new firmware updates. This provides the highest possible level of data confidentiality, device security, and finite access control while limiting bandwidth and power usage.
Most devices designed for secure communications are assigned multiple, usually two or three, root keys during production. If one key is compromised, they can cycle through the remaining ones until they are all used up. Thanks to the pre-shared keys connecting our secure modules to the cloud, users can effortlessly create any number of encryption keys. As a result, every single communication to and from each individual device can be uniquely secured.
This can be invaluable in common IoT use cases. Take, for instance, a device that uses machine-learning-generated algorithms to identify suspicious data traffic suggesting the device is being exploited by unauthorized users. Because the devices themselves have limited computational power, the algorithms are typically trained on the cloud using oodles of data before being transferred to the devices.
The resulting algorithms, often the more valuable intellectual property, can then be sent over the air to the deployed devices using an encryption key that is unique to the device and to the session. This is but one example of how tying each device’s physical root of trust to the cloud raises the level of security users can leverage to protect their business and their data.
And in the event that these keys are disclosed, the same scheme can be used to transparently renew all of the security of the system without impacting the backend or cloud applications, ensuring that active security is available throughout the lifetime of the IoT devices. Another one dovetails with the growing popularity of OSCORE, a lightweight security protocol designed specifically for highly resource constrained IoT end devices. OSCORE decreases security overhead and bandwidth usage by encrypting only the sensitive portion of messages being transferred, so that the gateways, routers, and servers the data travels through do not need to decrypt the data to reroute as it travels towards its destination.
Furthermore, OSCORE uses pre-shared keys rather than a resource intensive key negotiation process. The protocol, however, leaves open how the keys are shared between the IoT end device and the destination server. Again, the Kudelski key management scheme from the end device’s root of trust to backend applications offers an ideal solution.
By aligning the solution with the IoT SAFE standards and working group, overseen by the GSMA, we are ensuring that our solution runs seamlessly on all GSMA networks. In addition to leveraging existing security hardware resources to securely store and manage keys and enabling remote management of deployed security applets, abiding to IoT SAFE makes it easy for device manufacturers to develop solutions using an immutable identity pre-provisioned in the SIM.
As the IoT continues to expand deeper and deeper into our lives and our businesses, securing devices and encrypting communications are becoming ever more critical. With the right technology, security architecture, and expertise, enabling a foundation of core protection for the IoT with minimal resources in terms of battery power, CPU power, and bandwidth is becoming possible.
Learn the background, vocabulary and key concepts necessary to develop and deploy IoT ecosystems that are resilient to evolving cyber-threats.