December 23, 2016

641 Views

Leveraging Hardware Security to Secure IoT Devices

Co-author- Mayank Babu Rastogi

Various studies have exhibited that there is a wide-ranging agreement to the fact that security is the foremost barricade in the adoption of IoT. Before diving into IoT security, let us first understand why we can’t use age-old security solutions in IoT.

IoT systems have got some specific characteristics. They are inclined to possess a substantial lifetime with seldom in-person management. They are usually resource-constrained devices and possess fixed functionality.  Their connectivity to the outside world is meant for small chunks of infrequent data transmission and reception. This is in contrast to PCs which have significant computing resources, support flexibility to frequently add and remove applications, and have a higher bandwidth internet connection.

Fundamental differences imply that security paradigm for IoT devices has to be different from that of the PC world.

As a matter of fact, the software-only approach for IoT device security is not the best and trustworthy option and it should be complemented with hardware enabled security features to realize fully secure IoT devices. Nowadays SoCs implement security capabilities while sustaining the low power system operation in a small footprint. We will be discussing three facets of security measures enabled by hardware in embedded IoT devices.

Hardware Cryptographic Accelerator

With the vision to move cryptography (encryption and decryption of data) from software to hardware, manufacturers have started to create processors that have hardware-based Cryptographic accelerators in the processor.

A cryptographic accelerator is a co-processor designed explicitly to accomplish computationally intensive cryptographic operations much more efficiently than the general-purpose CPU.

Figure 1: Hardware Cryptographic Accelerator Tier

Cryptography has many unique advantages. Offloading the cryptographic operations onto hardware security modules delivers significant benefits:

  • Increase performance of the device core by offloading the cryptographic operations onto hardware optimized for the purpose.
  • Provide futuristic approach by supporting longer keys lengths and different algorithms

Root of Trust

Secure Boot provides a critical security feature for embedded IoT devices by ensuring that only a validated code from the device OEM is allowed to run.  This helps in preventing attacks on replacing firmware with versions created to perform malicious operations.

High-assurance solutions support a root-of-trust in hardware or immutable memory so that it can't be modified. The secure boot process is used to build a chain of trust wherein at each power on, the Secure Boot process verifies each layer's authenticity. Once the authenticity is established, it is allowed to execute. This ensures that the software is not corrupted and is coming from a valid source. A component is never executed unless proven trustworthy.

 

Figure 2: Building a Trusted IoT device

Root of Trust is provided by hardware services and includes cryptographic support, secure key storage, secure signature storage, and secure access to trusted functions.

Hypervisor

A Hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware, or hardware that creates and runs virtual machines and aim at providing secure encapsulation by running different OS.

Virtual platforms within a hypervisor comprise of processor and peripheral models necessary to boot an operating system or run bare metal applications. They have a specific purpose like, porting and bringing up a secure software stack.

For e.g. In Automotive industry there are two OS supported for car IVI, one is for Car’s internal network that is a trusted OS and the other is a guest OS that executes Infotainment related applications and has the capability to download third party applications.

Hypervisors provide the advantage of using single hardware to run multiple OS and each will ‘appear’ to have its own processor, memory, Input/Output (I/O) channels, and other resources.

To sum up, as the adoption of IoT is growing in different verticals from healthcare to industrial manufacturing to transportation, engineers and architects are faced with the challenge of architecting truly secure IoT devices. Leveraging security mechanisms enabled by hardware will elevate security level of the devices to a desired level without causing any significant toll on the devices’ performance.

References

  1. https://www.globalsign.com/en/blog/iot-security-hardware/
  2. http://www.eetimes.com/document.asp?doc_id=1275172