Security for the Internet of Things

Can you trust your IoT?

The Internet of Things (IoT) is here: billions of things are already out there, and 100x more devices are going to be deployed in the next few years. They improve our lives and reduce costs in areas like lighting, health, sensing, and connected video; however, privacy, security, and authenticity are often just assumed. While we all want our personal health monitors to be private and secure, a simple temperature sensor seems not to deserve the same level of security. The picture changes, though, once we start to act on and rely on the data coming from that temperature sensor. For example, a hacked temperature reading might turn on the AC in your house, resulting in extra cost, or, if it is widespread, cause power outages if a whole neighbourhood is attacked. A hacked temperature sensor in a power plant can be much worse. The consequences can range from costly to disastrous, for example causing a piece of equipment to overheat and fail. As we strive to build these devices as single chips, security has to be architected in upfront. Security is paramount for any IoT device, even a benign one like a connected temperature sensor.

IoT security needs to be guaranteed on several levels: access to the IoT, communication with the IoT, and authenticity of the IoT. In the simplest case an attacker just listens to the communication between the IoT and the user. For example, an attacker could collect data from your health monitor and resell it. Getting more disruptive, the attacker could access the IoT and tinker with the controls. The resulting problems could range from outages of the IoT to the potential destruction of the device. Even worse, equipment and people associated with the IoT can be harmed. Another possibility would be for the attacker to pretend to be the IoT, feeding false data back to the user. An example here is a fake video stream from a surveillance camera, so that the attacker can enter a place undetected. The user therefore has to be sure that he is communicating with the right device and that the data is authentic. Similarly, the IoT device itself needs to be sure that the communication is secure and that the control commands received from the user are authentic. In the remainder of this article we will look at how to provide the necessary security for IoT in these areas.

Communication between IoT and user is no different from any other data communication link. It has to be encrypted with proven algorithms, using good encryption keys with high entropy that were securely exchanged between IoT and user. Securing the communication channels is typically done with known good symmetric encryption algorithms like AES that use secret keys. As the recent NSA revelations have reinforced, these algorithms need encryption keys with high entropy, keys that make brute-force decryption of the data link very costly. These secret keys are generated on the user side. They can be exchanged using a direct physical connection or transmitted to the IoT over the communication link using the public key infrastructure (PKI). Public key encryption using algorithms like RSA or Elliptic Curve is about 100-1000x more compute intensive than symmetric algorithms. PKI is therefore only used for low-data-rate communication, like exchanging secret keys. In an IoT chip, these functions are ideally implemented in a crypto co-processor. Such a crypto co-processor performs the encryption tasks as well as the key management. This avoids overloading the main processor and does not rely on encryption software running on the main processor, which is much more vulnerable to attack.

While encryption on the data link also enables secure access control, it cannot guarantee authenticity. If an attacker has broken the encrypted link, he can pretend to be the IoT and deliver corrupted data. To protect against IoT identity theft, a signature, similar to a fingerprint, is required to confirm that the user is connected to the right device. One way to implement a signature in an IoT chip is a so-called PUF, a Physically Unclonable Function. To authenticate the IoT, the user sends a challenge. The IoT then sends back a response provided by its hardware PUF. PUFs are challenging to implement in silicon: they have to be affected as little as possible by environmental conditions like temperature, power supply, or any other variations. In addition, they have to be unpredictable. If an attacker collects several sets of challenges and responses, he should not be able to predict the next response, i.e. the PUF needs high entropy. S. Katzenbeisser from TU Darmstadt tested different PUF systems implemented in 65nm silicon. Designs based on differential functions (SRAM, ring oscillators) performed best when considering robustness against environmental changes as well as being least predictable.
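An added illustration, not from the original article: the verifier side of the PUF challenge-response authentication described above, in Go. SimPUF is a software stand-in (an HMAC keyed with a per-chip secret) for the silicon PUF, and the enrolment count and noise threshold are assumed values; what matters is the verifier logic: challenge-response pairs recorded while the genuine device is in hand, a Hamming-distance tolerance for the environmental noise in later responses, and single-use challenges so that a captured response does not let an impostor pass.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math/bits"
)

// SimPUF stands in for a silicon PUF (assumption): a per-chip secret models manufacturing variation.
type SimPUF struct{ fingerprint []byte }
func (p SimPUF) Respond(challenge []byte) []byte {
	mac := hmac.New(sha256.New, p.fingerprint)
	mac.Write(challenge)
	return mac.Sum(nil)
}

type Verifier struct {
	crps    map[[16]byte][]byte // enrolled challenge -> response of the genuine device
	maxDist int                 // Hamming distance tolerated for environmental noise
}

// Enroll records n random challenges and the genuine device's answers.
func Enroll(p SimPUF, n, maxDist int) (*Verifier, error) {
	v := &Verifier{crps: make(map[[16]byte][]byte), maxDist: maxDist}
	for i := 0; i < n; i++ {
		var c [16]byte
		if _, err := rand.Read(c[:]); err != nil {
			return nil, err
		}
		v.crps[c] = p.Respond(c[:])
	}
	return v, nil
}

// Authenticate issues one unused challenge (respond models the round trip to the
// device) and accepts the answer only if it is within maxDist bits of the enrolled
// response. The challenge is retired either way, so a captured exchange cannot be replayed.
func (v *Verifier) Authenticate(respond func(challenge []byte) []byte) bool {
	for c, enrolled := range v.crps {
		delete(v.crps, c)
		resp, d := respond(c[:]), 0
		if len(resp) != len(enrolled) {
			return false
		}
		for i := range resp {
			d += bits.OnesCount8(resp[i] ^ enrolled[i])
		}
		return d <= v.maxDist
	}
	return false // challenges exhausted: re-enrol before accepting again
}
```

The noise budget maxDist must stay far below the distance between two unrelated devices' responses (about half the bits for a good PUF), which is exactly the robustness-versus-unpredictability trade-off the silicon evaluation above is about.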

Security and authenticity are key to making the Internet of Things reliable and trusted. They need to be taken into consideration in any IoT architecture upfront, not just as an afterthought. A minimal implementation requires data encryption as well as proper key management, while authenticity using a PUF has to be included in any more advanced IoT system.

Robert Rogenmoser, CEO Securosys