The challenge of providing heavyweight security for lightweight IoT devices
Guest blog post by William Adams, CENTRI Technology.
I’ve always enjoyed hearing about the early days of computing—especially about the early game developers, artisans who could create magic by writing captivating coin-operated arcade games in machine code that would fit within perhaps just 8KB of ROM.
Today I’ve got the same respect for the pioneers who are bringing heavyweight security to the lightweight world of IoT. Security has always been—and perhaps will always be—a challenge. The challenge is even greater when working within the resource constraints inherent to IoT devices.
Those outside the embedded industry might think: How hard could it be to secure a small device like that?
Of course the answer is: The smaller the device, the harder it is to protect. Whether you’re dealing with a sensor that hangs from a lamp post or protecting back office servers, there’s an unavoidable need to provide the same baseline security capabilities like authentication and secure communication. But with IoT devices you don’t have the luxury of measuring memory in gigabytes, nor measuring processing power in terms of cores. Most devices have an MCU rather than a CPU, and that MCU is running at speeds measured in megahertz, not gigahertz.
Needed: Strong (Not Big) Solutions for Small Devices
Unfortunately, security is often tacked on as an afterthought, which can lead developers to try to drop TCP/IP-based solutions onto devices that can’t begin to handle a TCP/IP stack. I sometimes compare this to placing a steel I-beam onto a flatbed truck, which works just fine. However, if you try to place the same I-beam onto a car, the weight will crush it.
IoT security must be carefully crafted to provide strong protection while fitting within an acceptable footprint—sometimes measured in just kilobytes, not megabytes. If a device has 96KB of ROM, your security needs a footprint that still leaves room for the embedded OS and your application code. Similarly, if you have 32KB of RAM, you need security that can operate within that constraint while leaving plenty of room for everything else. Even devices with the comparatively generous provisioning of 512KB of ROM and 64KB of RAM would be buried by solutions ported from conventional security tools.
Seamless & Secure Encryption
All data captured and transmitted by IoT devices should be encrypted, but it isn’t enough to rely upon network-based solutions. For example, Bluetooth Low Energy uses AES encryption, yet BLE 4.1 or earlier (and BLE 4.2 operating in legacy mode) suffer from key exposure and other vulnerabilities, as detailed by the National Institute of Standards and Technology.
Data can also be exposed during transmission when it is decrypted and re-encrypted at gateways and other control points, for example when transferring from TLS to MQTT.
These vulnerabilities can be mitigated by immediately encrypting the data upon capture, so that it is encrypted from the device onward. This provides a layering of security, so if the AES-protected BLE is breached, all a hacker would find would be another layer of encrypted data. I sometimes compare this to a thief opening up an armored truck, expecting to find bags of cash and instead seeing a big heavy vault.
Compression: The Beauty of Small
IoT devices also benefit from the ability to compress data. Compression is important for a few reasons:
- Encryption tends to expand the size of data, and compression more than compensates
- Compressed data takes up less storage space, always a tight resource on IoT devices
- Compressed data reduces bandwidth demands, which reduces bandwidth costs as well as drain on the device battery
Ideally the device compresses the data in the same pass in which it encrypts it.
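As an added example that is not part of the original post and not CENTRI's code, here is the pipeline the two sections above describe: the device compresses a batch of readings and encrypts them at capture, so the payload is already protected before BLE or a gateway sees it, and the receiver authenticates before it decompresses. It is written against Go's standard library for readability rather than for an MCU; the per-device key, the wire format (nonce || ciphertext || tag) and the sample readings are assumptions of the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
	"strings"
)

// sampleTelemetry is a constructed batch of 24 readings; the repetition is what DEFLATE exploits.
var sampleTelemetry = []byte(strings.Repeat("{\"sensor\":\"lamp-post-17\",\"lux\":312,\"ok\":true}\n", 24))

// newAEAD builds AES-128-GCM from a 16-byte per-device key (assumed provisioned at manufacture).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord is the device side: DEFLATE the reading, then encrypt and authenticate it, so the
// payload is protected before any link layer handles it. Assumed wire format: 12-byte nonce ||
// ciphertext || 16-byte GCM tag, i.e. a fixed 28-byte overhead that compression must pay for.
func sealRecord(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	var zbuf bytes.Buffer
	zw, _ := flate.NewWriter(&zbuf, flate.BestCompression) // errors only on a bad level
	zw.Write(plaintext)
	zw.Close()
	nonce := make([]byte, aead.NonceSize()) // must never repeat under the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, zbuf.Bytes(), nil), nil
}

// openRecord is the receiver side: verify the tag and decrypt, then inflate; anything altered
// in transit fails authentication before the decompressor ever sees the bytes.
func openRecord(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, io.ErrUnexpectedEOF // too short to even hold nonce and tag
	}
	compressed, err := aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, err // wrong key or tampered bytes
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
}
```

Because compression runs before encryption, the sealed length reveals how compressible each batch was, so keep batches of a fixed shape and never mix secrets with data an outsider can influence in the same record.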
A Growing Need for Securing IoT
So, doing IoT security properly is a challenge. But it is a challenge that must be met. The research firm Gartner estimates that 8.4 billion IoT devices have already been deployed, and that the number will more than double to some 20.4 billion by 2020—just two years away. And nearly all of these devices exist beyond the firewalls and other layers of protections that secure enterprise resources. Unfortunately, the billions of IoT devices already in existence, and the billions more heading our way, represent an enormous collective attack surface for hackers and other bad actors.
Wired magazine recently published an update on the Triton malware attack discovered last December in an unnamed industrial plant in the Middle East. The article, titled “Menacing Malware Shows the Dangers of Industrial System Sabotage” notes that “Triton contains a deeper lesson in the need for more robust security review within all industrial control and embedded device systems.” And the article concludes: “Though malware targeting these platforms has been rare up to this point, it is appearing more and more, and critical infrastructure organizations need to prepare.”
This is why we need heavyweight security for the IoT world of lightweight devices.
P.S. I hope you enjoyed this blog post. If you’re interested in delving more into this topic, please join CENTRI and Arm as we explore these issues in a joint webinar on February 13th at 9 am PT. Register here.
About the Author:
William is Senior Director of Products and Customer Advocacy at CENTRI Technology. With a degree in physics from Carnegie Mellon University, William has founded and served as CEO for a number of software companies, with specialties in artificial intelligence and cybersecurity. Getting an early start in computing, William published his first computer program at the age of 11 with the National Science Foundation, and it was distributed nationwide. He became an Honorarium Professor at the University of Colorado at age 16, teaching graduate level computer science classes. Connect with him on LinkedIn.
About CENTRI Technology:
CENTRI provides a complete, advanced security solution for the Internet of Things. Our flexible, software-only platform enables thing makers and developers to quickly get to market with purpose-built IoT security to protect their data from chip to Cloud. CENTRI eliminates your risk of data theft and delivers device integrity with modern, standards-based technologies for the connected world. For more information visit centritechnology.com or email us at firstname.lastname@example.org.