New-Tech Europe Magazine | July 2017

IoT Special Edition

Hardware-based trust provides key to IoT security

Mark Patrick, Mouser Electronics

As the internet of things (IoT) develops, the issue of security is taking centre stage. The connectivity and protocol standardisation that the IoT entails increase the threat to devices and, through them, to the service networks to which they provide access. A number of threats have already become apparent, such as the hacking of motor vehicles through their internet-connected infotainment systems and a variety of attacks on industrial as well as home devices and even toys. In many cases the hacks were comparatively basic because of weak precautions taken by the manufacturers. Devices are often shipped with a standard and easy-to-guess password. The apps used to program IoT devices often contain information about their internal data structures, providing hackers with useful ammunition.

By focusing on IoT endpoints and devices, hackers can enable a number of attack types, from simple observation to gain information useful for a larger infrastructural attack, to direct manipulation of the device or the network. What is needed is an architecture for IoT devices that builds upon a true root of trust. A root of trust provides a means to set up secure communication with only certified users and applications, reducing the ability of hackers to send messages to a device that may compromise its security. The root of trust also provides a means for the network itself to authenticate the device, to prevent hackers from using their own hardware to break into systems by impersonating approved devices.

The keys and certificates used by secure protocols need to be stored in memory. But this needs to be a memory area that is separate from that used for application data. To be trusted, those keys and certificates need not only to be valid but also to be protected from inspection by secure circuits in the hardware that prevent readout by any unauthorised user. Cryptographic processors complete the implementation by providing direct support for the protocols needed to securely authenticate and communicate with the device without risking the exposure of the full secret keys and certificates to other software running within the device.

Although there has been widespread criticism of the poor security of early IoT products, infrastructures based on the root-of-trust concept already exist and are in mass production. One example is that of the digital mobile phone, designed to support the GSM and later 3GPP standards, that has
