Securing systems and data in the domain of IOT
The explosion of the Internet of Things (IoT) has led to a proliferation of connected devices. These range from small sensor devices and medical wearables to existing electronic industrial and consumer equipment that is now being connected. Many of these are connected ultimately to the internet and use one or more wireless channels.
This opens up many interesting possibilities to manage systems and assets more efficiently, but at the same time, such connections become a potential channel for malign attacks. Here we look at the core issues in securing such systems.
By Nick Wood, Sales & Marketing Director, Insight SiP – experts in RF circuit miniaturization, System-in-Package and Antenna-in-Package.
Core IoT security issues
The first point to note is that there will never be 100% security. Therefore, the key is to analyse what risks one is trying to address, the severity of the possible consequences – and the costs of prevention.
Attacks can take many forms; here we will concentrate on a few types. The first is malicious code being placed on a device. If a hacker has physical access to a device, it is very difficult to prevent them from replacing the software on it. However, what can be done is to prevent them having easy access to security keys that would allow the hacker to further penetrate the larger system. There are now several options: processors with secure zones or, for the strictest security, a dedicated secure element to hold trusted information.
Physical access is not an easy attack channel. A greater vulnerability comes through the possibility of Over the Air Updates. If a malicious update can be injected, a device can be compromised remotely, with possible serious consequences, particularly in the case of medical devices.
Digital signing of software can be a way to mitigate this threat and provide an end-to-end secure method of ensuring the right update arrives at the end device. This in turn requires a robust key management system, and the ability to store such keys securely on the end device. A secure boot mechanism is then also required to ensure the software is checked prior to being executed.
A different type of risk is that of malicious monitoring of data sent from IoT devices. The consequences here could be someone gaining access to sensitive health data from a medical device, but data from a connected home could also reveal an occupant’s absence.
Although wireless links may seem insecure, in general, the point-to-point links are encrypted with reasonable security. What is harder to be sure of is the security of the end-to-end travel, via an internet where one has little control. The only way to isolate oneself from this dependency is to provide end-to-end encryption. This may sound simple, but as with the software signing above, it requires a robust key management and storage process. A hacker can buy a device and analyse it, so any keys or encryption processes need to be secured against spying.
Another more subtle risk is spoofing. Imagine some kind of distributed data collection system. A hacker could create “rogue” devices and inject false data into the system. In such a way, they could create imaginary faults and in extremis cause operators to take harmful actions based on false information. The rogue device could just be a genuine article rigged to generate certain data.
To prevent this kind of attack, a robust authentication process would be required. Data could be signed via individual device keys, so that any rogue devices would not present correctly authenticated data.
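The per-device authentication described above can be sketched as follows. This is an added example, not code from Insight SiP. It assumes each device holds its own secret key and uses HMAC-SHA256 as the authentication primitive in place of an asymmetric signature so that it runs with the standard library only. The device IDs, keys, message fields and the message counter used to reject replays are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample registry: device id -> per-device secret set at manufacture.
DEVICE_KEYS = {
    "sensor-001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "sensor-002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def _canonical(device_id, counter, reading):
    # Fixed serialisation so device and collector MAC exactly the same bytes.
    body = {"device_id": device_id, "counter": counter, "reading": reading}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id, key, counter, reading):
    """Device side: attach a tag computed with the device's own key."""
    tag = hmac.new(key, _canonical(device_id, counter, reading), hashlib.sha256)
    return {"device_id": device_id, "counter": counter,
            "reading": reading, "tag": tag.hexdigest()}


class Collector:
    """Collector side: accept a reading only if it authenticates and is fresh."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per device

    def verify(self, msg):
        device_id, counter = msg.get("device_id"), msg.get("counter")
        key = self.keys.get(device_id)
        if key is None:
            return "reject: unknown device"
        expected = hmac.new(key, _canonical(device_id, counter, msg.get("reading")),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag", "")).encode()):
            return "reject: bad tag"
        if not isinstance(counter, int) or counter <= self.last_counter.get(device_id, -1):
            return "reject: replayed counter"
        self.last_counter[device_id] = counter
        return "accept"
```

Because each device has its own key, extracting the key from one purchased unit only allows that one identity to be impersonated, and its entry can be removed from the registry.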
Security cost and risk balance
Of course, all of the above does not come cost free. Processes to distribute and manage security keys are complex. A final decision on an IoT security strategy will always have to balance cost and risk when considering the measures to be taken.
Security cannot, however, be a “last minute add-on”. It needs to be designed in from the start, using components designed to provide the security features required. The more tightly they are integrated, the harder it will be for a malicious actor to enter the system.