As the Internet of Things (IoT) proliferates, billions of cloud-connected devices are expected to be designed, manufactured and deployed over the next decade. However, the challenges are growing, requiring ever-increasing efforts to prevent hacking of connected devices and protect critical data and intellectual property. The industry is rapidly converging on best practices for keeping next-generation IoT devices safe by demanding a robust “chain of trust” across the entire product lifecycle.
At Secure Thingz, we believe there are three critical areas to consider when applying trust across the supply chain to create a chain of trust:
Security needs to be architected into devices from the moment of inception, and there needs to be an ability to provide secure updates to the device across its lifecycle. The model we have adopted is based on establishing a strong root of trust in the processor system and delivering an encrypted application image to the processor, where it is decrypted in place under specific locking conditions, thereby inhibiting both intellectual property theft and over-production or cloning.
Initially devices need to be architected and implemented with the correct security frameworks, encompassing the root of trust, management of secrets and secure services offered to the operating system and application. In an ideal world, primary keys and certificates are provisioned at the moment of device creation ensuring that bad actors cannot siphon off devices and that every device has a known providence. Alternatively, intrinsic identifiers, such as physically unclonable functions, may be used to provide an internal unique seed.
While secure authentication devices, such as SIMs (Subscriber Identification Modules), MIMs (Machine Identification Module), exist today, their very strengths as “hard bound” devices are also their weaknesses, as they lack the flexibility to execute applications. Instead, a new generation of flexible and low-power microcontrollers are a key factor in the secure foundations required to host secrets effectively while also running robust control applications.
The new generation of end devices requires a complex balancing act from the device platform, including the implementation of a robust root of trust to hold critical private key material securely, and a systematic approach to architecture that delivers confidentiality, integrity, and availability while maintaining application flexibility.
The solution begins with a Secure Boot Manager (SBM) which is injected into microcontrollers at birth, alongside the provisioning of secure keys and certificates, to provide a robust root of trust. Early in the development phase, the OEM programs the SBM into the microcontroller using its preferred method (SWD, JTAG, other, etc) and provisions the microcontroller’s certificates, keys and security lock bits (although this is in itself a major area of development and innovation for many organizations). At this point, the SBM is immutable and any subsequent "application programming" for the processor must be delivered via the secure process utilizing the boot manager that ensures the application code is signed and encrypted correctly.
The Secure Boot Manager has a connection protocol via a communication interface which will look for an image to load from the programmer when there is no signed application available to execute. The programmer feeds the Update Protection Key (UPK) and encrypted application image to the SBM, which validates the UPK, decrypts the image, programs the Flash and updates the application signature table in secure memory.
Every time the processor transitions through a device reset process, the SBM calculates the hash signature of the application and compares it against the values stored in the signature table (in protected memory) to ensure nothing in the application memory has been tampered with, before running the application.
The SBM also enables a secure software update process. The customer application will download the software update to a separate memory location and will make an software update API call to the SBM. The SBM will reset the MCU, and after reset, it will process the requested update by verifying it and programming the flash with the software update.
This framework is the start of a more robust solution to deliver trusted IoT devices that can be securely manufactured and updated across the product’s lifecycle. Runtime security services are provided by the boot manager to process software updates, and enable certificate access, validation and authentication for customer applications. This combined with a secure software encryption and delivery mechanism enables software to securely be manufactured and/or updated over the web for the lifecycle of the product.
The reality is that hacking and intellectual property theft are all too common, and ransomware is rapidly growing as a threat to the cyber-physical domain. The only solution is to implement a "zero trust" design philosophy across the supply chain to minimize vulnerabilities and continually authenticate and individualize deliverables, from the start of development through to the deployment of millions of devices into our systems.
Secure Thingz is a founder member of the IoT Security Foundation where many "Best Practice" guidelines are currently being deployed.
This article is written by Secure Thingz, a leading provider of advanced security solutions focused on the IoT.
For more information about Secure Thingz, go to www.securethingz.com