As the internet of things (IoT) develops, the issue of security is taking centre stage. The connectivity and protocol standardisation that the IoT entails increase the threat to devices and, through them, the service networks to which they provide access. A number of threats have already become apparent, such as the hacking of motor vehicles through their internet-connected infotainment systems and a variety of attacks on industrial as well as home devices and even toys.

In many cases the hacks were comparatively basic because of weak precautions taken by the manufacturers. Devices are often shipped with a standard and easy-to-guess password. The apps used to program IoT devices often contain information about their internal data structures, providing hackers with useful ammunition.

By focusing on IoT endpoints and devices, hackers can enable a number of attack types, from simple observation for gaining information useful for a larger infrastructural attack to direct manipulation of the device or the network. What is needed is an architecture for IoT devices that builds upon a true root of trust.

A root of trust provides a means to set up secure communication with only certified users and applications, reducing the ability of hackers to send messages to a device that may compromise its security. The root of trust also provides a means for the network itself to authenticate the device, to prevent hackers from using their own hardware to break into systems by impersonating approved devices.

The keys and certificates used by secure protocols need to be stored in memory. But this needs to be a memory area that is separate from that used for application data. To be trusted, those keys and certificates need not only to be valid but also to be protected from inspection, by secure circuits in the hardware that prevent readout by any unauthorised user.

Cryptographic processors complete the implementation by providing direct support for the protocols needed to securely authenticate and communicate with the device without risking the exposure of the full secret keys and certificates to other software running within the device.

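The separation described above can be modelled as a challenge-response exchange in which application code can ask the key store for an answer but never for the key. This is an added example, not code from the article: the class names, the device ID `sensor-01` and the symmetric HMAC-SHA256 construction are assumptions, and a Python class stands in for the hardware key store.

```python
import hashlib
import hmac
import secrets


class SecureElement:
    """Models the protected key store: the key is written once and only
    ever used internally. Real isolation comes from hardware, not Python."""

    def __init__(self, device_id, provisioned_key):
        self.device_id = device_id
        self.__key = provisioned_key  # no method returns this value

    def respond(self, challenge):
        # Bind the answer to this device identity and the fresh challenge.
        msg = self.device_id.encode() + b"|" + challenge
        return hmac.new(self.__key, msg, hashlib.sha256).digest()


class NetworkVerifier:
    """Network side: holds the enrolled key and issues single-use nonces."""

    def __init__(self, enrolled_keys):
        self._keys = dict(enrolled_keys)
        self._pending = {}

    def issue_challenge(self, device_id):
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def verify(self, device_id, response):
        nonce = self._pending.pop(device_id, None)  # a nonce is valid once
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False
        msg = device_id.encode() + b"|" + nonce
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    net = NetworkVerifier({"sensor-01": key})
    genuine = SecureElement("sensor-01", key)
    impostor = SecureElement("sensor-01", secrets.token_bytes(32))
    first = genuine.respond(net.issue_challenge("sensor-01"))
    ok = net.verify("sensor-01", first)
    fake = net.verify("sensor-01", impostor.respond(net.issue_challenge("sensor-01")))
    net.issue_challenge("sensor-01")
    replay = net.verify("sensor-01", first)  # captured answer, new nonce
    return ok, fake, replay
```

`demo()` returns the verifier's decision for the enrolled device, for hardware that claims the same ID without the provisioned key, and for a captured response replayed against a fresh challenge.
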
Although there has been widespread criticism of the poor security of early IoT products, infrastructures based on the root-of-trust concept already exist and are in mass production. One example is that of the digital mobile phone, designed to support the GSM and later 3GPP standards, that has

Hardware-based trust provides key to IoT security
Mark Patrick, Mouser Electronics
New-Tech Magazine Europe, IoT Special Edition