Security starts even before establishing the root of trust to secure devices and the data they generate, store and transmit from the chip right through to data hitting the cloud, writes Annie Turner.
We are heading towards a predicted one trillion connected devices by 2035, but security remains a big fear for many companies and consumers who are thinking about deploying IoT. It is such a big issue that some pundits think it could slow IoT’s promised growth and associated economic benefits: in October 2018, research published by Bain & Company stated that securing IoT was the biggest concern among 45% of executives from enterprises it surveyed.
Importantly, the research identified securing devices as a key factor in securing the data they generate, store and transmit, and predicted that customers would be willing to pay 22% more for secure devices and buy 70% more of them. This would, according to Bain, grow the IoT cybersecurity market by US$9 billion in 2018 to US$11 billion in 2020. An article in The Economist about IoT security in September highlighted Arm and Intel as having moved to fortify devices by building security into their chips.
IoT applications will run on cellular and non-cellular infrastructure for years to come, but Francis D’Souza, the vice president of strategy, analytics & IoT at Gemalto, points out, “When it comes to the data transmission between the device and the backend server, cellular transmission is inherently more secure than other means because of the inherent authentication and encryption present due to the subscriber identity module (SIM) and telco networks. And new, dedicated cellular IoT networks such as CAT-1, CAT-M and CAT-NB IoT are being rolled out by customers – they make adopting cellular a lot more cost-and-power efficient than previously, along with all the in-built security on the device-to-cloud path.”
Clearly the evolution of SIM technology will play a critical role in helping to secure cellular IoT devices, primarily in the shape of the GSMA’s embedded SIM (eSIM) standard and Arm’s integrated SIM (iSIM). Yet as Vincent Korstanje, the vice president and general manager, Emerging Businesses at Arm, highlighted in August, a survey of 650 executives indicated there is considerable resistance to and a lack of knowledge about them.
The survey found that the three greatest obstacles to large commercial eSIM deployments were resistance from established stakeholders (69% of respondents), the perceived complexity of delivering eSIM deployment (40%) and concerns about being locked in (40%).
Further, although 90% of respondents knew about eSIM, 43% were unaware of iSIM technology. The respondents came from mobile operators, chipset and module makers, original equipment makers (OEMs), IoT service providers, enterprises, consultants and SIM vendors.
So what are eSIM and iSIM?
eSIM stands for embedded subscriber identification module and is a standard drawn up by the global mobile network operators’ trade body, the GSMA. This universal approach will grow the Internet of Things by allowing manufacturers to build a new range of products for global deployment based on this common eSIM architecture.
Moving away from providing a pluggable SIM slot and adding the eSIM into the device adds complexities in sourcing, manufacturing and requires knowhow which all act as a barrier to adoption. In addition, even an eSIM can consume precious space in a device and could be the make or break of being able to serve a size sensitive use case. An iSIM solves the space conundrum as it resides within the footprint of the System on Chip (SoC), which is already a necessary IoT device component. It also removes the technical integration angst from the device manufacturer at device assembly.
An iSIM runs within a security enclave, implemented as an integral element of a SoC. The security enclave introduces dedicated, protected processing and isolation for the execution of eSIM functionality whilst residing alongside other system on chip components including microprocessors and the cellular module. Arm’s integrated SIM (iSIM) implementation offers full compliance with the GSMA’s eSIM technology.
The advantages of this approach are greater security – in part by reducing the attack surface to one component – a smaller footprint and reduced power requirements for operating cellular IoT devices in remote locations and at an economically feasible cost.
The first part of securing a device is using a secure boot to activate it. D’Souza stressed that only a hardwarebased root of trust should be used to provide an immutable source within the cryptographic system and it must be isolated from the wider operating environment. Secure boot ensures the code that runs on the hardware platforms is authentic and unmodified, from the first piece of code – the microloader – that boots to establish a root of trust, on which all the next interlinked measures build.
He warns that if secure boot is not implemented properly, a hacker could inject malicious code and change what the device is meant to do, without the device owner even knowing, with potentially devastating consequences. This is what happened in October 2016 when a huge distributed denial of service (DDoS) attack disrupted about a third of all US and some European internet services.
Millions of IP surveillance cameras, printers, baby monitors and other apparently innocuous devices were infected with the Mirai virus by hackers who had correctly assumed that the devices’ default usernames and passwords were unlikely to have been changed when they went into use and used them to carry out an orchestrated attack on Dyn, the domain name server which maps browsers to web sites.
D’Souza adds, “The implementation is as important as the technology, if not more important because if you have [badly implemented] technology in place, you might be more confident than you should be and less vigilant.” No wonder the consulting firm EY’s recent study about the Smart Home found that 71% of the 2,500 consumers it surveyed were worried about hackers gaining access to smart gadgets.
On the other hand, done properly, the secure boot procedure with a protected root of trust ensures all the devices are linked and hackers cannot intervene. An industry certified security enclave, realised within the SoC, can offer such root of trust protection and is in line with Arm’s PSA.
Arm’s Platform Security Architecture (PSA) framework provides a reference against which IoT developers can realise product with security inherent. It has been formulated to provide an industrywide, standardised approach to building secure multi-vendor ecosystems of IoT hardware and software. It comprises a set of application programming interfaces (APIs), best practices, threat models and opensource reference firmware. The PSA methodologies are available to all vendors and developers to build products against.
Arm also believes that this root of trust can be co-located with the iSIM, within the security enclave, without compromise due a SIMs security architecture. An iSIM, running a SIM OS such as Arm Kigen eSIM OS, offers full industry standardised functionality and complaint, accredited and certified remote management. Arm is working within the industry standards community to realise the delivery of IoT device root of trust at point of manufacture.
iSIM also runs on Arm’s Kigen operating system software stack which provides a highlevel of isolation and security, suitable for stringent certifications.
Devices’ identities (see below) are typically in the form of keys, which are used to derive various things, including certificates to enable the encryption of data from device to the cloud or to sign and verify data. The certificate is inextricably linked to the encryption algorithms themselves, and typically has a limited life span of three to four years.
This is deliberate as otherwise, given enough time, a hacker could listen in to transmissions and with sufficient compute power – the cost of which is falling all the time – eventually crack the encryption. D’Souza says that in “the normal world” this is not such a big issue, but in IoT, where devices could be in place for perhaps 15 years, the need for “hygiene and best practices” is acute and constant.
He explains, “You need to stay ahead of hackers – you always have to assume the worst. If I have one million smart devices out there and someone is waiting to carry out an attack from them all at the same time they could cause terrific damage. Updating the identities, that is the keys, on devices every month or two, reduces the risk and the hacker is back to zero.”
A unique identity
Identity is another piece of the security jigsaw. Each device needs a unique and secret identity, according to D’Souza, as it must always be clear which device is communicating. He recommends implementing a diversified identity, which he acknowledges is, “not rocket science”, but adds, “doing it well is critical: if, for example, you have a secret identity for a million connected devices, those IDs need to be stored securely on the devices to avoid being cloned, but also secure where the identities are generated from and stored, whether on a server or the cloud, or they could be spoofed.”
He refrained from revealing the company in question, but reported a recent conversation he had with an organisation that explained it did not need diversified identities as it used the same identity on all its devices. As D’Souza notes wryly, in such a situation, how would it be possible to know which is an original device and which is the clone?
During such a long operational lifetime, there are bound to be updates to applications, which again is a potential source of incursions. If upgrades are not properly managed, there could be an attack from the internet.
Again, design is foundational: D’Souza says the device must be designed so that it only accepts secure updates from a trusted server and the updates are signed and scheduled. There must be authentication between the server and device, via a public key infrastructure (PKI), that ensure the device won’t accept an update from anywhere or anyone else.
He stresses, “If you implement right, then you can update – security is a constantly moving target” as was so painfully shown by the the massive, so-called side-channel attacks, Spectre and Meltdown, in 2017.
Simon Segars, the chief executive of Arm, noted in the Arm Security Manifesto 2018/19, “What the researchers found [when they investigated Meltdown and Spectre] went to the heart of decades-old perceived wisdom about processor design. It under-lined how ‘secure’ is not a permanent state, only a judgement at a point in time that must be constantly revisited.”
Security is collaborative
As Yossi Naar, chief visionary officer and cofounder of Cybereason, which provides a cyber defence platform for endpoint prevention, detection and response and active monitoring, observed, “While cybercriminals can succeed even if they act independently of each other, our industry will only win if we act together.”
Segars concurs with this, adding in the same article, “In the case of these new sidechannel attacks, an in-house team at Google found the threat, and our industry’s response – in particular Intel, AMD and Arm as lead partners – was immediate and carefully handled. Cost was never a factor, and companies across the sector collaborated at a depth and scale that I’d never seen before.”
Complexities of cost
D’Souza notes, “The cost of hacking keeps going down”. He says that a hack that would have cost US$30 million to execute 15 years ago can now be carried out by a ‘script kiddie’ (a person with limited knowledge) who can buy the software for US$300 from GitHub or any other such repository.
To counter to this, the only pragmatic approach is through a multi-layered approach and collaboration to make attacks on a system uneconomic. By increasing the cost, time and difficulty of attacks, it is likely that fewer will succeed. In addition to the other measures, this must include being able to detect and quickly identify threats in the field, so that threatened devices can be isolated, maintained and updated as necessary, to defend the integrity of the trusted firmware and the overall infrastructure and the applications that run on it.
However, these elements are typically handled by separate parties and it can be challenging to implement and coordinate their operation to guarantee continuity and trust. Again, collaboration, multi-layers and platform models come to the fore.
Cybereason’s Naar said in his contribution to the Arm Security Manifesto 2018/19, “As an industry, we need to support defenders in taking a proactive approach to security. Instead of waiting for security tools to generate alerts (how security is traditionally done), we need to focus on threat hunting – looking for attackers already lurking in an environment.
“Now that we are working with Arm and its Pelion IoT Platform, we will have an ability to take an overview of any device in a connected network that is running the Arm Mbed OS,” he added. “This means remediation action can be taken if a threat is detected anywhere in a network. Detecting threats across a deployment is vital as hybrid networks made up of IoT devices and non-IoT devices become more common.”