Security Assurance of IoT Systems

This is the second article in a four-part series based on a whitepaper published by Intrinsic ID that explores the risk of low-cost IoT attacks and how to mitigate them. The series aims to dive into the origin and types of the low-cost attacks, security assurance methods, ensuring IoT platform security, IC lifecycle, and how it impacts IC's safety. This article explains various IoT attack surfaces and relevant security assurance techniques.

The world has seen a revolutionary shift to the Internet of Things (IoT) ecosystem, with workplaces, industries, homes, and cities integrating extensive networks of IoT devices. This massive adoption of IoT has created new opportunities for cyber attacks - many of which use low-cost methods to attack device and network weaknesses. Dedicated defense systems are essential for IoT to reach its full potential and agility. This article introduces the types of susceptible attack surfaces and examples of protection measures

IoT Attack Surfaces

An IoT system is susceptible to attacks from various attack surfaces. An IoT attack surface refers to all the potential security vulnerabilities in an IoT network, including the device infrastructure and associated software. Some of the most prominent of these are discussed here.

Devices

These are forefront attack surfaces through which cybersecurity breaches are attempted. The devices include sensors, actuators, and end devices with which the users are connected directly. The major components of a device are memory, firmware, web interface, physical interface, and network services. The attackers launch attacks by exploiting the vulnerability of any of these places. 

Communication Channels

Another frequent attack surface is the communication channel used in the IoT infrastructure. Commonly used communication channels include Wi-Fi and Bluetooth. Attackers exploit network services through direct attacks (DoS, buffer overflow, and replay attacks) as well as passive breeches (surveillance of network traffic). They hinder the privacy, confidentiality, and integrity of exchanged data.

Cloud Interfaces

The next most common attack surface is the cloud’s web interface. These are vulnerable to attacks using SQL injections. 

Cloud interfaces are security-sensitive interfaces. Attacks on cloud interfaces aim to access user credentials and passwords, disrupt password recovery and two-factor authentication, and attempt cross-site forgery and scripting.

Application Interfaces

IoT attack surfaces also include the mobile/web interface. Attacks on these interfaces occur mainly because the device and the cloud implicitly trust mobile applications. As a result, they provide a potential security breach through misuse of password recovery, two-factor authentication, and a no-account lockout mechanism.

Application interfaces are attacked to access the data storage, log file information, and unencrypted traffic

Security measures against low-cost IoT attacks

Having discussed various attack surfaces in IoT networks, let’s now explore the second part of the article, i.e., the methods of security assurance for the vulnerable attack surfaces in the following lines.

Firmware integrity protection

A common attack surface is replacing genuine device firmware with rogue firmware. A protective measure against this attack is to have all firmware in embedded ROM. However, this is not viable due to the need for security updates in the field. To allow in-field updating and upgrading of devices, including security patches, firmware upgrade mechanisms are required.

Mechanisms such as a robust cryptographic digital signature scheme can validate digitally signed images prior to the update allowing to boot from them, ensuring overall integrity.

Runtime memory protection

Runtime memory protection is a security service that can be used to check the integrity of application code and data at runtime. Memory integrity checks are triggered at regular intervals or by events. The service can be used to protect code and data from unauthorized changes, not only at trunk time but throughout the application runtime.

Runtime memory protection can be used to verify the integrity of critical application code or data. In general, runtime memory protection is useful for memory whose contents remain unchanged for long periods of time.

Runtime integrity protection

Integrity protection is a means of providing assurance that information has not been altered in an unauthorized manner since it was created, transmitted, or stored. Additional protection mechanisms may be required to maintain a safe state after trunk, i.e., during application execution, to ensure that code is not only read correctly from memory as in runtime memory protection but also executed correctly. Modern security subsystems may therefore have runtime integrity protection mechanisms, such as periodic verification that code execution is proceeding correctly to validate the integrity of the platform or, for baseline security, environmental security sensors to monitor IC.

Isolation of processing environment / sandboxing

Sandboxing refers to isolating an executable code block inside a safe environment. It runs untrusted software within an environment where it can observe and detect malicious components and activity to block malware from spreading within the network. IoT networks implement sandboxing by segmenting systems into smaller subsystems to isolate them from each other. This prevents malicious attacks from distributing within the network. 

Protection against side-channel attacks

There is a wide range of countermeasures to combat side-channel attacks ranging from special hardware designs that balance power consumption to a selection of software countermeasures that often involve sophisticated mathematics. Because IoT devices are typically built with off-the-shelf hardware components, countermeasures for side-channel attacks focus on software methods. Essentially, all of these methods attempt to decouple the logical digital information (e.g., the key) from the physical bit representation it has.

Protection against fault attacks

The basic remedy against fault attacks is to add redundancy and resilience to the hardware and software at all levels. With IoT, we assume that most countermeasures will need to be added to the software, which means running critical code twice or performing important security checks multiple times. Often it's as simple as defining return values that are not just zeros or ones but two non-trivial bytes. This makes it harder for a glitch attack to produce the desired correct return value. It is also helpful to add measures that monitor whether certain critical blocks of code have been executed - and in the correct order. The countermeasures also depend on whether the error is temporary or quasi-permanent.

Readout protection

Firmware is not only critical for system integrity but also a valuable asset that requires confidentiality protection in addition to integrity and authenticity protection, e.g., to prevent it from being used in clones. In devices that store firmware in an on-chip flash area, the firmware must be protected from many non-invasive attacks as well as invasive attacks on the on-chip flash through readout protection. When using an external flash, the security subsystem may need to provide additional protections such as on-the-fly encryption/decryption and verification services to protect the integrity of the firmware stored in this non-volatile memory (NVM).

Conclusion

The adoption of IoT technology has been exponential during the last decade. Safeguarding it from substantially developing cyberattacks is still a challenge.

The security assurance of all potential attack surfaces, including devices, memory, cloud, and application interfaces, must be kept at the highest priority while installing IoT infrastructure. 

IoT networks must ensure the inclusion of security measures like firmware integrity, memory protection, runtime integrity protection, sandboxing, and fault injection shielding to make the system resilient to security breaches maximally. 

This article is based on the whitepaper titled “Preventing a $500 Attack Destroying Your IoT Devices”. Learn more about the risks of low-cost attacks and how to ensure your devices are safe, secure, and protected.

 Download the paper here.

About the sponsor: Intrinsic ID

Intrinsic ID is among the world’s leading providers of security IP for embedded systems based on physical unclonable function or PUF technology. The technology provides an additional level of hardware security utilizing the inherent uniqueness in each and every silicon chip. The IP can be delivered in hardware or software and can be applied easily to almost any chip – from tiny microcontrollers to high-performance FPGAs – and at any stage of a product’s lifecycle. It is used as a hardware root of trust to validate payment systems, secure connectivity, authenticate sensors, and protect sensitive government and military data and systems. Intrinsic ID security has been deployed and proven in millions of devices certified by EMVCo, Visa, CC EAL6+, PSA, ioXt, and governments across the globe.

References 

1. Callum Cyrus, iotworldtoday.com. [Online] Available from IoT Cyberattacks Escalate in 2021, According to Kaspersky (iotworldtoday.com)

2. Anand P, Singh Y, Selwal A, Singh PK, Felseghi RA, Raboaca MS. IoVT: internet of vulnerable things? Threat architecture, attack surfaces, and vulnerabilities in Internet of Things and Its Applications Towards Smart Grids. Energies. 2020 Jan;13(18):4813.

3. GrammaTech Whitepaper: A FOUR-STEP GUIDE TO SECURITY ASSURANCE FOR IoT DEVICES.

4. Qin Y, Liu J, Zhao S, Feng D, Feng W. RIPTE: runtime integrity protection based on trusted execution for IoT device. Security and Communication Networks. 2020 Sep 23;2020.

5. Intrinsic ID, intrinsic-id.com, [Online] Available From Physical Unclonable Function – Intrinsic ID | Home of PUF Technology (intrinsic-id.com)

6. Geert-Jan Schrijen, design-reuse.com. [Online] Available from SRAM PUF: A Closer Look at the Most Reliable and Most Secure PUF (design-reuse.com)