Establishing the Root of Trust for the Internet of Things

Securing the IoT will require a holistic approach.


The Internet of Things (IoT) is a quickly emerging ecosystem of applications, products and services in which both large and small devices connect to the internet. These new IoT devices will be embedded into diverse applications ranging from home security and home automation to manufacturing—and more. Protecting the data collected from these dispersed IoT endpoints presents a myriad of challenges, but one thing is certain: If you can’t trust the data, there’s no point in collecting, analyzing and making business decisions based on it.

Trust in embedded security refers to an expectation of integrity: that an IoT device is operating as designed. Software trusts that the hardware is operating as it should. Applications trust that the operating system is not corrupting files. Remote systems trust the identity of the device to which they are connected. The process of establishing this trust is called authentication. A device’s root of trust is the point where authentication starts; from there it extends through each successive layer. For more critical IoT applications, a hardware root of trust is an important building block for securing IoT endpoints and services.

Establishing the root of trust
The first step in securing an IoT endpoint is to ensure that it starts only when the following conditions hold:

• It is operating as expected
• The firmware needed to run the system is intact
• It has not been tampered with in any way

Ideally, the root of trust is based on a hardware-validated boot process that ensures the device can only be started using code from an immutable source. Since the anchor for the boot process is in hardware, it cannot be updated or modified in any way. When this foundation is combined with a cryptographically secured boot process, there are no easily accessible gaps for attackers to exploit.

A root of trust can be established by a variety of methods. The simplest mechanism is to run start-up code directly from a non-writable location in the processor’s memory map. Alternatively, to allow updates and more flexibility, the code can be loaded from a protected memory region into a protected memory store set aside for firmware execution; a number of other methods exist as well. The important aspect of a root of trust is to be sure, before execution, that the initial code is what the manufacturer intended. When it starts, the root of trust derives its internal keys from supplied device identity inputs and executes self-tests and code validation on itself. If these tests pass, it can move on to validate the first piece of code in the chain of trust. For organizations concerned about maintaining a secure device computing environment, the operating assumption needs to be this: boot securely — or don’t boot at all. Many IoT system-on-a-chip (SoC) providers across the industry have begun to adopt that mantra and are implementing mechanisms that provide a hardware-based root of trust.

Adapting Roots of Trust to the IoT
IoT is very much a mixed world, with a range of high- and low-power devices in the field. Because IoT devices range from 8-bit to 32-bit parts with limited computing capability, cryptographic operations such as encryption and authentication must be feasible on these low-compute devices. One alternative to standard RSA cryptosystems is Elliptic Curve Cryptography (ECC). ECC performs encryption and authentication operations in much less time than RSA while providing equivalent security with much smaller key lengths. This means ECC runs well, finishes faster, and uses less battery power, even on slower and less powerful IoT devices.

Application of Roots of Trust in the IoT
IoT devices and services need to adopt code signing. No device should ever run unsigned code, and it is dangerous to accept data from unverified devices or unverified services. Allowing devices to run unsigned code means that your devices could be maliciously configured to run someone else’s code, and do it in your name. All software, firmware, boot images, applications, executables, and operating systems should be signed, for all IoT applications ranging from industrial to security-sensitive consumer products. A single device sometimes needs multiple tiers of roots of trust for code signing and other functions. A chip vendor needs its own root of trust for secure code updates. A manufacturer of IoT devices needs its own root of trust for cross-manufacturer interoperability. And the service provider needs its own root of trust for machine-to-machine communication and trust. The multi-tiered root of trust model enables each entity in the value chain to perform secure functions without having to trust the other entities.
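The following Go program is an added example, not code from the original article or from any SoC vendor, that models the chain of trust described under "Establishing the root of trust" together with the multi-tiered code-signing model described above. It uses the standard library's ECDSA over P-256, the kind of ECC the article recommends for constrained devices. The immutable anchor is represented as one SHA-256 digest of a public key per tier (chip vendor, device manufacturer, service provider), as would be burned into fuses or mask ROM at manufacturing; each boot stage is accepted only if the key offered for its tier matches the fused digest and the stage's signature verifies over the code actually in flash. The tier names, image contents and keys are all constructed for the example. Four boot attempts are run: a clean chain, an application modified after signing, an agent with its signature stripped, and a bootloader signed with the OEM key rather than the vendor key; boot halts at the first failure in each case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// One signing tier per entity in the value chain (tier names are constructed for this example).
const TierVendor, TierOEM, TierService = "chip-vendor", "device-oem", "service-provider"

// Image is a code image as it sits in flash: the tier that must have signed it, the code, and an
// ASN.1 ECDSA P-256 signature over SHA-256(Code). An empty Sig means the image is unsigned.
type Image struct {
	Name, Tier string
	Code, Sig  []byte
}

// RootOfTrust is the immutable anchor: per tier, the SHA-256 digest of the public key that tier
// may sign with. In silicon this lives in OTP fuses or mask ROM and is never updated.
type RootOfTrust struct{ anchors map[string][32]byte }

// pubKeyDigest hashes the DER encoding of a key; marshalling cannot fail for a well-formed P-256 key.
func pubKeyDigest(pub *ecdsa.PublicKey) [32]byte { der, _ := x509.MarshalPKIXPublicKey(pub); return sha256.Sum256(der) }

// Provision burns the per-tier key digests at manufacturing time.
func Provision(pubs map[string]*ecdsa.PublicKey) *RootOfTrust {
	rot := &RootOfTrust{anchors: map[string][32]byte{}}
	for tier, pub := range pubs {
		rot.anchors[tier] = pubKeyDigest(pub)
	}
	return rot
}

// VerifyImage: the key offered for the image's tier must match the fused digest, the image must
// carry a signature, and that signature must verify over the code actually present in flash.
func (r *RootOfTrust) VerifyImage(img Image, pub *ecdsa.PublicKey) error {
	anchor, ok := r.anchors[img.Tier]
	if !ok || pub == nil || pubKeyDigest(pub) != anchor {
		return fmt.Errorf("%s: offered key is not the provisioned %s key", img.Name, img.Tier)
	}
	if len(img.Sig) == 0 {
		return fmt.Errorf("%s: unsigned image refused", img.Name)
	}
	h := sha256.Sum256(img.Code)
	if !ecdsa.VerifyASN1(pub, h[:], img.Sig) {
		return fmt.Errorf("%s: bad signature (code modified or signed by another tier)", img.Name)
	}
	return nil
}

// BootChain verifies stages in order and halts at the first failure, returning how many stages
// were accepted: boot securely, or don't boot at all.
func BootChain(rot *RootOfTrust, stages []Image, keys map[string]*ecdsa.PublicKey) (int, error) {
	for i, s := range stages {
		if err := rot.VerifyImage(s, keys[s.Tier]); err != nil {
			return i, err
		}
	}
	return len(stages), nil
}

// Sign is what a tier's build pipeline does to its own image before release.
func Sign(priv *ecdsa.PrivateKey, code []byte) ([]byte, error) {
	h := sha256.Sum256(code)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Scenario provisions a three-tier device with constructed keys and images, boots it four times
// and returns, per case, how many stages were accepted before boot halted.
func Scenario() map[string]int {
	privs, pubs := map[string]*ecdsa.PrivateKey{}, map[string]*ecdsa.PublicKey{}
	for _, t := range []string{TierVendor, TierOEM, TierService} {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		privs[t], pubs[t] = k, &k.PublicKey
	}
	rot := Provision(pubs)
	mk := func(name, tier, code string) Image { // constructed sample images
		sig, _ := Sign(privs[tier], []byte(code))
		return Image{Name: name, Tier: tier, Code: []byte(code), Sig: sig}
	}
	boot := mk("bootloader", TierVendor, "constructed bootloader v1")
	app := mk("application", TierOEM, "constructed application v1")
	agent := mk("cloud-agent", TierService, "constructed agent v1")
	tampered, unsigned, oemBoot := app, agent, boot
	tampered.Code = append([]byte("X"), app.Code[1:]...) // one byte changed after signing
	unsigned.Sig = nil                                    // signature stripped
	oemBoot.Sig, _ = Sign(privs[TierOEM], boot.Code)      // OEM key signs the vendor's stage
	cases := map[string][]Image{
		"clean chain":              {boot, app, agent},
		"modified application":     {boot, tampered, agent},
		"unsigned agent":           {boot, app, unsigned},
		"bootloader signed by OEM": {oemBoot, app, agent},
	}
	accepted := map[string]int{}
	for name, stages := range cases {
		n, err := BootChain(rot, stages, pubs)
		accepted[name] = n
		fmt.Printf("%-26s accepted %d stage(s); error: %v\n", name, n, err)
	}
	return accepted
}

func main() { Scenario() }
```

Run it with `go run .`; the clean chain accepts all three stages, while the other three cases stop at the offending stage and report why. The point of the per-tier anchors is visible in the last case: the OEM key is a perfectly valid provisioned key, but it cannot be used to pass off a bootloader in the vendor's tier, so no entity has to trust another entity's key discipline for its own stage. In a real device the digest comparison and signature check would run from ROM before any mutable code executes, and the fused digests would be write-once.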

Bottom line
Moving forward, IoT devices will be used to control hundreds of critical systems and will be exposed to varied threats. Security is a major concern for the IoT and could be a critical factor in the ultimate growth and prevalence of these devices in society. In conclusion, securing the IoT will require a holistic approach that offers robust protection against a wide range of threats through carefully thought-out system design using techniques such as hardware roots of trust. This shift will allow organizations to secure devices throughout the product lifecycle, from device manufacturing all the way to end-of-life decommissioning.
