Object Security And The IoT

What is a thing, and how do you prevent it from becoming a problem in a hyper-connected world?


Objects of the IoT will be anything and everything. It is conceivable that, eventually, almost every animate and inanimate object will have a cybernetic umbilical cord to it.

IoT “things” take on virtual representations. They have intelligence. They are able to interact with each other as well as mine and store data about what and how objects are being used, what their status is, who and what they have interacted with, who or what they are connected to, and much more. Someday, they may even have unique, holographic representations that have familiar shapes we can interact with, just as we interact with each other.

What to Expect
Initial devices on the IoT will be made up, largely, of the current crop of smart devices—mainly phones, tablets, computers of various configurations and the autonomous devices that are already connected to the Internet in one fashion or another. As the IoT evolves, it will integrate things we have only seen in Star Trek, or other futuristic fantasy.

Expect to see things such as smart medicine bottles that will let you know when you need to take your dose and prevent you from double dosing. Medical devices that are worn or implanted will interact with providers to report any number of conditions, and even call for an ambulance if they detect you are having a heart attack or have been in an accident. They will also transfer critical data to emergency personnel in real time, advising them of your condition.

Other items such as construction equipment and heavy machinery will be aware of each other’s presence and be able to, automatically, schedule the equipment to be exactly where it needs to be, with what is needed, and when. Smart traffic signals will function in real time and communicate with smart vehicles and other signals to optimize traffic flow.

In the home, refrigerators will communicate with you that you are missing an ingredient or two for tonight’s meal and notify the grocery store to have them ready as you walk up to one of the many autonomous checkout lanes that simply scans you, and you are done. Then, as you are precisely six minutes out (because the smart home talks to the smart vehicular grid) the oven comes on and is exactly at the right temperature for the thawed foods that the refrigerator prepared. The devices and scenarios go on and on. By some estimates, there will be as many as 50 billion “things” on the IoT by 2020.

Regardless of how the development of the IoT plays out, there clearly will be security implications, likely orders of magnitude larger than what we face now. The challenge is that security requirements will vary, depending upon how those objects are used.

“Particular objectives and solutions can differ widely as there is a broad range of different systems, and security typically has not been a specific design objective from the start,” said Jerome Schang, authentication segment marketing manager for NXP.

Experts say the security threats in the IoT will be broad and potentially crippling to systems unless security of objects is a first priority. To design in chip-level security will be another challenge because, according to Schang, for the immediate future, “the IoT will be mostly the Internet of existing things. And, in most of these cases, these things are really just small devices that had no forethought of security or connectivity.”

“If you think about it, much of what will be the first generation of objects on the IoT will be leveraging the existing objects and trying to patch the security vulnerabilities that they have,” he said. “Looking at the IoT in general, everybody would love to think that it is a clear, blue ocean where everything will be built from scratch. But the reality is that most of the devices will have very aggressive cost structures that leave little or no room for security at the chip level. So our challenge is for this, and to some degree, even the next generation of products, to find ways to add security with minimal impact to the BOM.”

National and Global Security
Because the early IoT will be made up of many objects that are vulnerable, a top priority is to protect high-value targets. Segments such as the security and communications infrastructure, and the energy grid, will have to be made impervious to attack. The risk is just too great.

Other globally damaging events that could occur are industrial espionage and large-scale denial of service and other attacks. It isn’t inconceivable that a tiny sensor on an oil rig could lead to the complete disruption of a part of the oil supply because, with everything connected to everything else, a hacker could shut down all the refineries, for example. That may be a stretch, but it does indicate just how vast the potential risks are, and the scenarios being considered by security experts.

A second tempting area that causes some uneasiness in regard to its relationship with the IoT is the “cloud.” Today, enormous volumes of critical and secure data reside in cloud servers across the globe. Despite reassurances from cloud guardians, security breaches occur almost daily. And that is for what is supposed to be, in many cases, highly secured data. One can only imagine what potential worm holes are available for benign data on non-critical clouds such as personal cloud servers.

Fortunately, for higher-end systems, such as those that protect national security and critical cloud servers, there is a better prognosis for bulletproofing. Such systems are powered by equally high-end hardware.

For one, there are already organizations watching out for security threats, such as ICS-CERT. Second, standardization efforts have been undertaken to add security to those systems. Typically that security hardening requires the addition of dedicated security processors.

“Such hardware has the computing power to generate cryptographic keys and handles the mathematical computations that are necessary to run through complex security algorithms in a tamper-resistant environment,” said Schang. Similarly, the high-security ICs used in today’s contactless passports and banking cards contain tamper-resistant security ICs with specific hardware acceleration to generate complex keys and encryption. “In our ICs are found the acceleration methodologies along with all the encryption libraries to facilitate public key cryptography.”

The chip holds these private keys and other critical information in secure memories that can be interfaced to the application. Added Michael Poitner, global segment marketing director at NXP: “These ICs are architected from the ground up to provide these security features.” They are dedicated security ICs with physical and logical security features, including encrypted memory and buses, as well as different types of tamper sensors such as temperature, voltage, and light which, if alerted, will shut the IC down. NXP also has a variety of physical shielding methodologies that make physical attacks and reverse engineering more difficult, Poitner said.

ARM takes a different approach, treating IoT vulnerabilities as “solutions for problems.” According to Haydn Povey, marketing director for security at ARM, “Security is really defined by the things you are protecting and the threat you are protecting against.” ARM uses “TrustZone,” which segregates various functions of the chip, such as an Android operating system, from the secure data.

“That approach allows for the security to be extended throughout the SoC, and offers the unique ability to control these peripherals,” said Povey. For example, the keypad or screen can be killed if malicious activity is sensed, and the secure data is protected. “ARM can create, on an SoC, secure peripherals so tablets and smart phones have the open access of Android but can also constrain the environment. This allows code writers to develop software that is secure and bounded, and the programs can be certified. Ultimately, a lot of security is around proving what has been done, in addition to the obvious security measures, so certification is critically important in the security sector.”

When it comes to the emerging IoT, there are a number of higher-end objects that can benefit from this enhanced isolation design. For example, the Cortex-A8 processor is used in some of the high-end thermostats, including the complex self-regulating environmental control applications at airports. As such, they need to be hack-proof.

These kinds of applications are generally prone to software-type attacks or exploitation of security breaches, as was the case with the Heartbleed code. There are also physical attacks that have to be thwarted. Physical attacks are more prevalent in devices that contain sensitive data, such as smart cards, tablets and secure cards, which can be mined and used for any number of theft or other illegal activities.

Physical attacks can come in a number of ways. “For example, people taking a focused ion beam and machining down the substrate to the metal,” said Povey. “Then they physically probe the metal to find the signals and try to extract the keys – a process commonly called ‘fibing’.”

The fibing process has become highly sophisticated. Computer-controlled probing stations are capable of attaching wires to the smallest of devices, all the way down to 40nm chip architectures. And there is real value in hacking into these chips, which can be anything from a bank card to a secure access card. They can provide a way into financial accounts, buildings, utility grids, communications and transportation networks, customer credit card records, and just about any other type of high-value asset. And with physical attacks, the perpetrator is much harder to catch, because there is no audit trail as is the case with many of the software-based attacks.

As the technology to mine chips physically ratchets upwards, one method of securing the chips is something that has been implemented into sensitive physical data for decades — self-destruct mechanisms. Many of the chip manufacturers have programs that address precisely such techniques. Some are well known, others are extremely secretive. Countermeasures that can be used to defeat tampering range from simply flushing secure data to burning out components. Of course, the more complex the countermeasure, the more it adds to the chip, both in cost and physical footprint.

“Some methods are more successful than others,” said Povey. “One very successful method is to add additional metal layers to create a wire mesh over the chip layers. If there is an attempt to compromise the package, and one of the wires is broken, an alarm is triggered and whatever specific action is programmed occurs.”

“Another method of attack is differential power analysis, which is done by measuring minute fluctuations in power levels during key probing. If there are enough signals at a sufficiently fast resolution, eventually a statistical analysis can be made of the data, and the keys can be retrieved just by looking at the power signature.”

When all is said and done, the type of security really depends upon the type of requirements the application or installation demands. Because the IoT isn’t here yet, this type of chip-level security is mainly used to secure high-value assets in the current infrastructure, both in and out of the Internet. However, there is much discussion on how, and how much, and what level of security will be applied to the untold masses of low-end IoT objects as the IoT evolves.

For non-critical objects, and those where cost is much nearer the center of the radar screen (a connected toothbrush, for example), such bulletproofing is impractical and way too expensive. Therefore, these devices will have to be secured in other fashions because they can be a back door for attacks if not accounted for in the global security scheme. How that will shake out is still somewhat fuzzy.

IoT Threats Now – Worms and Other Malicious Presences
Much of what has been discussed in this article has to do with the upper echelons of security on critical data. What will occur in the IoT is still subject to much conjecture because there is not a deep well of data available. However, the world is catching a glimpse of things to come. Last December there were reports of a malicious “worm” that was spreading on the Internet. It was specifically coded to attack embedded devices running Linux and had IoT written all over it.

The worm is called Linux.Darlloz and was largely transferring between PC systems, but it is capable of attacking a “range of small, Internet-enabled devices as well as traditional computers.” When Symantec’s anti-virus team analyzed it, they found variants that could attack chip architectures used in devices such as home routers, set-top boxes, and security cameras, all of which are core objects of the IoT. The worm exploits a known PHP Hypertext Preprocessor (PHP) vulnerability, which allowed malicious code to be executed on vulnerable systems using specially formatted query strings.

Another instance of IoT hacking also occurred during last year’s holiday season. A security firm by the name of Proofpoint found that 100,000+ typical low-end, IoT consumer appliances, mostly TVs and refrigerators, running a variant of Linux, were sending email solicitations for fake pharmaceuticals. Email recipients who clicked on the links would run a worm that exposed the computer to hostile software designed to steal sensitive data.

The fact that such invasions have been documented implies that the compromise of IoT objects is gaining traction quickly. So far, they have been of low impact. However, as the sophistication level increases, and if the industry doesn’t take these hiccups seriously, attacks on Internet-enabled devices will have a tremendous impact on people’s lives. Scenarios can range from simply turning off power and communications to your home, to causing potentially catastrophic air, communications, or infrastructure chaos, and even disaster.

On PCs, software is available that can thwart most of the viruses, bugs, and worm holes. But exactly how to install a comprehensive software suite on a smart toaster might be a bit of a challenge. IoT devices cannot be too complex. Consumers won’t buy these devices if they are required to do much more than input a username and password for every intelligent widget and gadget that ends up on the IoT. Economies of scale have to be considered, as well. Few consumers would be willing to pay $30 or more to add security to a $20 toaster.

This article has taken a look at some of the issues that will face us as the IoT takes shape. For highly sensitive and critical data, there is much less of a learning curve, since the practice of securing such data is already well along the experience roadmap. Most of that, today, is simply staying ahead of the malfeasance curve with new methodologies and technologies.

The simple “smart toothbrush” side of the IoT is, to parrot a well-worn adage, a horse of a different color. This segment is much nearer the inception stage. Plus, economies of scale, user interaction and the technological logistics are huge obstacles that we just don’t have a good handle on yet. Moreover, there is a diverse set of perspectives on exactly what, when and how the IoT will really look, feel and function when it finally becomes apparent there is a clear and present danger.

Most likely it won’t be an attack on Fort Knox that will bring Internet Armageddon on the virtual world. It will be the smart doorbell with the java-size UNIX applet that some tired programmer simply forgot to secure the call block on.