When Toasters, Cars, Thermostats and Fridges Attack
Right-Sizing the SoC Security Architecture for the New Connected World – IP-SoC, December 2016
Vulnerabilities in IoT devices are real:
A zero-day vulnerability refers to a security hole that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware of it. This is called a zero-day attack. Zero-day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term “zero-day” refers to the unknown nature of the weakness in the system. Once the vulnerability becomes known, a race to fix the vulnerability begins for the developer, who must protect the device users.
In 2015, the number of known zero-day vulnerabilities was 54, a 125 percent increase from the year before, and more than once a week on average. The market needs to evolve in order to protect against such situations.
As a case study, smartwatches were tested. Zero-day attacks were found to be a severe threat. The following weaknesses were identified:
Insufficient User Authentication/Authorization:
Every smartwatch tested was paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts. Thirty percent were vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout, and user enumeration.
Lack of transport encryption:
Transport encryption is critical because personal information is being moved to multiple locations in the cloud. While 100 percent of the test products implemented transport encryption using SSL/TLS, 40 percent of the cloud connections continue to be vulnerable to the POODLE attack, allow the use of weak cyphers, or still used SSL v2.
Thirty percent of the tested smartwatches used cloud-based web interfaces, all of which exhibited account enumeration concerns. In a separate test, thirty percent also exhibited account enumeration concerns with their mobile applications. This vulnerability enables hackers to identify valid user accounts through feedback received from reset password mechanisms.
Insecure Software/Firmware updated:
Seventy percent of the smartwatches were found to have concerns with protection of firmware updates, including transmitting firmware updates without encryption and without encrypting the update files. However, many updates were signed to help prevent the installation of contaminated firmware. While malicious updates cannot be installed, lack of encryption allows the files to be downloaded and analyzed.
All smartwatches collected some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account enumeration issues and use of weak passwords on some products, exposure of this personal information is a concern.
SECURITY WILL EXPAND THE IoT MARKET:
Device makers and service providers who effectively address people’s concerns about personal security will grow their business. It will in fact become a competitive advantage for such makers who are able to obtain the trust of the buyers. Corporate image will be improved and costs for recovery and liability of attacks will be reduced. A trusting end-user will be more willing to buy new devices and services, and therefore adoption could be accelerated.
Security breaches could be everywhere in an IoT system: sensors / smart objects could be hacked by the insertion of non-authorized devices to its interfaces; gateways and routers could be taken control of and deliver malicious content through a network; pirate applications could be installed in a mobile device and spread damage even before the mobile device owner has become aware that something went wrong. The list goes on. The correct protection of your IoT environment requires the proper sizing of the security need.
Software attacks happen due to protocol weaknesses, weak implementation of cryptography, weak passwords, the introduction of viruses and malware, and others. Device level attacks are software attacks that exploit hardware weaknesses such as an unprotected debug port and others. Finally, chip-level attacks result from a detailed study of the design and may include laser attacks, chip delayering, or reverse engineering of other kinds, and more.
It is critical to build in security from the very start of the design of an IoT system. The definition of the new system must include security and privacy design from the very beginning. Device security will be as strong as the weakest component of the system, be it hardware or software. It is therefore important to architect a layered security strategy, from the SoC and up into the various layers of the device itself.
Inside Secure has defined four main security mechanisms that are combined to provide the proper security to a new device:
1. The protection of access to data:
Protection requires the verification of a true and unique identity of the device on a network. The intrusion of fake devices must be avoided because they could be used as the entry point of an attack. Only trusted devices should send commands or access stored data.
2. The protection of data at rest:
Sensitive data should be encrypted and stored in a secure place. By sensitive data we mean not only cryptographic keys, but also sensitive application data and user-related data and credentials (the "security assets").
3. The protection of data in transit:
The confidentiality and integrity of the communications between peers must be maintained. No dialog can be spied upon, and no one can modify the in-transit information.
4. The protection of data in process:
The device must run the software the exact way it was intended to at boot time and after secure updates, without information leakage at any time. The execution of the application must happen in a secure environment from which leakage of information or reverse engineering of any kind cannot happen.
Figure 1 – achieving a complete secure architecture
The security requirements therefore include:
A secure cryptography implementation, certified by NIST via FIPS 140-2 certificates.
A variety of configurable solutions that adapt and protect varying design requirements.
A Trust Anchor.
Detection and countermeasures against tampering and attacks.
Only authenticated device upgrades and reconfiguration, during its entire life cycle.
SECURITY MODELS FOR IoT :
Figure 2 – security models for IoT
Inside Secure defines four different models for IoT Security:
1. Software – the security solution is very fragile, reverse engineering is possible and at most obfuscated; the evaluation of such a solution is limited to FIPS140-2 level 1.
2. Protected – software isolation protects the device against logical attacks, but applications requiring security are run at the same execution environment as all others.
3. Trusted – the security solution provides a hardware isolation of the secured domain, therefore protecting against logical attacks, non-invasive side-channel attacks and some fault injections. Dedicated security services run in a virtualized execution environment. Such solutions can be evaluated against the TEE Protection profile, up to EAL2+.
4. Secured – the security solution provides a physical isolation of the secure domain to protect against logical attacks and invasive attacks. Secure applets run in a secure element in the form of a separate chip or hard macro; such solution can be evaluated against a wide spread of protection profiles, up to EAL6+
According to the various security needs of the different models above, different security solutions are defined:
The VaultIP family of trusted execution environments provide complete physical isolation between the security assets and the rest of the device;
The Core & Software Protection software security element protects the application and secures data in process or at rest;
The Secure Communication tools are tiny software protocol toolkits including SSL / DTLS, IPsec and MACsec.
EXAMPLE: INSIDE SECURE's VaultIP
Figure 3 – IoT device with Vault-IP
Vault-IP isolates and protects key material and crypto operations. In the example above, it ensures that the main CPU can never access the key material, be it at rest (stored) or in use. All operations that involve the keys are done internally by Vault-IP, thus an attack that compromises the CPU will not access the keys or modify the key materials on the device. Vault-IP prevents the keys from being stolen, modified or damaged.
MANAGING SECURITY END POINTS :
Figure 4 – provisioning use cases
IoT business scenarios require a platform to secure root of trust seeding in the device, secure credentials and assets management, secure updates for applications and firmware, and secure data transfers. IoT security is a significant concern in businesses and governments. Measures are being taken to bridge the gaps and prevent breaches at the device level, and efforts are being made to avoid major disasters before they are able to happen.
After the Jeep Cherokee hack, automaker Fiat fixed the problem quickly and issued a safety recall for 1.4 million U.S. cars and trucks to install a security update patch. This served as a wakeup call for the entire IoT industry. Now security firms and manufacturers are working together to secure the IoT world before it spins out of control.
Digital security company Gemalto will use its experience in mobile payments to help secure IoT devices. Gemalto will offer its Secure Element (SE) technology to automotive and utility companies. SE is a tamper-resistant component that gets embedded into devices to enable advanced digital security and life-cycle management via encryption of and access-control limitation to sensitive data.
Microsoft has promised to add BitLocker encryption and Secure Boot technology to the Windows 10 IoT, the software giant’s operating system for IoT devices and platforms such as the Raspberry Pi. BitLocker is an encryption technology that can code entire disk volumes, and it has been featured in Windows operating systems since the Vista edition. This can be crucial to secure on-device data. Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer. Its implementation can prevent device hijacking.
With frequent headlines on cyber security attacks, semiconductor makers, FPGA providers are serious about security, making smart decisions that lead to an optimal balance between security, cost and performance.
Solutions need to be specifically crafted for SoCs or ASICs, for the types of threats that the connected devices will be exposed to. To secure these devices, designers need a comprehensive security IP framework that provides the right level of security with the right functions in these devices.
Inside Secure provides today the largest silicon-proven security IP portfolio for next-generation system-on-a-chip (SoC) and application specific integrated circuit (ASIC) designs for High Speed Networking, Internet of Things, Datacenters and Content Protection, delivering quick time-to-market while reducing design cost.
For more information: www.insidesecure.com.
Thank You !