IoT Security – Hardware way to address the rise of IoT Botnets
IoT Security threats has seen a raised high level since Reaper botnet was widely reported in Oct’17. Reaper (aka IoT Troop) botnet is a new breed of botnet, evolved with more lethal capabilities compared to the earlier ones. While the earlier botnets like Mirai, Hajime were using default password vulnerabilities, Reaper bot adopts innovative exploitation mechanisms.
With more superiorly weaponized capabilities such as Infection Mechanism & Updatation , Reaper bot exploits atleast Nine security loopholes. . The Reaper bot targets specific firmware vulnerabilities across a host of widely used connected devices. Observers estimate the number of affected devices to be about 1 million, while the potential to be affected devices could go beyond 3 Million, considering devices which are compatible for the Reaper attack. This makes Reaper most capable, potential & Evolved IoT botnet compared to earlier botnets such as Mirai which were targeting DDoS Attacks.
Given this rise of IoT Botnets, We need to find ways how we could effect a Secure IoT implementation. The Hardware Security approaches can help address some of these vulnerabilities at Embedded Device & Communication networks.
IoT Devices - End Nodes - Constraints
IoT Systems will comprise of smart street lights, smart homes, Surveillance systems (IP cameras), Industrial process control systems, connected cars, healthcare devices and more. These are typically microcontroller based embedded systems , which will be deployed remotely ( and in many cases battery powered ). These are the end nodes which are forecasted to get into billions in numbers. These devices are to be low cost, being microcontroller based – they are Resource constraints with limited memory & capabilities. This presents a challenge to implement implementing advanced security methods on such resource constrained devices.
Semiconductor solution providers have security chips being offered, that can help address some of key security aspects – Authentication, Encryption & Platform trustworthiness .
Authentication : Digital Signatures have been widely used for financial and business transactions. Digital signing techniques can also be adopted at IoT end node devices to ensure Authenticity and Secure Booting. There are SHA-based crypto authentication chips available that can be easily incorporated by embedded designers The crypto elements integrate SHA 256 Hash Algorithms with EEPROM. These crypto-authentication devices have tamper protection mechanisms and secure key & data storage. These devices offload microcontrollers from crypto algorithm execution and key storage . These authentication chips interface through I2C, SPI or single wire protocols. Costing less than $0.60 for small quantities, authentication chips are affordable options.
Encryption : Encryption methods using Public Key Infrastructure ( Asymmetric cryptography) is being popularly used for several applications- they use encryption algorithms such as SHA, AES, ECCA This necessitates a proper key management and storage which is implemented as hardware .
Trusted Platform Modules (TPM): Trusted Computing Group (TCG) is a consortium of technology companies that promotes trust and security for computing platforms - mobiles - computers, and now extending relevance to embedded platforms for IoT devices. TCG proposes a Integrated circuit - IP core specification to be designed-in computing platforms to enable Trusted computing. The ISO has standardised Trusted Platform Module specification under ISO/IEC 11889-1:2009.
Trusted Computing Group define a TPM (Trusted Platform Module) as a ‘computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys. A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy. Authentication (ensuring that the platform can prove that it is what it claims to be) and attestation (a process helping to prove that a platform is trustworthy and has not been breached) are necessary steps to ensure safer computing in all environments.’
( image source : Wikipedia)
The potential to use these TPM’s for devices beyond computers is well accepted and today leading semiconductor companies provide TPM chips. TCG has a IoT Sub group and focuses on Hardware Root of Trust (RoT) approach for IoT Security.
TPM have been used widely in computer markets, Now TPM chips make great relevance for IoT devices and typically feature below:
- Compliance to the Trusted Computing Group (TCG) TPM Version 1.2 Specification
- Hardware Asymmetric Crypto Engine
- Microprocessor core
- Internal EEPROM Storage for RSA Keys
- Secure Hardware and Firmware Design and Device Layout
- FIPS-140-2 ( federal Information Processing Standard) Certification
- High-quality Random Number Generator (RNG),
- HMAC, AES, SHA, and RSA Engines
- NV Storage Space of User Defined Data
- Interfaces I2C & SPI for embedded applications, LPC interface for computers
TPM chip costs about $3.00 per unit chip for low volumes. For those applications where security itself is of utmost importance and large amount of data has to be processed, such as Point of Sale (POS) machines , using TPM hardware solution can address the security concerns.
In many emerging connected device applications, where we are seeing the rise & Evolution of IoT botnets, Its necessary every embedded design for IoT considers the Hardware Security and software implementation as well. With availability of low cost authentication chips, Secure microcontrollers & TPM modules, Hardware approach could be a better choice & in some cases the ONLY choice!
Author : Suniel Kumar G , Nexiot® - Accelerating Innovation®
The author is a experienced IoT & Semiconductor Industry professional.