Protecting Connected Devices Long Before They Were Called “Things”
The Internet of Things (IoT) market is generating new services and devices that need protecting against a range of existing and novel threats, as a few notable breaches or staged attacks have already shown. The recent distributed denial of service (DDoS) attacks against various ISPs, which appeared to have been mounted at least in part from a botnet of IoT devices including Wi-Fi routers and IP video surveillance cameras, highlighted the potential level of risk.
Such incidents also illuminate the high level of consumer naivety about the risks posed by their own IoT devices, which is widely recognized as an issue that has to be addressed if the IoT market is to take off —in the home at least. Technology alone cannot counter the threats without buy in from consumers and also other relevant parties potentially including governments (e.g., FCC or FTC in US).
But there is one other important point that is widely misunderstood even by many security experts, which is that the IoT is not really a new problem for the security industry. There is a widespread misconception that the IoT will raise new threats that can only be met by emerging technologies, such as artificial intelligence methods and blockchain technology associated with Bitcoin.
What we learned from securing the set-top box
While such technologies will indeed come to play an important part in the IoT as its threat landscape evolves, the challenges we face in the immediate future can be met by existing techniques, especially those already widely deployed and well proven in the pay-TV revenue security industry. The point here is that we have had things connected to the internet for many years now, most relevantly for us being the set-top box (STB).
We have been defending the STB against piracy, revenue theft and general hacking for a long time and have worked out how to stay ahead in the arms race through renewable security. While the goal was to defend the video content rather than the underlying delivery infrastructure per se, this was impossible to achieve without protecting the STB itself against direct attack and comprise. Without that it would be possible for pirates to get at the content by first circumventing the box where video decoding occurred.
Such measures begin with hardware root of trust, secure boot and other techniques to make sure that when the system starts up it is loading known authenticated software and not some malware or Trojan invading from the internet. We have also developed technology for updating the software securely during operation.
More recently device makers and their system-on-chip (SoC) providers started deploying Trusted Execution Environments (TEEs), enabling more vulnerable aspects of a pay-TV service to be isolated from the underlying operating system and therefore from the apps running on top. With the help of Trustonic, as discussed in a previous blog post, it has been possible to replicate over-the-air, downloadable security upgrades available for the STB, on mobile devices such as smartphones, via its Trusted Application Management (TAM) technology. Verimatrix has licensed TAM so that security options provided by VCAS™ for Internet TV can protect premium video content when delivered over the internet to connected devices.
Applying lessons learned from video to IoT
Such a solution is more relevant for IoT devices, such as IoT gateways, that utilize high-power ARM processors. Smaller devices, such as sensors, will tend to run on small embedded chips such as ARM Cortex-M rather than say the powerful Qualcomm Snapdragon processors found in many smart phones.
To bridge this gap in processing and storage capability, ARM, in collaboration with Intercede, Solacia and Symantec, introduced the Open Trust Protocol (OTrP) in July 2016. OTrP is really more than a protocol since it extends the security techniques already proven on smartphones and tablets to IoT devices, incorporating the same sort of trusted code management. Verimatrix supports OTrP and believes it provides the foundation for extension of code isolation and secure update to low power and resource-limited devices.
Additional solutions that may be borrowed from the pay-TV industry include mutual authentication between devices and servers based on X.509 certificates which leads to the ability to provision keys and other secrets, create trusted communication channels, and powerful authorization and entitlement frameworks that enable rich services making individual IoT devices so much more valuable.
Who’s going to pay for it?
This still leaves important issues to resolve, notably over financing of IoT security, given the low cost of the devices themselves and unclear revenue models for IoT services. It is likely that governments are going to mandate a certain level of security and certification given that IoT services can potentially threaten national security if the devices can be subverted remotely and synchronously on mass scale.
Consumers themselves will also start to be concerned if, as seems possible, they could be deemed liable for attacks on third parties from botnets in which their devices played a part. Users might start putting pressure on IoT service providers to assume responsibility for such breaches, or alternatively it could be that indemnity against claims gets written into household insurance policies. In the latter event, insurers and their underwriters might be the ones to mandate specified security as a precondition for household coverage.
A collection of these well-known techniques – starting with secure boot and secure software update, unique device authentication and secure communication – is leading towards a framework where the IoT ecosystem can enjoy the same protection as pay-TV services, where there is also a need to satisfy third parties over security, in that case rights holders. Indeed it is because the experience of pay-TV security transfers naturally to the IoT that Verimatrix has identified this as an important sector for our technology in years to come.
We’d love to get your thoughts on how you feel this type of proven security technology can be applied to IoT – along with its limitations.