1. Secure your Radio Communication Channel
The typical communication interface of IoT devices is a radio channel, so the logical first step for a proper Internet of Things security architecture is to secure exactly this interface. In my opinion it is also one of the most important steps. The reason is very simple: hacking a radio interface can be performed without any physical access to the IoT device. The attacker has infinite time and also access to the equipment he needs.
Depending on the radio technology there are certainly differences, e.g. BLE has a limited range, so the attacker must be located close to the object. Sigfox and LoRa have a very limited data bandwidth. Nevertheless, a good RF communication security concept will increase the time required for an effective attack and therefore lower the risk.
2. Sign your Data
A good, well-known technique from the “old” cybersecurity areas like network security, and still valid as part of your Internet of Things security strategy.
Digital signatures are not the right technique to provide data confidentiality, but they are very useful to verify whether the data
- has been manipulated or not and
- originates from the one you expect
Of course, signing the data is not a foolproof technique in the end, and a system using signatures has to fulfill certain conditions. Here are the main ones:
- The signatory has to protect his signing key as well as possible to keep its trustworthiness
- The auditor has to protect the integrity of his validation key to retain the ability to distinguish between trusted and non-trusted signatories
- Proper technologies must be chosen
Signing sounds complex at the beginning, especially to a non-technical audience, but creates an “aha-experience” as soon as the advantages and the basic mechanisms are understood.
Creating a digital signature consists of two steps:
- create a fingerprint of the source (hashing)
- sign the fingerprint to enable authorization of the signature (encrypt with private key)
To create a fingerprint of digital data, hashing mechanisms are used. For security reasons, cryptographic hash functions are used; they create a data block of a fixed size from data of any size. The fixed-size data block itself does not disclose any information about the original data; it is just unique, like a person's fingerprint. Changing only one character or one bit in the original data leads to a totally different fingerprint.
The fingerprint must afterward be encrypted. For encryption, asymmetric mechanisms are used, which can also provide authorization and authentication.
Even for IoT devices with a limited amount of flash memory, libraries are available for hashing as well as for signature verification. Therefore, this should not be an excuse for not providing proper IoT security.
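The two steps and the check on the receiving side, as an added Go example that is not code from the original article: a reading is fingerprinted with SHA-256, the fingerprint is signed with ECDSA P-256, and verification is tried on the genuine reading, a tampered copy and a signature from an untrusted key. The algorithms, key names and sample reading are assumptions chosen for illustration; with ECDSA the second step is a dedicated signing operation rather than a literal encryption of the fingerprint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Fingerprint is step 1: a fixed-size SHA-256 digest of data of any length.
func Fingerprint(data []byte) [32]byte { return sha256.Sum256(data) }

// Sign is step 2: the signatory's private key signs the fingerprint.
func Sign(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	fp := Fingerprint(data)
	return ecdsa.SignASN1(rand.Reader, priv, fp[:])
}

// Verify recomputes the fingerprint and checks it with the public validation key.
func Verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	fp := Fingerprint(data)
	return ecdsa.VerifyASN1(pub, fp[:], sig)
}

// SignDemo verifies the genuine reading, a one-character tamper and an untrusted signer.
func SignDemo() (genuine, tampered, untrusted bool, err error) {
	device, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	rogue, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	msg := []byte(`{"sensor":"temp-01","value":21.5}`)     // constructed sample reading
	changed := []byte(`{"sensor":"temp-01","value":91.5}`) // one character differs
	sig, err := Sign(device, msg)
	if err != nil {
		return
	}
	rogueSig, err := Sign(rogue, msg)
	if err != nil {
		return
	}
	pub := &device.PublicKey // the only key the auditor needs to hold
	return Verify(pub, msg, sig), Verify(pub, changed, sig), Verify(pub, msg, rogueSig), nil
}

func main() { fmt.Println(SignDemo()) }
```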
3. Store Data in Internal Memory
Not a cryptographic technique but one from the area of system hardening, which works great in combination with strong security measures. But using only the described method, without any cryptographic techniques to secure your IoT device's data, is not recommended, because the protection systems of common microcontrollers are not strong enough to resist serious physical attacks. Here are your options for your IoT security portfolio.
Does your microcontroller provide the possibility to store the complete firmware in the internal memory, and does the data you collect and need to store persistently amount to only some bytes or maybe a small number of kilobytes? In this case, the internal memory is maybe the best place to store the data. The difference from external memory solutions like flash or EEPROM components is that an attacker has very limited access to the communication interface from outside, which means:
- no wires which can be probed using an oscilloscope or logic analyzer
- JTAG interface can be disabled or secured
- read operations via JTAG can be disabled
- depending on the component's package, pins are located in such a way that they cannot be used without removing the microcontroller
4. Use encryption techniques
One of the most frequently stated requirements, when the security topic is touched on in a meeting, is encryption. Encryption methods can be used to provide both data protection and authorization. Choosing the right methods and creating a solid infrastructure around your product can let you forget that you are using encryption methods at all and provide a great user experience. Doing it somehow, just because someone said we need to, without understanding the reason and the impacts, lets your developers and users struggle with the usability.
Just to give a rough overview: in the security world (yes, the general one, not only the one for IoT security) we talk about two main types of encryption.
- Symmetric Encryption
- Asymmetric Encryption
Here, symmetric and asymmetric refer to the keys. In the symmetric world, you have the same key for encryption and decryption. If one of the key instances is stolen, all other instances are also compromised and untrustworthy. The asymmetric world is a little bit different. You have two types of keys, public and private, with the following characteristics.
- All data which is encrypted using the private key can be decrypted using the public key.
- Data which is encrypted using the public key can only be decrypted with the private key.
Characteristic one fulfills the requirements for signing: one signs, all others check. The second characteristic fulfills the requirements for encryption: if you have someone's public key, you can send him an encrypted message and only the owner of the private key can decrypt it.
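Characteristic two as an added Go example (not code from the original article): a reading is encrypted to a backend's RSA public key with OAEP, and decryption is tried with the matching private key and with a different one. RSA-2048, OAEP with SHA-256, the key names and the sample reading are assumptions chosen for illustration; the last check goes slightly beyond the text and shows that this construction only accepts short payloads.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Encrypt needs only the recipient's public key, so it can run on any device.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt needs the matching private key, which stays with the recipient.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// EncryptDemo reports whether the key owner can read the message, whether a
// different private key can, and whether a 200-byte payload is rejected
// (RSA-2048 with OAEP/SHA-256 accepts at most 190 bytes).
func EncryptDemo() (ownerReads, strangerReads, longRejected bool, err error) {
	backend, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	msg := []byte(`{"sensor":"temp-01","value":21.5}`) // constructed sample reading
	ct, err := Encrypt(&backend.PublicKey, msg)
	if err != nil {
		return
	}
	plain, ownerErr := Decrypt(backend, ct)
	_, strangerErr := Decrypt(stranger, ct)
	_, longErr := Encrypt(&backend.PublicKey, make([]byte, 200))
	return ownerErr == nil && bytes.Equal(plain, msg), strangerErr == nil, longErr != nil, nil
}

func main() { fmt.Println(EncryptDemo()) }
```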
5. Use standard methods and common crypto libraries
You have a team of great software development experts with some spare time? Allow them to do some creative stuff and experiments, let them play, or just give them a day off, but do not implement your own crypto library to save some budget. Use libraries from the market; in the best case, use an open source one and contribute to the project.
Depending on your IoT security requirements, there is also a big chance of finding the functionality already built into your target hardware, e.g. an AES hardware module or an ECC library in the ROM.
But not only for implementing security functionality in your Internet of Things device; also for standard tasks, e.g. a command line interpreter, use proven techniques and methods. This gives your team and your company the ability to react faster to upcoming bug reports and vulnerabilities and is at the same time also a nice hardening technique for your device. The intelligence of a crowd is in most cases higher than that of a single expert.