Connected devices, commonly referred to as the Internet of Things (IoT), potentially represent a large risk to the safety and security of the internet as a whole, if not properly secured.
That was the key message that David Tarditi, principal software engineer lead for Microsoft Azure Sphere, conveyed during a session at the Open Source Summit in San Diego, California on August 22. Tarditi’s message wasn’t all doom and gloom either, as he outlined seven key properties that can be leveraged by manufacturers and users alike to help secure IoT devices.
While there are risks from IoT devices, Tarditi noted that lessons have been learned in recent years by Microsoft and others about how to improve security. Fundamentally, he said that all code has bugs and it’s also likely that any given device can and will be hacked eventually, but that doesn't mean that all IoT needs to be insecure.
“Security is foundational, you have to build it in from the beginning,” Tarditi said. “Trying to bolt security on as an afterthought isn’t going to work.”
In Microsoft’s experience, there are seven key properties of highly secure IoT devices, with the first item being having a hardware root of trust. Tarditi said that it’s a good idea to have hardware that can provide the ability to protect a device's identity.
“So in practice, what this means is that on your hardware you want unforgeable cryptographic keys that are generated and protected by the hardware,” he explained. “You also want the hardware to secure software booting.”
Tarditi added that having a secure boot involves the use of some form of boot ROM that ensures that the operating system loads as expected without interference or potential malware. Once a user or vendor has ensured that the operating system software loader is secure, then it is possible to ensure the integrity of everything else that loads on a given system, as it enables a foundation for a hardware root of trust.
Defense in Depth is the second key attribute for securing IoT, which basically means that there is more than one security control or mechanism that is responsible for keeping a device secure. The third key attribute identified by Microsoft is having a small trusted computing base.
“It’s pretty simple, less code equals fewer bugs,” Tarditi said. “You want to reduce the attack surface and make it harder for attackers to get in.”
Having dynamic compartments was the fourth key attribute outlined by Tarditi. He noted that compartmentalizing software also helps to limit the reach and impact of any single security breach.
A primary weakness on many IoT devices is passwords. Tarditi said that often it’s hard to get consumers to change the default password for IoT devices and even when they do, passwords are easily stolen by attackers. That leads to the fifth key property, which is to use certificate-based authentication, to help mitigate and even remove the risk of passwords. Tarditi said that with a hardware root of trust, it's possible to know if a device is in a good state when it is booted. A trusted authority can be set up which communicates with the hardware root of trust to validate a given device and then issue a certificate to enable access to services.
The sixth key property of highly secure IoT devices is to have some form of integrated failure reporting. Tarditi said that failure reporting is all about having the ability to gather reports from devices to be able to detect potential flaws and attacks.
Finally, the seventh key property is something that Microsoft refers to as renewable security.
“You need to be able to update the device to address security threats,” Tarditi said. “You need to have cloud infrastructure that allows you to update device and you also need to have the technical ability to prevent a rollback attack.”
In a rollback attack, an attacker seeks to 'rollback' or revert a device update in order to exploit a known vulnerability. Overall, Tarditi emphasized that IoT security is only as good as the weakest link and it can often be challenging to get it right.
“Device security is like a stool that requires three legs, if you remove any one of those legs, you’ll end up on the floor,” he said.
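The rollback attack described above works because an old firmware image still carries a valid vendor signature, so a signature check alone does not stop it. The sketch below is an added example, not code from the talk or from Azure Sphere: it assumes a hypothetical update manifest with a `security_version` field, models the hardware monotonic counter as a plain attribute, and uses an HMAC with a constructed key as a stand-in for the vendor's asymmetric signature.

```python
import hashlib
import hmac
import json

# Constructed demo key; HMAC stands in for the vendor's asymmetric signature.
VENDOR_KEY = b"constructed-demo-key"

def sign_manifest(manifest: dict) -> bytes:
    """Vendor side: authenticate the whole manifest, version field included."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).digest()

def make_update(name: str, security_version: int, image: bytes):
    manifest = {"name": name, "security_version": security_version,
                "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, image, sign_manifest(manifest)

class Device:
    def __init__(self, security_version: int):
        # Models a hardware monotonic counter: it is never lowered.
        self.min_security_version = security_version
        self.installed = None

    def apply_update(self, manifest: dict, image: bytes, tag: bytes) -> str:
        # 1. Authenticity: the manifest must carry a valid vendor tag.
        if not hmac.compare_digest(sign_manifest(manifest), tag):
            return "rejected: bad signature"
        # 2. Integrity: the image must match the digest in the signed manifest.
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            return "rejected: image digest mismatch"
        # 3. Anti-rollback: an old image is still validly signed, so its
        #    version is compared against the counter as a separate step.
        if manifest["security_version"] < self.min_security_version:
            return "rejected: rollback"
        self.installed = manifest["name"]
        self.min_security_version = manifest["security_version"]  # ratchet up
        return "installed"

def demo() -> list:
    device = Device(security_version=3)
    old = make_update("fw-old", 2, b"constructed old image")
    new = make_update("fw-new", 4, b"constructed new image")
    # Attacker edits the old manifest's version to slip past the counter check.
    forged = (dict(old[0], security_version=9), old[1], old[2])
    return [device.apply_update(*old), device.apply_update(*forged),
            device.apply_update(*new), device.apply_update(*old)]

if __name__ == "__main__":
    print(demo())
```

Because the version sits inside the signed manifest, raising it by hand invalidates the signature, and because the counter only moves forward, the genuine old image stays rejected after the newer one is installed.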