The properties of secure IoT devices
At Open Source Summit North America 2019, David Tarditi from Microsoft gave a talk on seven different properties for highly secure Internet of Things (IoT) devices. The properties are based on a Microsoft Research white paper [PDF] from 2017. His high-level summary of the talk was that if you are creating a device that will be connecting to the internet and you don't want it to get "owned", you should pay attention to the properties he would be describing. Overall, it was an interesting talk, with good analysis of the areas where effort needs to be focused to produce secure IoT devices, but it was somewhat marred by an advertisement for a proprietary product (which, naturally, checked all the boxes) at the end of the talk.
Internet connected
He set the stage by noting that there are nine billion microcontroller-based devices deployed every year—many of which will be connected to the internet. He showed a microcontroller from 2014 ("forever ago") that had radios on the die with the CPU. He believes that most devices will be connected to the internet in the coming years and that it will lead to a "profoundly better experience" for users.
![[David Tarditi]](https://static.lwn.net/images/2019/ossna-tarditi-sm.jpg "David Tarditi")
He gave the example of an internet-connected refrigerator, which would allow better prediction and diagnosis of compressor problems. Instead of a customer detecting that the compressor has broken by finding spoiled food or melted ice cream, the manufacturer could proactively alert the owner that a problem was imminent. Because the performance of a large number of compressors in the field can be monitored, the manufacturer can observe patterns that indicate an upcoming failure in the field.
But, the internet is a "cauldron of evil", as Dr. James Mickens put it, so there are real dangers when devices get connected to the internet. He noted a bunch of different headlines regarding IoT security but, "to make it more concrete", spent some time describing the Mirai botnet.
In October 2016, the Mirai malware infected a bunch of web cameras, baby monitors, and other devices running Linux. It turned them into a botnet that more or less shut down the internet on the east coast of the US for a day. That attack only involved around 100K devices and exploited a well-known weakness (default administrative passwords). But there was no early detection of the attack and, worse yet, there was no remote update capability for the devices, he said.
Mirai highlighted some of the risks of internet-connected devices, but it also showed that the effects are more than just technical. Tarditi noted that Mirai appeared in the New York Times, on the "Technology" page for the first day, but on the "Politics" page on day two. Device security is a socioeconomic concern; governments will be paying more attention to these issues going forward.
In addition, the Mirai attack was just a small taste; future attacks could be much larger (imagine 100-million devices, he said) or could have much worse effects (e.g. "bricking" an entire product line or attacking critical infrastructure). Connecting a device to the internet is a "serious and challenging issue". There is a moral issue there too, he said, because people could get hurt; this isn't "turn off your PC and reboot, this is more serious".
Building a secured device
Microsoft has been on the front line for more than 25 years in terms of protecting customers and their devices, Tarditi said. In his slides [PDF], he had a timeline of some developments in internet attacks against computers, along with Microsoft projects and initiatives to combat them. He said that Windows has long been a target for attackers. He believes that attackers find Windows 10 to be a pretty difficult target these days.
Over that time period, the company has learned some lessons. The first is that "your code is going to have bugs". It is "really easy to get code wrong", Tarditi said. Also, "your device will be hacked"; attackers are smart, creative, and persistent so they will get through the defenses. It is important to recognize that "security is foundational"; it must be built in from the start, not grafted on later as an afterthought.
There are some concrete things you can do to ensure that a device is highly secured, rather than simply having some security features. There are seven properties that the white paper identifies as being crucial to that process. If anyone has another property that should be added to the list, he is interested in hearing about it. The properties are:
- A hardware root of trust: Using cryptographic keys that cannot be forged will protect the identity of the device. Storing private keys in the hardware means that an attacker needs to mount a physical attack in order to subvert the root of trust. That can provide a secure boot process to ensure that only trusted software is being run on the device and can be used to attest to the integrity of the software running on the system to remote servers.
- A small trusted computing base: The trusted computing base is the software that ensures the security of the system, so it should be as small as possible to reduce its attack surface. A complex kernel (e.g. Linux) should run atop a much smaller security monitor or hypervisor.
- Dynamic compartments: Providing hardware-enforced boundaries between components in the system in order to isolate them and limit the damage a successful attack can do.
- Defense in depth: Tarditi showed a photo of a castle as the prototypical illustration of defense in depth. The castle has many layers to its defense: multiple walls, moats, gates, and so on. For IoT devices this means having multiple mitigations in the system: firewalls on internal buses and on the network, no-execute protection of memory, address-space-layout randomization (ASLR), etc.
- Certificate-based authentication: Passwords have multiple problems, they can be stolen and they require someone to handle their administration (e.g. set a good password for the device). With a hardware root of trust and remote attestation, the device identity and integrity is known. Certificates can be issued to the device that will allow it to access services; those certificates can be short-lived, so that a compromise only has a limited time to operate.
- Failure reporting: Gathering information from many devices in the field can help detect when an attack is starting or something else is going wrong. Unknown attacks using zero-day flaws can be detected early because they cause crashes in some devices. Those crashes are an indication that something is wrong, so if that information is gathered centrally, it can be analyzed to help determine where the problem lies.
- Renewable security: There is a need to be able to provide software updates from the cloud and for the device to be able to apply those updates to protect itself against vulnerabilities. It is also important to have a hardware mechanism to prevent rollback attacks, where a device is tricked into installing a previous signed update with known vulnerabilities.
Achieving those seven properties is challenging, he said. The security of the system is only as good as the weakest link, however. Threats evolve over time, so it is important to be able to recognize and react to those threats when they occur. And, in order to reduce the effectiveness of those attacks, device makers need infrastructure that can get updates to the devices in short order.
Ad time
At that point, Tarditi launched into a thinly veiled advertisement for the project he works on at Microsoft: Azure Sphere. While Azure Sphere is meant to provide an end-to-end solution for device makers that embodies the seven principles, it is a proprietary product that simply uses the Linux kernel as part of its Azure Sphere OS. Certainly "open source" was not a major component of the sales pitch, which was rather surprising at a conference called "Open Source Summit".
Beyond that, Tarditi did not address an elephant in the room with regard to devices that operate under the seven principles. Those devices may well be highly secured, but they are also completely controlled by the device vendor, not the putative owner of the device. Software updates can (and presumably will) fix security flaws, but they can also take away features that users want, add anti-features that users don't want, and, effectively, cause the device to act in ways that are directly contrary to the best interests of the person who paid for it, installed it, and runs it. Balancing between security and ownership needs is a difficult, largely unsolved problem, but it does seem like something that should at least be mentioned in a talk of this type at an open-source conference.
This kind of semi-infomercial talk is all too common at many conferences in our industry, but it is decidedly uncommon at open-source technical conferences. It may be that companies chafe at that restriction, but it seems like ground we don't really want to cede, at least for the technical side of our conferences. There are other outlets at some events, keynotes for example, where sponsors can pay to present their commercial solutions to a, seemingly, receptive audience. Keeping that kind of talk out of the main tracks of a technical conference is something worth pursuing. Or so it seems to me.
Interested readers can check out the video on Vimeo.
[I would like to thank LWN's travel sponsor, the Linux Foundation, for travel assistance to attend Open Source Summit in San Diego.]
| Index entries for this article | |
|---|---|
| Security | Internet of Things (IoT) |
| Conference | Open Source Summit North America/2019 |
Posted Sep 17, 2019 23:45 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Simple devices should use a standard protocol like ZigBee or ZWave and stay away from IP entirely. They also don't need to be field-upgradeable, just make them as simple as possible. The worst case scenario will be attackers randomly turning off the lights. Meh.
Complicated devices can be connected to the Internet but realistically most of them shouldn't.
Posted Sep 18, 2019 5:02 UTC (Wed)
by smurf (subscriber, #17840)
[Link] (1 responses)
In contrast, if your device has a stupid (in fact, too stupid to be cracked over the network but perfect to be modded locally) ESP8266 it can immediately talk to your existing WLAN and, if you do your own home automation instead of relying on some designed-to-be-broken cloud provider, immediately talk to your MQTT bus, and your HA system might even autoconfigure them.
The only problem here is that if you plan to sell ten million connected switches, replacing the ESP8266 with a non-moddable SoC that only talks to some Chinese cloud thing and costs five cent less suddenly sounds like a winning proposition.
Posted Sep 18, 2019 5:15 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link]
> In contrast, if your device has a stupid (in fact, too stupid to be cracked over the network but perfect to be modded locally) ESP8266 it can immediately talk to your existing WLAN and, if you do your own home automation instead of relying on some designed-to-be-broken cloud provider, immediately talk to your MQTT bus, and your HA system might even autoconfigure them.
The problem with "just use WiFi" is that it just doesn't scale at all with different device types without having a hub or running some automation somewhere in the cloud anyway. Besides, it's awfully power-hungry and is less reliable than ZigBee/ZWave mesh routing.
Posted Sep 18, 2019 6:06 UTC (Wed)
by weberm (guest, #131630)
[Link] (2 responses)
In the context of Microsoft, I would never get behind proposition #6. IoT devices can be used for pretty invasive surveillance, and to determine whether a device starts acting out of spec, just sending home crash reports isn't cutting it. So one can expect vendors such as Microsoft send home more than just that.
And even less so I can get behind #7. So without my approval you want to update my device that I've configured? With code that I do not control? "from the cloud"? No, thank you.
If #6 & #7 are the answer, then I don't want to indulge the question.
I'd personally never hook up an embedded device to the internet, period. I believe it is a really bad idea and harmful in the long run, no matter what.
Posted Sep 18, 2019 16:25 UTC (Wed)
by NightMonkey (subscriber, #23051)
[Link] (1 responses)
Please please please tell this to the oligarchs who run our critical infrastructure grids! (Electric, gas, oil pipelines, nuclear facilities, battleships, etc.) WHY are they putting devices that control our grid ON THE INTERNET? They are rich enough to build their own robust, resilient *private networks*, and they know how to string wires to sling the packets! It's like inviting the world's spy agencies and the mafia to have a coworking space in your local electrical substation or grid control room.
The Internet is a wondrous creation But it doesn't solve every problem, and creates its own.
Posted Sep 23, 2019 12:03 UTC (Mon)
by cpitrat (subscriber, #116459)
[Link]
Posted Sep 18, 2019 6:49 UTC (Wed)
by Archimedes (subscriber, #125143)
[Link]
Certificate-based authentication vs Renewable security
Either one chooses to have certificates with a validity period, and implements a "never fail" (which is already kind of impossible, or never shown) update of the certificates, then security renewability is possible to e.g. move away from rsa 1k or md5 hashes but that requires long software support for Devices (and these Devices will live long, I have no clue where the median would be but devices (especially when they are integrated into infrastructure like houses) will live 10-30 years .... Until now Ive not seen "proper renewable security support" in time frames like these) and hardware which can also cope with "new security". **
** And there is the false assumption that it is guaranteeable that all devices share a trusted and correct clock.
Posted Sep 18, 2019 14:30 UTC (Wed)
by psadauskas (subscriber, #46534)
[Link]
But that’s not what’s going to happen at all, is it? Instead, the fridge will be phoning home so the screen can deliver me more targeted advertisements.
This is happening even now, with the fridge I nearly bought 18 months ago, where it demands you replace the water filter for the ice maker every 6 months whether it needs it or not, and refuses to make ice until you do. It also validates the RFID code on the filter to ensure you bought the “genuine” $50 manufacturer one, instead of the $15 generic one with the exact same internals.
I’d be happy to allow manufacturers to record diagnostic information and send me alerts about maintenance issues, but right now they’re just using it to make my experience as a customer *worse*, not better. Until that changes, all my network-connectible appliances get their own WiFi and VLAN that’s firewalled from the family computers, and is prevented from unlimited access to the internet. It’s a PITA that I have to whitelist specific domains (Netflix.com, etc...) to allow them to do the function I bought them for.
Posted Sep 18, 2019 17:20 UTC (Wed)
by nilsmeyer (guest, #122604)
[Link] (7 responses)
All it needs to warn the user is a Display. All it needs to diagnose and predict problems is a small computer, which it has anyways. All this is about is planned obsolescence or additional rent seeking over the life time of the Device. Most devices simply don't need to be connected to the Internet.
> Tarditi noted that Mirai appeared in the New York Times, on the "Technology" page for the first day, but on the "Politics" page on day two. Device security is a socioeconomic concern; governments will be paying more attention to these issues going forward.
Unfortunately that usually results in the types of suggestions Microsoft peddles here. Lock down the devices, take away user freedom and governments love Security by Obscurity. Instead, vendors should be required to support the device during its lifespan, perhaps even be required provide the source code. They should also be held liable for negligence, and require some sort of proof of insurance.
No more shifting the burden of negligence, greed and short-sightedness onto others. How about that instead of "the cloud"?
Posted Sep 18, 2019 17:29 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
Posted Sep 19, 2019 14:22 UTC (Thu)
by nilsmeyer (guest, #122604)
[Link] (1 responses)
Posted Sep 19, 2019 18:23 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Sep 20, 2019 6:57 UTC (Fri)
by tao (subscriber, #17563)
[Link] (3 responses)
For instance, my parents have several freezers (for storing berries, meat, etc.) that they only visit maybe a few times per month. If such a freezer breaks all the food is potentially ruined--and worse yet, unless you at the very least have an independent min-max thermometer in it you won't even notice. The bacteria build-up might've happened already and spoiled the food.
Or consider a summer cottage; finding out about a water leak when it happens, instead of next spring after the water has frozen, thawed again, and caused water damage for thousands of euros makes a huge difference.
Posted Sep 20, 2019 7:26 UTC (Fri)
by bosyber (guest, #84963)
[Link]
Medical devices for home use nowadays often have an option to send data to a doctor, but that asks for a) a doctor that can safely handle, and deal with that, b) a secured connection. The latter condition usually is a not a given at all, and the first point is questionable. But, for now, and because of the sensitivity, it usually is an option that can be, but does not have to be, activated, and/or requires a separate action to make it happen.
My biggest problem with a lot of the IoT stuff is that the connection is not optional, or at least very hard to impossible to just not use (smart TV's and such are terrible, in a lot of ways, for example, even if they aren't hacked, they end up being an extra source of unasked for advertising), and the security is often questionable - being able to update would be a potential advantage, but without much control or influence by the owner that's not a great trade-off.
Posted Sep 20, 2019 8:32 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Sep 20, 2019 13:48 UTC (Fri)
by rgmoore (✭ supporter ✭, #75)
[Link]
In which case you could set it up to send an email or text message when there's a problem. There's no need for the system to be constantly sending information to a central server. Being able to communicate problems to the owner is a helpful feature. Communicating information to the manufacturer (or any other third party) without the owner's expressed consent is spying.
Posted Sep 18, 2019 17:29 UTC (Wed)
by rriggs (guest, #11598)
[Link] (1 responses)
Companies would require liability insurance. There would be standards set by the insurance industry which would impact insurance rates. And then at least the cost for producing insecure products would eventually be borne by the producer.
Posted Sep 19, 2019 14:23 UTC (Thu)
by nilsmeyer (guest, #122604)
[Link]
Posted Sep 19, 2019 20:28 UTC (Thu)
by dps (guest, #5725)
[Link] (1 responses)
Things being difficult to change is not always a bad idea. I think that the limited attack surface of my heart pacemaker, which is not an IoT device, is a good thing. I don't know enough cardiology to make is sane to even want to change the software, which almost certainly exists.
Maybe this just marks me as a technophobe from the pre-internet age.
Posted Sep 19, 2019 21:49 UTC (Thu)
by excors (subscriber, #95769)
[Link]
Does it support any kind of remote access for monitoring or configuration? If so, it could have vulnerabilities like https://www.fda.gov/medical-devices/safety-communications... and still require firmware updates from the manufacturer.
> The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.
Posted Sep 23, 2019 8:29 UTC (Mon)
by ber (subscriber, #2142)
[Link] (3 responses)
Otherwise a unique root certificate installed by the device manufacturer is a root for imposing restrictions on the device later. Together with a unique ID it would also
Posted Sep 23, 2019 8:51 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link] (2 responses)
> Together with a unique ID it would also become a precondition for surveillance.
Posted Sep 23, 2019 14:45 UTC (Mon)
by micka (subscriber, #38720)
[Link] (1 responses)
Posted Sep 23, 2019 16:36 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Sep 26, 2019 15:26 UTC (Thu)
by frostsnow (subscriber, #114957)
[Link]
Posted Sep 27, 2019 22:05 UTC (Fri)
by ejr (subscriber, #51652)
[Link]
The Things Network ( https://www.thethingsnetwork.org/ ) *may* be an alternative built on LoRa, but it has minimal adoption in the US. And the LoRaWAN duty cycles are a pain to obey.
And then security. Right now even deploying anything is such pain that security is an afterthought.
Posted Sep 28, 2019 8:17 UTC (Sat)
by oldtomas (guest, #72579)
[Link] (2 responses)
For humankind, replaceable batteries for smartphones would be the real advance, not this.
I've got the impression that we left the realm of "problems in search of a solution" and are smack in that of "solutions in search of a problem": bigcorps and venture capital in a desperate quest for relevance.
(And yes, I do acknowledge that there are useful applications for IoT).
Posted Sep 28, 2019 18:10 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
It saved me quite a bit of money this year when it detected water near my fridge and closed the water supply. Turned out that the fridge's ice maker water supply line failed and started leaking at several liters per hour (not enough to trigger the in-line water safety switch).
Posted Sep 30, 2019 11:35 UTC (Mon)
by tao (subscriber, #17563)
[Link]
The properties of secure IoT devices
1) Simple actuators and sensors (temperature and water sensors, light switches, fire alarms, shutters) that have stable functionality.
2) Complicated custom devices with displays, cameras, etc.
The properties of secure IoT devices
The properties of secure IoT devices
Yes, a hub. Just one cheap device that can be properly secured and replaced with minimal fuss if needed.
Nobody stops you from running fully local setup with ZigBee/ZWave, I'm using Hubitat for that. Before that I was using HomeAssistant on RPi.
The properties of secure IoT devices
The properties of secure IoT devices
The properties of secure IoT devices
The properties of secure IoT devices
Or certificates live "forever" but that would contradict "Renewable security" but then certificates are at least as usable as passwords.
The properties of secure IoT devices
The properties of secure IoT devices
The properties of secure IoT devices
This is actually a GOOD idea for most of IoT devices. I would even prefer for them to be non-reprogrammable or with software on a changeable cartridge that can be replaced.
The properties of secure IoT devices
The properties of secure IoT devices
Sure. But why would you _need_ it if it's a lighting switch or a temperature sensor?
The properties of secure IoT devices
The properties of secure IoT devices
The properties of secure IoT devices
The properties of secure IoT devices
For a fridge, freezer, or even worse water leak you want a notification when the problem occurs, not when you next check the display.
The properties of secure IoT devices
The properties of secure IoT devices
The properties of secure IoT devices
The properties of secure IoT devices
Hardware root of trust can be a simple switch
become a precondition for surveillance.
Hardware root of trust can be a simple switch
Then just throw out the device. There are plenty of competitors.
Yawn. Surveillance doesn't need your lighting switches and smart fridges.
Hardware root of trust can be a simple switch
Hardware root of trust can be a simple switch
The properties of secure IoT devices
Thank you.
We're seeing a new era of attempted balkanization and lock-in.
About refrigerators and consumerism
About refrigerators and consumerism
About refrigerators and consumerism