Chip-to-cloud security
Kevin Fogarty of Semiconductor Engineering recently sat down with Asaf Ashkenazi, Rambus VP of IoT Security Products, to discuss security in the age of the Internet of Things. As Fogarty notes, Rambus is now offering chip-to-cloud security, which is basically remote security as a service.
The idea, says Fogarty, is to install a key, a chip or third-party security engine, so that whenever a device is powered up and connected to the Internet, it automatically communicates with a server to identify and authenticate the device.
“The problem is there are so many areas of security that nothing can address all of it,” Ashkenazi told the publication. “But starting at the root of trust and adding chip-to-cloud communication is a big piece of [solving] this [issue].”
Indeed, as Ashkenazi points out, approximately 70% of IoT devices do not use encryption, while many can be accessed from the internet with the same password.
“So far, most of the attacks we’ve seen with the IoT haven’t been very sophisticated,” Ashkenazi elaborated. “Simple security features could have prevented those. But for an IoT product there is a real risk because there is less margin, a weaker CPU, less memory and the operating systems aren’t as robust. Devices are getting simpler, but security is getting more complicated.”
Implementing a comprehensive IoT security solution
As we’ve previously discussed on Rambus Press, the widespread use of connected devices has created an attractive target for cyber criminals and other unscrupulous operators. IoT security should therefore be viewed as a primary design goal, rather than an afterthought. To be sure, consumers increasingly expect their devices to be protected out of the box, with seamless over-the-air (OTA) updates delivered securely.
However, OEMs need to be assured that securing smart home devices is not an insurmountable goal that negatively impacts profitability or time to market. As such, smart home devices should be protected by a turnkey security solution that can be easily implemented, maintained and upgraded to meet the evolving challenges of a dynamic threat landscape. More specifically, a comprehensive IoT security solution should include the following capabilities:
Secure boot: Secure boot uses cryptographic code signing so that a device only executes code signed by the device OEM or another trusted party. Each boot stage verifies the signature of the next stage before handing over control, and the chain is anchored in a root of trust (a public key or its hash held in immutable storage) that an attacker cannot overwrite. This prevents attackers from replacing firmware with a modified or malicious image that the device would then run; it does not, on its own, protect against vulnerabilities in legitimately signed code, so it is a foundation for the other measures rather than a substitute for them.
Mutual authentication: Every time an IoT device connects to the network it should be authenticated prior to receiving or transmitting data, and the device should in turn verify that it is talking to the legitimate service rather than an impostor. This ensures that data originates from a legitimate device and is delivered to the intended operator. Cryptographic algorithms using symmetric keys (a per-device secret provisioned at manufacture) or asymmetric keys (a per-device key pair and certificate) can be used for two-way authentication; in either case the exchange must include fresh random challenges so that a recorded response cannot simply be replayed.
Secure communication (Encryption): Protecting data in transit between a device and its service infrastructure (the cloud). Encryption ensures that only those holding the secret decryption key can read transmitted data; in practice it should be authenticated encryption (as provided by TLS or DTLS), so that tampering with the data is detected as well. For example, a smart thermostat that sends usage data to the service operator must be able to protect that information from digital eavesdropping.
Monitoring and analysis: Captures data on the overall state of the system, including endpoint devices and connectivity traffic. This data is then analyzed to detect possible security violations or potential system threats. Once detected, a broad range of actions formulated in the context of an overall system security policy should be executed, such as quarantining devices based on anomalous behavior.
Security lifecycle management: The lifecycle management feature allows service providers and OEMs to control the security aspects of IoT devices while in operation. Rapid over-the-air (OTA) replacement of device keys after a key compromise or other security incident keeps service disruption to a minimum. In addition, secure device decommissioning ensures that scrapped devices cannot be repurposed and exploited to connect to a service without authorization.
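As an added illustration of the mutual authentication capability above (example code written for this page, not Rambus product code or the CryptoManager API), the exchange below uses a per-device symmetric key and an HMAC-SHA256 challenge-response in both directions. The device identifier and key are constructed values; in a real deployment the key would be provisioned into a hardware root of trust rather than held in a Python dictionary. The example also shows the three failures the protocol must reject: a cloned device without the key, a rogue server without the key, and a replayed recording of a genuine response.

```python
import hashlib
import hmac
import os

# Constructed values for the example. A real device keeps its key in a
# hardware root of trust; the server keeps keys in an HSM-backed store.
DEVICE_ID = b"thermostat-0001"
DEVICE_KEY = os.urandom(32)


def tag(key: bytes, role: bytes, dev_id: bytes, n_server: bytes, n_device: bytes) -> bytes:
    """HMAC over both nonces, the device id and a role label.
    Both nonces bind the proof to this session (defeats replay); the role
    label stops one side's proof being reflected back to it."""
    msg = role + b"|" + dev_id + b"|" + n_server + b"|" + n_device
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, keys: dict):
        self.keys = keys        # device id -> provisioned key
        self.sessions = {}      # device id -> outstanding server nonce

    def challenge(self, dev_id: bytes) -> bytes:
        n_server = os.urandom(16)
        self.sessions[dev_id] = n_server
        return n_server

    def verify(self, dev_id: bytes, n_device: bytes, dev_tag: bytes):
        """Return the server's own proof if the device's proof is valid, else None."""
        key = self.keys.get(dev_id)
        n_server = self.sessions.pop(dev_id, None)   # one-shot: a nonce is never reused
        if key is None or n_server is None:
            return None
        expected = tag(key, b"device", dev_id, n_server, n_device)
        if not hmac.compare_digest(expected, dev_tag):  # constant-time compare
            return None
        return tag(key, b"server", dev_id, n_server, n_device)


class Device:
    def __init__(self, dev_id: bytes, key: bytes):
        self.dev_id, self.key = dev_id, key

    def respond(self, n_server: bytes):
        """Answer the server's challenge with a fresh nonce and the device proof."""
        self.n_server = n_server
        self.n_device = os.urandom(16)
        return self.n_device, tag(self.key, b"device", self.dev_id, n_server, self.n_device)

    def verify_server(self, srv_tag) -> bool:
        """The device checks the server's proof; nothing is sent until this passes."""
        if srv_tag is None:
            return False
        expected = tag(self.key, b"server", self.dev_id, self.n_server, self.n_device)
        return hmac.compare_digest(expected, srv_tag)


def handshake(server: Server, device: Device) -> bool:
    """Full exchange: True only when each side has authenticated the other."""
    n_server = server.challenge(device.dev_id)          # server -> device
    n_device, dev_tag = device.respond(n_server)        # device -> server
    srv_tag = server.verify(device.dev_id, n_device, dev_tag)   # server -> device
    return device.verify_server(srv_tag)


def replay_attack(server: Server, device: Device) -> bool:
    """Record one genuine device response, then replay it against a new challenge."""
    captured = device.respond(server.challenge(device.dev_id))
    server.verify(device.dev_id, *captured)   # the legitimate session completes
    server.challenge(device.dev_id)           # new session, new server nonce
    return server.verify(device.dev_id, *captured) is not None


def demo() -> dict:
    server = Server({DEVICE_ID: DEVICE_KEY})
    genuine = Device(DEVICE_ID, DEVICE_KEY)
    clone = Device(DEVICE_ID, os.urandom(32))   # knows the id, not the key
    rogue = Server({})                          # impostor service with no keys
    return {
        "genuine": handshake(server, genuine),
        "clone": handshake(server, clone),
        "rogue_server": handshake(rogue, genuine),
        "replay": replay_attack(server, genuine),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine device against the legitimate server succeeds; the clone, the rogue server and the replay all fail. The same message flow carries over to an asymmetric design by replacing the HMAC tags with signatures over the same nonce material and verifying them against a device certificate.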
Interested in learning more? You can check out our CryptoManager IoT Security Service product page here and download our eBook below.