Here are five quick takes on securing the Internet of Things (IoT) from Intel, BlackBerry, Wind River, Silicon Labs and CEVA Inc. Together, they cover everything from global network management to gateways to embedded systems, ICs and low-power semiconductor intellectual property (IP).
Security is an issue all the way up the line; from a fitness device to a smart phone to the Internet (See Figure 1). The threats come at every stage, from endpoint to network, but Gary Davis of Intel espouses with a solid end-to-end platform, such as Intel’s IoT Platform that was launched in December of 2014.
Key to the platform are the use of gateways and the Wind River Edge Management System (EMS). Among other features, it allows configuration of IoT devices, file transfers and data analysis and response. At the same time, Davis is a strong advocate of use-case analysis as users themselves can inadvertently introduce the biggest risks, such as downloading poor or malicious software.
From BlackBerry’s perspective, Dave Kleidermacher says it is very much about infrastructure and device management on a massive scale. BlackBerry has long been experts at this and therefore has the experience and platform to do it, though it is new to the IoT space.
Recruited recently by BlackBerry from Green Hills Software, known for its military-grade security, Kleidermacher believes that IoT requires an integrated platform solution for over-the-air upgrades and other device management tasks. “You have to manage it down to the gateway then it [the gateway] handles the devices. If you can’t manage it, it’s not going to be secure,” he says. “The mobile market has solved that problem, with a proven, reliable, worldwide data infrastructure.”
“From the IC perspective, what's interesting is that we spent all this time developing these devices and protocols, but no one spent time attacking them!” says Skip Ashton of Silicon Laboratories, referring to ICs. The reason, he says, is that it is easier to attack a phone, gateway or cloud interface, instead of an IC, “so I do not really have to attack your device; I can send perfectly legitimate messages because I hacked the other thing,” referring to a weaker link along the chain.
However, it is important to, “keep your side of the street clean.” So he suggests IC manufacturers to make sure they test for systematic weaknesses, such as debug ports that can be tapped using power swings or clock glitching, and from which tht code can be extracted.
From an embedded systems point of view, “We’re putting stuff online that was never supposed to be online,” says Jakob Engblom, product line manager at Wind River (now Wind, by Intel). “It was created by people for whom security just wasn’t a concern.”
Engblom suggests making sure to, “only listen to the right things; you need to check authentication of message for integrity, then implement encryption for confidentiality.” However, “authentication and integrity are way more important.”
He adds that gateways should be protected from long-range attack by using robust firewalling, while Flash memory should not be readable by making sure debug ports—as well as serial lines—are not open.
Eran Briman, vice president of Marketing at CEVA Inc., looks at it from the end-node point of view, and suggests trying to limit the amount of information shared with the cloud.
“Instead of sending raw data, whether video streams from camera, or sensor data out of smart bracelet, you can process it locally on your IoT device and then send only pieces of information.” “In that way if there is a successful attack, only a limited amount of data is compromised. This also lowers power consumption,” he adds.