Keeping the IoT Safe from Hackers
July 24, 2018
|By: Kristopher Ardis
Executive Director, Micros & Security Business Unit, Maxim Integrated
For the internet of things (IoT) to really begin to thrive, we need to design devices that we trust enough to manufacture and that people feel comfortable enough to buy, install, and use.
We are surrounded by an invisible intelligence. Yet, freeing that intelligence comes with risks because any security flaws can expose your IP and your valuable data to attackers for their use, while also turning public sentiment against connected devices. But it isn’t all about fear, uncertainty, and doubt. We can also think of security as an enabler: enabling new business models, enabling innovative applications, and enabling invisibly intelligent products to become trusted parts of a new economy based on data.
The concept of 'invisible intelligence' rests on three key principles:
- The things we interact with and have relationships with have data, and when enabled by technology they shouldn't fundamentally change the way in which we interact with them.
- We shouldn’t notice that the smart device is fundamentally different from its ‘dumb’ counterpart. That’s why it is invisible.
- The data from our smart device needs to have value. Invisibly intelligent things will inherently be more expensive than their dumb counterparts.
Now, let's take a look at how these principles relate to IoT security.
- Interaction: As critical as security is, managing it shouldn’t fall to the consumer. Devices should not need special setup to function properly or be properly secured, nor should they be subject to attacks where their behavior changes in a way that changes our interaction with them.
- Appearance: Building security into the devices won’t change their appearance significantly and can help ensure the device continues to appear as designed.
- Data: We need to be able to trust the data we are making decisions on, so it’s important to secure the value of the data and the device.
Protecting mobile devices and other IoT products from security breaches can be as straightforward as integrating a security IC into the design.
Security as an Opportunity
For all of the talk that we hear about IoT security, the industry remains slow to adopt protective measures. Many believe that implementing security is too expensive or complicated, or feel that it is something they’ll do later (especially when they’re under time-to-market pressures). True, hardware that can efficiently generate and process digital signatures isn’t free. But, the per-unit cost for security technology isn’t unreasonable, as the technology is integrated into microcontrollers or in standalone coprocessor ICs. Security is also a complex topic—the algorithms are difficult to implement, the math is hard to understand, and there is no perfect answer. Here, semiconductor products can assist with the math and implementation, so you don’t need to be a number theory expert to use elliptic curve cryptography to secure your application. As for the do-it-later mindset? What we need is a way to integrate security from the beginning without hampering rapid application development.
But what if we begin to think about security as a way to create new opportunities? For example, security can support lower cost manufacturing. Some companies choose more expensive but local manufacturing because they believe they will have more control over their IP and manufacturing runs. Using microcontrollers with secure bootload capabilities can enable these companies to move manufacturing to the most cost-effective and efficient locations available. A secure bootloader can be customized for a particular customer, and it would allow the designers to send encrypted firmware—which can’t be copied or reverse-engineered—to the manufacturer. Unique identification numbers in the microcontrollers could be used to ensure that only the intended number of devices are manufactured. This is just one example of how security can bring new opportunities.
While encryption might readily come to mind when considering security for embedded devices, also important are techniques such as authenticity, confidentiality, and integrity. Hashing and signatures are also important tools in the security toolbox. In my white paper, "Securing the Next Generation of Smart Devices," I discuss each of these techniques in greater detail and highlight the types of security ICs that are available. Read the paper to learn ways that you can protect your next IoT design.