Securing extremely low power IoT devices: Challenges and perspectives
- sarah01268
- Oct 17
Recent years have seen a rapid proliferation of Internet of Things (IoT) security regulations around the world, most notably the European Union Cybersecurity Resiliency Act (CRA), the UK Product Security and Telecommunications Infrastructure Act (PSTI) and the US CyberTrust Mark. The emergence of these regulations was motivated, among other things, by the sheer number of cybersecurity threats originating from IoT devices in these regions.
While some of these regulations, such as the US CyberTrust Mark, are voluntary, others, such as the CRA and the PSTI, are mandatory, meaning that every IoT device entering those markets needs to comply with all the requirements set forth in those regulations. This means that IoT devices are now required to meet a minimum security standard for global market acceptance across multiple regions.
Complying with these regulatory requirements is particularly challenging for battery-less or ambient powered IoT devices (such as sensors or monitoring devices) given the energy and computational constraints characterising these devices. Securing ambient powered and battery-less IoT devices to comply with regulatory requirements calls for a complete change of paradigm: security must be considered an integral part of the IoT device design process. Processes involved in the design, manufacturing, and deployment of IoT devices must be security-aware and the chain of trust must be clearly established [1].
Overview of regulatory requirements
Most of the recently published regulations share a set of commonalities. Most notably, the default device configuration should be secure, meaning that no user intervention is required to ensure a high level of device security. Additionally, each device is required to have its own unique password. Two devices should not share the same password. It is also a common requirement that access to devices should be secured and authenticated. Furthermore, most of the regulations mandate that the confidentiality and integrity of stored, processed, and transmitted data should always be guaranteed. Undoubtedly, the most challenging requirement from a low power IoT device perspective is the ability to securely update software and firmware given that this process often requires transferring high volumes of data that exceed the communications bandwidth of low power IoT devices and requires devices to be powered for periods longer than their usual duty cycles.
Successful development of secure IoT devices relies on good practices grounded in sound development methodologies and standards that together mitigate the threats and reduce the risks associated with IoT deployment [2]. In this context, risk assessment and threat modeling are essential steps that should be performed before design starts.
Threat modeling and risk assessment
Threat modeling helps identify security objectives and vulnerabilities and define countermeasures to prevent, mitigate, or respond to threats. Similarly, risk assessment helps compute the probability of attacks as well as assess the impact and cost of attacks. Ultimately, every new design should start by answering the question: How much security is good enough?
Security by design
It is not practical and can be very expensive to add security later in the product development cycle. Simply selecting off-the-shelf secure hardware and software components is also not enough to build a secure IoT device. The power implications of the chosen security hardening solution should be taken into consideration since it can account for a significant fraction of the total power consumption of the device. Similarly, cost and availability of secure components, whether software or hardware, should also be considered early during the design process. Besides secure components, identifying secure suppliers is equally important to guarantee the overall security of the end product. Furthermore, the product development should happen within a well-defined framework such as the Secure Development Life Cycle (SDLC) that guides the steps required to develop a secure IoT device [3].
Cryptographic best practices
The strict observance of well-established cryptographic best practices is fundamental to guaranteeing a high level of protection for the data being processed. This includes always using the strongest encryption algorithm available along with the most recent version of security protocols. The encryption level should always be commensurate with the sensitivity of the data being processed. Only industry-standard algorithms and cipher suites should be considered [3]. However, the power consumption requirements of any chosen algorithm should be well understood, and care should be taken to ensure that it remains within the device's total power budget. For example, while Post-Quantum Cryptographic (PQC) algorithms offer long-term protection and the highest level of security available today, the power requirement of even the most optimized hardware implementation of these algorithms lies far beyond what current extremely low power IoT devices can sustain.
Cryptographic keys should be unique per device and should be remotely replaceable. A device’s keys should be stored in a secure way and only authorized software should have access to them.
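One way to meet the unique-per-device, remotely replaceable key requirement above, shown as an added example that is not from the original article: each device key is derived with HKDF-SHA256 (RFC 5869) from a fleet root secret, the device ID and a key epoch, so replacing a key means moving the device to the next epoch. The root secret, salt, label, device IDs and the epoch scheme are assumptions made for illustration.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): concentrate the input secret into a PRK."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` key bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key material too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_key(root_secret: bytes, device_id: bytes, epoch: int, length: int = 16) -> bytes:
    """Derive the key for one device and one key epoch (hypothetical scheme).

    The device ID is length-prefixed inside `info` so that two different
    (device_id, epoch) pairs can never encode to the same byte string.
    """
    if not device_id or len(device_id) > 255:
        raise ValueError("device_id must be 1..255 bytes")
    if not 0 <= epoch <= 0xFFFFFFFF:
        raise ValueError("epoch must fit in 32 bits")
    prk = hkdf_extract(b"constructed-fleet-salt", root_secret)  # hypothetical salt
    info = b"device-key-v1" + bytes([len(device_id)]) + device_id + epoch.to_bytes(4, "big")
    return hkdf_expand(prk, info, length)


# Constructed sample values, for illustration only.
ROOT = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
k_a0 = device_key(ROOT, b"sensor-0001", epoch=0)
k_b0 = device_key(ROOT, b"sensor-0002", epoch=0)  # different device, different key
k_a1 = device_key(ROOT, b"sensor-0001", epoch=1)  # same device after key replacement
```

Only the derived key is written to the device; the root secret never leaves the provisioning side, so extracting one device's key does not expose any other device.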
Building the chain of trust
Building a robust chain of trust ensures a high level of trust between hardware and software components, in turn contributing to a more secure IoT device. To this end, an integrated hardware root of trust (RoT) serves as the foundation for all secure cryptographic operations. The RoT is the foundation on which higher-level protection mechanisms such as firmware signing for remote updates and secure boot heavily rely. The secure remote software/firmware update capability is a critical requirement for any IoT platform since it provides a means to apply patches and address vulnerabilities discovered once the device has been deployed. The security of the software/firmware update mechanism prevents misuse and malware injection.
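An added example (not code from the original article or from HaiLa) of the update check that a root of trust anchors: the device authenticates a small manifest and rejects rollbacks before spending energy on the image transfer, then checks the received image against the manifest digest. HMAC-SHA256 with a device key stands in for the asymmetric signature a production design would typically verify; the manifest layout and all sample values are assumptions.

```python
import hashlib
import hmac
import struct

MANIFEST_FMT = ">II32s"  # version, image size, SHA-256 of image (hypothetical layout)
TAG_LEN = 32


def make_manifest(key: bytes, version: int, image: bytes) -> bytes:
    """Build-server side: pack the manifest and append its authentication tag."""
    body = struct.pack(MANIFEST_FMT, version, len(image), hashlib.sha256(image).digest())
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_manifest(key: bytes, blob: bytes, current_version: int, max_size: int):
    """Device side, step 1: run on the 72-byte manifest before any image transfer.

    Returns (version, size, digest) or raises ValueError.
    """
    if len(blob) != struct.calcsize(MANIFEST_FMT) + TAG_LEN:
        raise ValueError("malformed manifest")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed")
    version, size, digest = struct.unpack(MANIFEST_FMT, body)
    if version <= current_version:  # never reinstall an older, vulnerable build
        raise ValueError("rollback rejected")
    if size > max_size:
        raise ValueError("image exceeds update slot")
    return version, size, digest


def check_image(image: bytes, size: int, digest: bytes) -> bool:
    """Device side, step 2: confirm the received image matches the manifest."""
    return len(image) == size and hmac.compare_digest(hashlib.sha256(image).digest(), digest)


# Constructed sample values, for illustration only.
KEY = bytes(range(16))
IMAGE = b"constructed firmware image " * 8
MANIFEST = make_manifest(KEY, version=7, image=IMAGE)
```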
Secure service provisioning
A robust provisioning methodology is an important part of secure IoT device deployments. This should include a means to exchange initial end-user credentials during the last phase of the deployment and subsequent end-user operation. This step is critical given that it marks the time the device enters a non-controlled environment for the first time.
HaiLa Technologies is focused on designing and delivering secure radio communications solutions for battery-less and ambient powered IoT devices. The BSC3000 system-on-chip supports modes that are backwards-compatible with existing Wi-Fi and Bluetooth protocols while also including hardware encryption, an RoT, and secure provisioning.
Future communications protocols focused on ambient powered IoT devices are under development in various standards bodies, including the active 802.11 task group, TGbp, for Wi-Fi. Along with defining efficient radio communication approaches, HaiLa’s industry efforts also include the definition of security protocols for global standards development for ambient powered devices. Protocols that support IoT devices that are both power-aware and that support security as cardinal design principles offer the most successful path forward.
References
[1] ENISA. 2020. “Guidelines for Securing the Internet of Things.” ENISA Report, November.
[2] IoT Security Foundation. 2019. “Secure Design Best Practice Guides.” Release 2.
[3] IoT Security Foundation. 2021. “IoT Security Assurance Framework.” Release 3.0.
