Introduction: Security challenges are increasing day by day. The IoT cloud, pipe and end must all be carefully considered. A "defense in depth" system is needed, which requires real-time defense measures and a system for post-event tracking and patching.
Do you still remember those malicious incidents: Jeep car software being maliciously hacked, smart cameras "leaking"... Ubiquitous security threats are hitting the perfect world of the Internet of Things. As applications of the Internet of Things become more and more extensive, security issues are becoming increasingly serious. How to provide a strong security system as a guarantee throughout perception, transmission, and application, and how to provide appropriate ubiquitous security cloud protection technology and systems, has become the focus of the industry.
Layer upon layer of defense, challenges follow like a shadow
The application layer, network layer and perception layer of the Internet of Things correspond to the cloud, pipe and end respectively, and their security considerations also differ. Qinglian Cloud CTO Yao Xi analyzed that the perception layer takes the form of device terminals, including operating systems, protocol stacks, firmware, sensors, etc. Security considerations include the physical destructibility of the hardware itself, whether the storage medium carries risks such as being removable or illegally read, whether the hardware debugging interface is secure, whether the firmware logic is secure, whether illegal firmware upgrades and downgrades can occur, whether the OS has enabled sensitive services, etc.
At the network level, IoT devices use many access protocols, including WiFi, BLE, Zigbee, 3G, and 4G; the application protocols are even more diverse, and each cloud platform or manufacturer has its own application-layer protocol, so ensuring the security of these network protocols is a must. Yao Xi pointed out that because the network is the highway of the IoT, encryption of communication links and prevention of eavesdropping are security issues that must be guaranteed at the network layer.
"The biggest security requirement at the application layer is to ensure the rigor of business logic and to avoid logical loopholes. Both design and implementation require a strong sense of security," Yao Xi further pointed out. Moreover, the cloud platform plays a very important role in the Internet of Things and is the "brain" of the entire Internet of Things. The "brain" needs to keep working properly at all times, so its security is very important.
"The cloud needs to provide a secure connection path, with a complete authentication system and authorization system. At the same time, the setting of security granularity is equally important. Not only should the security of data be guaranteed throughout the entire life cycle, but technical means should also be used to drive security through data. Whether the cloud SDK and API interface are secure, whether there are security risks in compatibility with third-party cloud platforms, and whether there are security risks in the cloud platform itself, etc., are all aspects that need to be considered for a secure cloud platform," Yao Xi emphasized. Therefore, challenges to IoT security are coming one after another.
Liu Yihui, vice president of Bangbang Security IoT, a new generation of cloud security service provider, told the reporter of Smart Product Circle (WeChat: pieeco) that the challenges facing IoT security include the following: the IoT structure is complex, the protocols and module standards are complicated, and the physical characteristics of software and hardware are very different; the debate over and practice of IoT centralization and decentralization are still continuing, and all major giants and alliances are holding high the banner of unity while creating division; the value and appreciation of the big data generated by IoT are underestimated; IoT security vendors generally substitute offensive security for defensive security, with strong offense and weak defense; IoT security vendors have stronger web-side security capabilities than mobile-terminal capabilities, and stronger endpoint protection capabilities than security system construction capabilities, etc.
Specifically in terms of operations, Liu Yihui believes that the "end" of end-to-end cloud security includes not only the APP end but also the embedded device end, which involves firmware, PCB, bus data, and wireless security, and requires a three-pronged approach across software, hardware and firmware. At present, from chips to operating systems, the design and architecture are complex, the cost of manual evaluation is high, and the degree of automation is low, which is also a common challenge faced by the industry.
Each department has its own responsibilities and strengthens deployment from end-pipe-cloud
Faced with so many ubiquitous security challenges, enhancing security requires corresponding specific security measures at each level, with each level performing its own duties, so as to provide layered defense. IoT security starts with chip manufacturers, especially at the IP, RTOS and OS levels.
Majid Bemanian, Imagination's market segment director, mentioned that isolation is the first step in protecting IoT devices, and isolation methods should be used in embedded systems to ensure security. Imagination's OmniShield includes hardware and software components. The root-of-trust IP module can ensure the security of MIPS CPUs, PowerVR GPUs, Ensigma wireless communications and other technologies, and supports hardware virtualization. Developers can safely develop and debug code in a virtual environment, which provides a secure operating environment for different applications. Therefore, OmniShield can not only ensure security and reliability, but also simplify the development and deployment of applications and services.
Ian Smythe, marketing director of ARM's processor division, also believes that IoT security covers everything from terminal nodes to the cloud. For terminal nodes, ARM provides a new security foundation: the ARMv8-M architecture, which brings TrustZone security isolation to the Cortex series processors. In addition, ARM provides TrustZone CryptoCell IP, which gives hardware a root of trust, key storage, secure storage, a TRNG and a secure encryption engine, providing additional hardware security for SoC developers. TrustZone technology and TrustZone CryptoCell technology can continuously access the cloud through a gateway based on the Cortex-A processor. In terms of IoT software, ARM mbed OS provides a platform that helps software developers create secure IoT systems. With these underlying safeguards, secure control can be achieved at the device level, and a trusted operating environment can be activated through secure boot to protect the system from attacks.
However, Yao Xi also emphasized that device manufacturers need to have a strong sense of security and add security logic to the design and implementation of both hardware and software. The role of cloud service providers is also very important.
"Not only must they ensure the provision of secure and reliable communication links, secure data transmission, storage and sharing, but they must also ensure the strong security of the hardware SDK, module firmware and API provided, because often smart devices are cracked and maliciously controlled starting from the SDK and API," said Yao Xi.
Bangbang Security believes that with the development of the Internet, mobile Internet and the Internet of Things, security is also evolving from border security to borderless security to micro-border security. Liu Yihui mentioned that Bangbang Security was the first in the industry to propose the idea and strategy of micro-border defense, focusing on micro-point self-defense, self-deployment maintenance, and self-perception of threats, and creating the following security service system. On the end side, it strengthens application security (triple reinforcement of apps, six protections), device security (firmware, hardware PCB, bus data, wireless), and chip-level protection solutions (source code protection, white box keys, etc.). On the pipe side, it provides OTA firmware security, communication protocol protection, etc. On the cloud side, it realizes endpoint threat perception, risk big data analysis, etc.
As the first IoT BaaS cloud platform with strong security attributes in China, Qinglian Cloud is also working hard to provide secure "pipes" and "clouds" for the "ends". "We provide equipment companies with functional modules such as equipment network configuration, command push, data upload, configuration distribution, OTA upgrade, M2M linkage, etc. Equipment companies only need to use the SDK and API provided by Qinglian Cloud to safely use cloud services. Qinglian Cloud also provides fine-grained security authentication levels, providing a unique token for each connection of each device, and the token has a life cycle.
After the token expires, the cloud will actively disconnect and require the device to reconnect to obtain a new token, thus avoiding replay attacks, horizontal forgery attacks and other difficult-to-prevent attacks," Yao Xi mentioned.
Comprehensive approach, openness becomes the key point
With the explosive growth of the IoT market in the future, the development of security will also shift from quantitative change to qualitative change. Yao Xi analyzed that on the one hand, the number of connected devices is huge, the types of devices are numerous, and data is generated frequently, all of which will reach an unimaginable level. On the other hand, "light terminal, heavy cloud" is inevitable. The value brought by a single device is far from enough; the data of all devices together is priceless, and the security issues that follow are even more complicated.
"The development trend of the Internet of Things is to connect all those that are not yet connected. Cars, refrigerators, health devices, etc. are all such ubiquitous networked endpoints. As the environment and carriers change, security is generalized to each endpoint. The risks brought by a security vulnerability on a perception terminal will be geometrically magnified to millions of terminals of the same type." The security risks mentioned by Liu Yihui cannot be ignored.
Therefore, security issues should be considered comprehensively and without bias toward any one part. The cloud, pipe and end must all be considered carefully. A "defense in depth" system is needed, real-time defense measures are needed, and a system for tracking and patching vulnerabilities afterwards is needed.
Yao Xi concluded: "How can all devices be securely connected to the Internet of Things and maintain long connections? The communication link is the basis of the connection, and it needs to be stable and indestructible. How to ensure the security of huge amounts of data?
The security of data is no longer just about ensuring its security during its life cycle. With the practice of big data technology, security issues that cannot be discovered at a single point can be analyzed online or offline. How to determine the security of the Internet of Things cloud is also a very critical factor. Cloud security needs to focus on business security, logical security and the security of the platform itself." To ensure the security of all the above, openness will be the most effective "pass".
Majid Bemanian mentioned that openness is the key to achieving security, which will bring the highest transparency to the IoT ecosystem and minimize security risks. Therefore, the entire industry needs to cooperate in developing interoperable open APIs to ensure security. This involves chip manufacturers providing open source code to promote the improvement of a series of open source APIs and achieve hardware-level security control. However, when it comes to opening up related resources such as the underlying technical data of chips and modules, chip manufacturers may have their own overall considerations of ecosystem and security; they generally open their SDKs but not the core, so true openness will take some time.
As the IoT industry and its business models transform, security also needs to keep pace with the times. Even with all parties doing a good job of security in advance, it is not easy to ensure secure connections and secure borders while integrating "end-pipe-cloud". The industry needs to "unify knowledge and action". "In general, IoT security is still in the stage from 'awareness' to 'implementation'," Yao Xi finally pointed out.