With this post, I want to continue from earlier discussions on security posted here and here and focus on Connected Devices or the Internet of Things (IoT). IoT typically represents a network of physical objects (or “things”) embedded with electronics, software, sensors, and connectivity to enable those objects to exchange data with the manufacturer, operator, cloud and/or other connected devices. The IoT devices are typically thought of as “smart devices”, such as networked home appliances remotely monitored or controlled; “smart home” components, such as lighting, heating, or ventilation units with remote management/monitoring access; sensor networks for industrial automation; networked vehicle telematics sensors, and a multitude of other embedded devices that are network-connected and computationally capable.
Watch this video for a quick overview of what I'll touch on in this post:
If securing your connected devices interests you, don't hesitate to contact Qt straight away to learn more about how you can integrate Verimatrix' solution with Qt. If you would like to find out more, please read on.
Security of Connected Devices
The huge number of devices connected through heterogeneous infrastructures increases the risk of attacks. The potential attack of an IoT infrastructure (network or end devices) generates risks, including loss of control of the application, denial of service, switching off (e.g. smart grid application), user privacy loss, fraud, terrorist attacks... with heavy social consequences such as loss of revenue, liability issues, brand damage, people’s health, job destruction.
When implementing an IoT infrastructure, I recommend conducting a security analysis in order to evaluate the effect of a successful attack and to define the best security solution to be implemented. Hackers or malicious users are motivated by various considerations, such as money, having fun, technical challenge, terrorism, etc. To achieve their goals, they deploy solutions to abuse the functionalities of a device or extract information from it.
Usually, hackers put in perspective the reward of the hack vs. the “cost” and the “risk” of the attack: the time he spent to perform the attack vs the cost of equipment needed to perform the attack (economical barrier). The expertise required to perform the attack is a good example of “cost”. An example of “risk” includes a legal penalty if caught (fine, prison, etc.).
I want to highlight that it’s important to size security according to the consequence of a hack, not to the value of the device itself.
Attacks
Connected devices are potentially open to a huge number of attacks. Attacks may be performed at different levels:
- At the network level, the hacker has only access to the device through the network
- At the device level, the hacker has also access directly to the device
- At the CPU level, the hacker can physically perform attacks on chips located in the device
Here are some examples:
- Software attacks: the attacker finds and exploits vulnerabilities in protocols, crypto-algorithms, or in their implementation to bypass security mechanisms.
- Exploitation of Test features: the attack path aims to enter the device in test mode to provide a basis for further attacks
- Attacks on Hardware as an example, attacks on RNG (Random Number Generator): random numbers are at the basis of cryptography.
Cryptography
Cryptography is the practice and study of hiding information. It is the science used to keep information secret and safe. Cryptography can be divided into three main functions:
- Authentication: how to establish the true identity of a peer
- Confidentiality: how to keep information secret
- Integrity: how to detect if data was modified
These three functions can be used individually or combined to create a solution.
Finally, I want to emphasize that the security of any cryptography is depending on keeping sensitive keys secret.
Security functions
Regardless of the use case, the Connected Devices share common basic security needs which stand as pillars of security:
- Authentication: confirming the identity of the communication peer
- Secure Communication: protecting data in transit
- Secure Execution of code: protecting data in process
- Secure Storage: protecting data at rest
Cryptography is the foundation of these four pillars, as it is used to authenticate, encrypt/decrypt information, sign, and check data integrity.
Authentication: confirming the identity of the communication peer
Authentication is the process in which the communicating peers identify each other and assure each other of their identities. Each endpoint must be controlled in order to make sure each peer is genuine and to avoid insertion of fake devices into the network.
The most common form of authentication is based on sharing a common secret. AES or SHA-256 are typical examples of algorithms used for authentication with a symmetric key. But remember, this methodology is highly vulnerable because if the shared secret is compromised, the entire security mechanism collapses.
A better authentication method relies on the use of asymmetric, public key cryptography. Public key authentication is commonly used in Internet-connected servers and devices to provide strong authentication. ECDSA is a typical example of an asymmetric algorithm used for authentication.
Authentication and Root Keys
The challenge in communication is to create an initial trust to make sure that the received public key belongs to the intended communication peer and can be trusted. A device needs to obtain the “trust” that the public key it uses to verify a signature indeed belongs to the device it “wants to talk to”, and/or belongs to a device it can trust.
This invariably requires the storage of some public key in the device. Although the public key does not need to be kept secret, it must be immutable – it must not be possible for an attacker to modify the key or cause the device to use another key instead.
Provisioning, loading the keys in the device and storing them is critical and therefore requires particular attention. Verimatrix offers an award-winning flexible and secure solution for provisioning that fits the different needs of device vendors.
Secure Communication: protecting data in transit
As their name implies, the Connected Devices leverage existing Internet technologies and protocols. These protocols provide a selection of proven secure communication solutions. The actual use case of the node typically dictates the criteria for selecting the leveraged secure communication protocol – for example, in “Smart Grid” deployments where the communication model typically follows the client-server model, protocols such as SSL/TLS or DLTS are used, while in “full mesh”-type networks a network level security protocol such as IPsec is more applicable.
Secure Execution of code: protecting data in process
The code executed by a Connected Device must behave as expected: it should not be modified or corrupted and should not leak sensitive data. This is even more important when the code handles cryptographic keys or performs cryptographic algorithms. The key must remain secret and unchanged during the full cryptographic process, including loading of keys, and the code executing the crypto-function must behave as expected. Some sensitive applications such as payment applications in a wearable device may require some specific level of further protection.
The code can be protected in two ways: either execution happens within a secure or trusted environment or execution can be protected using software code protection technologies.
Software code protection technologies can roughly be divided into three categories:
- Obfuscation
- Integrity checks
- Whitebox
Obfuscation
Obfuscation hinders an attacker’s ability to statically analyze the software. Given the “always on” requirement of modern software, significant quantities of sensitive logic and Intellectual Property (IP) will be installed on client devices. At the same time, many new features are deployed in devices that contain commercially sensitive algorithms, security-sensitive features that seek to fingerprint or authenticate devices and users, or those that decrypt streams of sensitive content.
These sort of routines within applications can be readily examined using a wide array of freely available debugging and hacking tools, creating a significant risk of hacking and IP theft.
Powerful obfuscation, such as technologies offered by Verimatrix, significantly increases the complexity required to reverse engineer an application’s sensitive functions, and in doing so, significantly hampers attempts to statically or dynamically analyze their operation, making analysis impractical for all but the most skilled attacker and ensuring that even elite hackers will move on to softer, less frustrating targets.
Verimatrix offers a plug-in to integrate code obfuscation technology into the build toolchain. This allows easy code obfuscation on any Qt Application that needs protection against reverse engineering.
Integrity checks
The integrity of an application and its functionality is achieved by tamper-proofing the
application code itself. Tamper-proofing means that an attacker cannot:
- Modify the software to insert malicious code
- Dynamically analyze the software with “known” conditions, or change the code to observe the effect the change has
- Remove protections
- Lift components out the application to make them easier to analyze in e.g. an emulator
Integrity checks inserted into the code to protect the software integrity during runtime. Any code change attempt will automatically be detected to stop an attacker before they even start to take control of the device.
Verimatrix offers technology to automatically add integrity checks into Qt applications. These checks can be added as part of the build toolchain. The integrity checks have some dependency on the hardware of the target device that needs to be taken into account when doing the tuning of the checks.
Whitebox
As discussed above, cryptography is a crucial part of protecting the IoT device and its wider ecosystem, but all standard cryptography algorithms have a flaw that attackers are increasingly capitalizing upon. If an attacker has direct access to the software running on a device, then it is usually very easy for them to steal any secrets (such as keys) being used with those algorithms. In most cases, obtaining access to these secrets nullifies any benefits that might have been gained from using cryptography in the first place.
The most obvious effect of using whitebox technology is that the secrets are never revealed in memory even while they are being used. A good whitebox implementation, such as the Whitebox technology from Verimatrix, specifically protects against advanced attacks that aim to reconstruct the secrets by leveraging weaknesses in the original algorithm and/or the white-boxed version.
Secure Storage – Protecting data at rest
While data is protected during its manipulation, stored data must also be protected. There are two main categories of data that must be protected during storage:
- The encryption key and unique device identifiers. Such data is used as a trust anchor for a secure system.
- Sensitive data that belongs to the application and must be protected to warranty its privacy.
In a Connected Device this data is stored in a variety of media, but essentially in memory devices offered by the semiconductor industry. Data can be protected by encryption or by being stored in a tamper-resistant device, or a combination of both. In any case, the access to such data must be carefully controlled for authorized persons, machines or processes.
Although some of the technology related to security can be complicated, it doesn’t have to be hard to integrate it into your Qt applications. Qt users can easily benefit from the latest and most advanced Whitebox technology to implement secure storage or a secure filesystem. Verimatrix offers a plug-in into the Qt Creator IDE to add this component and make it available through simple and clear APIs.
Conclusions
The Internet of Things is a new and emerging technology market, with a large scope of requirements and needs in terms of security. The security requirements are similar to those of earlier generations of networked devices, embedded devices or security tokenization but need to be combined together strategically to match each specific use case. The security design of connected devices can greatly benefit from the experiences gathered in the fields of platform security, network security, and highly sensitive applications such as payment or financial transaction, government-related application and content protection.
Having secured more billions of devices worldwide, Verimatrix offers a solution to address all the security needs of Connected Devices. Starting from secure provisioning solutions and Security IP for chip vendors, spanning Secure Boot and Secure Communication solutions and going all the way to the most advanced software protection technologies. These technologies have successfully gone through extensive penetration and attack testing by external security labs.
The products from Verimatrix allow device vendors to securely process and store sensitive data in a hostile environment. It simplifies the integration of security into software and allows to defend against malicious attacks.
If you are interested in securing your application or embedded device, contact The Qt Company to get more information about how to integrate Verimatrix' solution with Qt.
