“If you think that the internet has changed your life, think again. The IoT is about to change it all over again!”
Introduction
Security is very important in embedded systems like IOT devices. The basic security like closing the unused port is good but many times more complex steps are required to be implemented. However, usually it is a challenge to implement these, as most embedded developers are not security experts. But embedded systems are many times installed at critical infrastructure like a substation or Microgrids. So, importance shall be given to design and build a device that guarantees security, authenticity and availability of the overall system.
In this article I will talk about three important concepts Secure boot, Secure update and Secure storage. These are three main concepts which are important to secure an embedded/IOT device.
What is Secure Boot?
Secure boot ensures that software running on device is authentic. This is done with a trust chain within the device. In trust chain, every running module verifies subsequent module .The device should start with an immutable root of trust that is created in the factory and cannot be modified. This root of trust would verify the integrity of the first stage of boot, the first stage of boot verifies the integrity of the second stage and so on.
During a normal insecure boot process, when device boots up the boot loader starts the operating system’s kernel without any verification. There is no surety whether the boot loader or OS are trusted. The problem with this kind of boot process is that any malicious actor can tamper the boot process and can inject his own code. This code can be a malware or a root kit which resides at the boot loader level and almost impossible to get detected during the run time.
Secure boot starts with an immutable root of trust in the hardware which is the most secure implementation and makes it immune from malware attacks.. Root of trust contains the keys used for the cryptographic functions. it can be a stand-alone security module or implemented as security module within a processor. This root of trust is immutable. For example, in a UEFI based system, a platform key is used to verify the UEFI firmware signature during a secure boot process.
The public key corresponding to the key that signed the software is usually included in the software that allows it to check for the signatures for the next level boot software.
Secure boot process completes after the verification operating system kernel. Kernel then verifies the signatures of device drivers or other applications.
What is Secure Storage?
With the prevalence of IOT devices everywhere it is evident that these devices would contain sensitive data. There should be proper security implemented in the device to secure this data to prevent any data leakage. Secure store implementation establishes protection of important data from external attacks.
Encryption of the complete storage media is one method to make sure that even if the device is stolen, the data on the disk cannot be decrypted and making it unusable for the malicious actor.
However, there are different kinds of data with different level of importance. It makes sense to classify data in different categories so that appropriate level of protection can be applied to each category. This improves user experience as well. In general, following can be data categories –
- Private key class (PKC) – Private keys of the asymmetric key pairs
- Certificate data class (CDC) – Public keys used to verify the signature of firmware and also device certificates containing public keys
- Device data class (DDC) – Sensitive data stored in the device (for example user or device configurations)
- General data class (GDC) – All other information in the device which doesn’t require specific data protection measures
There is certain hardware requirement for the IOT device if secure storage needs to be implemented. Ususally the hardware should be capable of –
- An immutable Identity that can be bound to the device
- A true random number generator
- Capability to generate RSA Key pair
- Capability to store or protect the private key generated
What is Secure Update?
Software applications needs a periodic update throughout their lifecycle. Some of the reasons for this can be because of –
- Patch updates – most common to fix the bugs and patch any vulnerability
- New and improved features are implemented in the software
- Used third party dependencies are updated
When such changes are made to the software, it is required to ensure that the changes are propagated to the devices in production for various reasons such as improved functionality, performance or protection of the devices from vulnerabilities.
With secure update of the software, organizations ensure that proess of updating the device by replacing or adding new files is trustworthy.
Secure update is required to ensure that the changes made to a running system come from a trusted source. Secure update verifies the authenticity and integrity of update software to ensure that the software can be trusted and has not been tampered during transit. Secure update prevents malicious entities from inserting malware to the devices.
Asymmetric cryptography is used in secure update. A trusted public key is installed in device which cannot be deleted or changed later. This key is the trust anchor for the device to verify any incoming update package.
The private key is securely stored in a trusted development environment. When a new version of software is created a hash of the software package is created and encrypted using this private key. This process is called software signing. Only a certain set of individuals are authorized to perform the signing operation and have access to the private key.
The signed software package is transferred to the device. The device then calculates the hash of the package, decrypts the signed hash using the public key and compares the received hash with its calculated hash. If both match, then the package is trusted by the device otherwise it is discarded.
Conclusion
Secure boot is an important feature and it requires engineers to think about the boot sequence and develop a chain of trust that originates at the root of trust. When device starts, each image is verified before it is executed. If the verification fails then device will stop the boot sequence but it can also decide to restore last working version of the boot sequence.
Similarly Secure storage and Secure update plays important role in a device’s security but they require careful design and implementation.
Further reading
http://www.uefi.org/specifications
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot
https://en.wikipedia.org/wiki/Digital_signature