Bench Talk for Design Engineers | The Official Blog of Mouser Electronics


New MCU Hardware Enhances IoT Security

Steven Keeping

Software techniques have helped developers protect their IoT devices against increasingly sophisticated hacks. But vulnerabilities remain. Now, chip makers are addressing those challenges with built-in MCU hardware protection.

(Source: sizsus / stock.adobe.com; generated with AI)

Despite recent security enhancements, Internet of Things (IoT) connected devices still represent a weak link in many networks, offering a back door into computers that are otherwise protected by relatively strong defenses. The size of the “attack surface” presented by IoT devices is multiplied by four factors: the sheer number of connected devices; their relatively limited protective resources; infrequent software patches to resolve security issues; and poor attention to safety features such as strong passwords and encryption keys.

Malicious actors can seize control of IoT devices and then either use them as a botnet to bring mayhem across the internet with activities such as distributed denial-of-service (DDoS) attacks, or to gain entry to company systems through a cybersecurity Achilles’ heel to access valuable data.

Software—typically in the form of passwords, encryption, and authentication—is playing an increased role in protecting IoT devices from botnet attacks or network compromises. But for software security to maintain its protection, skilled programmers and regular maintenance are needed, which many companies are finding to be in short supply. However, an alternative approach rapidly gaining credibility is to design security from the ground up using new microcontroller unit (MCU) hardware features supplied by security-conscious chip vendors. Let’s consider more how this new approach is stepping up security in IoT devices.

The Botnet Lives On

The most infamous example of the IoT being used for a mass DDoS attack dates to 2016, when malware called Mirai started scanning the IoT for devices using ARC processors. These processors typically ran a streamlined version of the Linux operating system (OS), and if the default username and password combination was not changed, then Mirai logged in and infected the device. Using approximately one hundred thousand hijacked IoT devices, the Mirai botnet brought down domain registration services provider Dyn in a mass DDoS.

Although the perpetrators of Mirai were prosecuted, the source code made it into the wild where it lives on today in several mutated forms. And it’s not alone. The aptly named “Reaper,” for example, is able to target a larger number of processors than Mirai variants and has far greater control over what it does with its bots.

Fighting Back

With no room for complacency, IoT chip makers are taking the lead in the battle against hackers, encouraging their customers to take a ground-up approach to security by including it as a fundamental part of the design-and-development process. While this adds cost and time to the project schedule, compared to the financial damage associated with a security breach, it is money well spent. According to Platform Security Architecture (PSA) Certified, an industry partnership combating security challenges, the average cost of a successful IoT device attack is more than 330,000 USD,[1] and that’s without factoring in the financial damage due to loss of reputation.

PSA Certified not only encourages the chip industry to offer advanced security features on their MCUs, but also to seek independent IoT security certification through its framework. That way, customers have a benchmark against which to measure the protection offered by their choice of silicon.

MCU protection starts with making sure the chip can only run software from the silicon maker or trusted third parties. This is achieved by using a “secure boot” that performs a cryptographic validation of the firmware before executing it. Then the firmware checks subsequent software uploads to ensure that they are also authentic.

A well-protected MCU should also include an anti-rollback mechanism, which prevents updates with older firmware that is authentic but might be compromised with one or more security flaws—allowing hackers to take advantage of the vulnerabilities. One effective anti-rollback mechanism uses an incremental counter—held in secure storage—which represents the oldest version of the firmware that will be accepted.
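The secure-boot sequence and the anti-rollback counter described in the two paragraphs above, as an added example that is not code from the article or from any chip vendor. The 64-bit FNV-1a digest stands in for the public-key signature check a real boot ROM performs, and the rollback counter is a global variable standing in for a monotonic counter in secure storage; the firmware image header, the payload bytes and the function names are constructed for illustration.

```c
/* Added example, not code from the article: a model of the secure-boot
 * sequence described above. The 64-bit FNV-1a digest is a placeholder for
 * the public-key signature check a real boot ROM performs; the rollback
 * counter is a global standing in for a monotonic counter in secure storage. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uint32_t version;       /* firmware version carried in the image header */
    uint32_t length;        /* payload size in bytes */
    uint64_t tag;           /* placeholder for a signature over version, length and payload */
    const uint8_t *payload;
} fw_image_t;

typedef enum { BOOT_OK = 0, BOOT_BAD_SIGNATURE = 1, BOOT_ROLLBACK = 2 } boot_result_t;

/* Simulated secure storage: the oldest version that will still be accepted. */
static uint32_t g_rollback_counter = 0;

static uint64_t fnv1a64(const uint8_t *p, size_t n, uint64_t h) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Placeholder "signature": digest over the header fields and the payload. */
uint64_t fw_compute_tag(const fw_image_t *img) {
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv1a64((const uint8_t *)&img->version, sizeof img->version, h);
    h = fnv1a64((const uint8_t *)&img->length, sizeof img->length, h);
    return fnv1a64(img->payload, img->length, h);
}

/* Constant-time equality so the verdict does not leak through timing. */
static int ct_equal_u64(uint64_t a, uint64_t b) {
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(1u ^ (d & 1u));
}

boot_result_t secure_boot(const fw_image_t *img) {
    /* 1. Authenticity first: an image that fails validation is never executed. */
    if (!ct_equal_u64(fw_compute_tag(img), img->tag)) return BOOT_BAD_SIGNATURE;
    /* 2. Anti-rollback: authentic images older than the counter are refused. */
    if (img->version < g_rollback_counter) return BOOT_ROLLBACK;
    /* 3. Advance the counter only after both checks pass, never before. */
    if (img->version > g_rollback_counter) g_rollback_counter = img->version;
    return BOOT_OK;
}

uint32_t rollback_counter(void) { return g_rollback_counter; }

/* Builds a constructed image of the given version and boots it; tamper != 0
 * flips a payload bit after the tag was computed, as a modified flash
 * image would present itself to the boot ROM. */
boot_result_t boot_demo_image(uint32_t version, int tamper) {
    static uint8_t payload[8] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04 };
    fw_image_t img = { version, sizeof payload, 0, payload };
    img.tag = fw_compute_tag(&img);
    if (tamper) payload[0] ^= 0x80;
    boot_result_t r = secure_boot(&img);
    if (tamper) payload[0] ^= 0x80;   /* restore for the next call */
    return r;
}

int main(void) {
    printf("v2 fresh    -> %d (expect 0)\n", boot_demo_image(2, 0));
    printf("v1 rollback -> %d (expect 2)\n", boot_demo_image(1, 0));
    printf("v2 tampered -> %d (expect 1)\n", boot_demo_image(2, 1));
    printf("v3 update   -> %d (expect 0)\n", boot_demo_image(3, 0));
    return 0;
}
```

The order of the three steps is the point: the counter is compared only after the image has been authenticated, and it is advanced only after both checks succeed, so a rejected image can never move the counter and an unauthenticated header can never influence it.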

Built-in Memory Protection

Another good practice for designing security is to select an MCU with either a memory management unit (MMU) or a memory protection unit (MPU). An MMU is currently available only on a few high-end IoT MCUs. It translates the virtual addresses generated by a program into physical addresses in memory and enforces memory security by preventing software from accessing protected memory, ensuring that one process cannot interfere with another. An MPU, which is more common, protects memory regions by defining access permissions for each privilege state; when an access violates those permissions, the MPU blocks it and triggers a fault exception.
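A software model of the MPU decision just described, added here as an example that is not code from the article or from any vendor. The region table, the three permission bits and the two privilege levels are constructed for illustration and do not reproduce any real MPU's register layout; the memory map addresses are invented for a hypothetical device.

```c
/* Added example, not code from the article: a software model of an MPU's
 * access decision. The region table, the permission bits and the two
 * privilege levels are constructed for illustration and do not reproduce
 * any vendor's register layout. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
typedef enum { UNPRIV = 0, PRIV = 1 } privilege_t;

typedef struct {
    uint32_t base;         /* region covers [base, base + size) */
    uint32_t size;
    uint8_t  priv_perm;    /* permissions for privileged code (RTOS kernel, secure firmware) */
    uint8_t  unpriv_perm;  /* permissions for unprivileged application tasks */
} mpu_region_t;

/* Constructed region table for a hypothetical MCU memory map (no overlaps). */
static const mpu_region_t regions[] = {
    { 0x08000000u, 0x00100000u, PERM_R | PERM_X, PERM_R | PERM_X }, /* flash: read/execute, never writable */
    { 0x20000000u, 0x00010000u, PERM_R | PERM_W, PERM_R | PERM_W }, /* task SRAM: read/write, never executable */
    { 0x20010000u, 0x00001000u, PERM_R | PERM_W, 0 },               /* kernel data: privileged only */
    { 0x40000000u, 0x00100000u, PERM_R | PERM_W, 0 },               /* peripherals: privileged only */
};

/* Returns 1 if the access is permitted, 0 if the MPU would raise a memory
 * fault. Addresses outside every region fault by default (fail closed). */
int mpu_check(uint32_t addr, uint8_t access, privilege_t priv) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const mpu_region_t *r = &regions[i];
        if (addr >= r->base && addr - r->base < r->size) {
            uint8_t perm = (priv == PRIV) ? r->priv_perm : r->unpriv_perm;
            return (perm & access) == access;   /* every requested right must be granted */
        }
    }
    return 0;
}

/* What a fault handler typically records so the violation can be diagnosed
 * and the offending task terminated or the device reset. */
typedef struct { uint32_t addr; uint8_t access; privilege_t priv; } memfault_t;

int mpu_access(uint32_t addr, uint8_t access, privilege_t priv, memfault_t *fault) {
    if (mpu_check(addr, access, priv)) return 1;
    fault->addr = addr; fault->access = access; fault->priv = priv;
    return 0;
}

int main(void) {
    memfault_t f;
    if (!mpu_access(0x20000100u, PERM_X, UNPRIV, &f))
        printf("fault: execute from SRAM at 0x%08x blocked\n", (unsigned)f.addr);
    if (!mpu_access(0x40001000u, PERM_W, UNPRIV, &f))
        printf("fault: unprivileged peripheral write at 0x%08x blocked\n", (unsigned)f.addr);
    printf("privileged peripheral write allowed: %d\n", mpu_check(0x40001000u, PERM_W, PRIV));
    return 0;
}
```

Two properties of the table are worth copying into a real configuration: no region is both writable and executable, and anything not explicitly mapped is denied, so a stray pointer or a corrupted return address lands in a fault rather than in silent memory access.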

Taking security even further, encrypted memory will increase protection over and above that facilitated by the MMU or MPU by increasing the challenge for malicious actors to extract user data or credentials. The encryption key should be unique to each chip so that breaking one won’t compromise all the others—just be very careful how you create and store the cryptography keys.

The MCU itself can generate the cryptographic key, but caution is advised. Key material is typically derived from a random number generator (RNG). In the past, it was common for developers to use the current date or time as a ‘seed’ for a pseudo-random number generator (PRNG). The problem is that a PRNG’s output is entirely determined by its seed, so it is not unpredictable, and patterns in its output could be exploited by hackers.

To overcome the potential weaknesses of a PRNG, MCU makers have begun to implement a hardware random number generator (HWRNG) using sources of entropy based on jitter generated by thermal or audio noise, or a ring oscillator. The result is a true RNG that can be used for cryptography keys that are nearly impossible to hack. It is best to look for chip vendors that certify their HWRNG implementations, which in turn is useful if you want your product certified to a standard such as PSA Certified.
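A check a practitioner would want beside a HWRNG, added here as an example that is not code from the article or from any vendor: the repetition count test from NIST SP 800-90B (section 4.4.1), a continuous health test that firmware can run on raw noise-source output before the bytes feed key generation. The cutoff formula C = 1 + ⌈(−log2 α)/H⌉ is the standard's; the sample buffers and the function names are constructed for this illustration.

```c
/* Added example, not code from the article: the repetition count test from
 * NIST SP 800-90B (section 4.4.1), a continuous health test an MCU can run
 * on its HWRNG output before the bytes feed key generation. The cutoff
 * formula C = 1 + ceil(-log2(alpha) / H) is the standard's; the sample
 * buffers built below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* neg_log2_alpha: false-positive exponent (20 means alpha = 2^-20);
 * h_bits: assessed min-entropy per sample in bits. Integer ceiling division. */
unsigned rct_cutoff(unsigned neg_log2_alpha, unsigned h_bits) {
    return 1u + (neg_log2_alpha + h_bits - 1u) / h_bits;
}

/* Passes (1) unless some value repeats in cutoff or more consecutive samples;
 * a run that long signals a stuck or failing noise source. */
int rct_pass(const uint8_t *s, size_t n, unsigned cutoff) {
    unsigned run = 1;
    for (size_t i = 1; i < n; i++) {
        if (s[i] == s[i - 1]) {
            if (++run >= cutoff) return 0;
        } else {
            run = 1;
        }
    }
    return 1;
}

/* Constructs 256 samples of alternating 0x00/0xFF with one run of run_len
 * copies of 0x5A in the middle (capped at 128), and returns the verdict. */
int rct_run_len_test(unsigned run_len, unsigned cutoff) {
    uint8_t buf[256];
    size_t n = 0;
    for (; n < 64; n++) buf[n] = (n & 1) ? 0xFF : 0x00;
    for (unsigned k = 0; k < run_len && n < 192; k++, n++) buf[n] = 0x5A;
    for (; n < 256; n++) buf[n] = (n & 1) ? 0xFF : 0x00;
    return rct_pass(buf, n, cutoff);
}

int main(void) {
    unsigned c = rct_cutoff(20, 8);   /* full-entropy bytes: C = 4 */
    printf("cutoff for alpha=2^-20, H=8: %u\n", c);
    printf("run of 3              -> %s\n", rct_run_len_test(3, c) ? "pass" : "FAIL");
    printf("run of 4              -> %s\n", rct_run_len_test(4, c) ? "pass" : "FAIL");
    printf("stuck source (run 128) -> %s\n", rct_run_len_test(128, c) ? "pass" : "FAIL");
    return 0;
}
```

The cutoff depends on the entropy the vendor claims per sample: a source assessed at one bit per sample (H = 1) tolerates runs up to 20 at the same false-positive rate, which is why the vendor's certified entropy figure, not just the existence of a HWRNG, matters when you configure the test.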

Secure boot, secure firmware updates, memory protection, and encrypted memory form a Root of Trust (RoT), which underpins developer and user confidence in the MCU’s software architecture.

Computing in Isolation

Establishing an RoT provides an authentic software foundation for the MCU’s activities. Although it makes life harder for hackers, this doesn’t mean they will give up. While secure software might prevent the MCU from being coerced into a botnet, it can still be hacked to gain access to its data or data in a network of which it forms a part.

The primary form of protection against such hacking is a secure processing environment (SPE). This isolates a part or parts of the MCU from the outside world. With no connectivity, bad actors have no way in. It is also good practice to encrypt the data stored in the SPE as an additional security measure.

Moreover, the chip will likely make use of a non-secure processing environment (NSPE) where it can perform low-risk computational activities and store mundane data. The advantage of an NSPE is lower latency and reduced power consumption. If the MCU has several cores, then one or more can be used for the SPE, while others can be allocated to the NSPE. If the MCU only has a single core, then a section of the processor can be dedicated to the SPE by using technology such as Arm’s TrustZone.

The SPE and NSPE are isolated from each other and don’t communicate directly. Instead, they exchange data only through designated shared resources such as shared RAM buffers and interprocess communication mechanisms. So even if the NSPE does get hacked, there is no path from it into the SPE.

Resisting Fault Injection

There is another scenario whereby RoT can be compromised—fault injection attacks. By repeated voltage and clock glitching, an attacker can force the MCU to skip important instructions, such as secure boot verifications, compromising its protection. This type of attack is harder to execute compared to remote offenses because the hackers must physically access the MCU. Nonetheless, it has been attempted on many occasions when the data contained on an IoT device is of high value.

As IoT security threats have evolved, the complexities involved in combatting them have forced MCU makers to advance their design techniques. Protection now comes in the form of anti-tamper measures, such as dedicated protection hardware components and software countermeasures. This is an emerging discipline for many engineers, so the best approach to MCU selection is to ask the chip maker how they’ve gone about protecting their solutions against fault injection attacks.
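The "software countermeasures" mentioned above, shown on a boot-time digest comparison as an added example that is not code from the article or from any vendor. The PASS/FAIL bit patterns, the loop-completion counter and the redundant inverted re-check are this example's own choices for resisting single instruction skips; the reference digest and image bytes are constructed.

```c
/* Added example, not code from the article: software countermeasures of the
 * kind used against instruction-skip glitches, applied to a boot-time digest
 * comparison. The PASS/FAIL bit patterns and the redundant re-check are this
 * example's own choices; they complement the hardware glitch detectors a
 * chip vendor may provide. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Verdicts are multi-bit patterns far apart in Hamming distance, so a single
 * skipped instruction or flipped register bit cannot turn FAIL into PASS
 * the way a 0/1 boolean can. */
#define VERDICT_PASS 0x3CA53CA5u
#define VERDICT_FAIL 0xC35AC35Au

uint32_t hardened_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    volatile uint32_t verdict = VERDICT_FAIL;  /* fail-closed default */
    volatile size_t done = 0;                  /* counts completed iterations */
    uint8_t diff = 0;

    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
        done++;
    }
    /* Loop-completion check: a glitch that skips iterations leaves done != n. */
    if (diff == 0 && done == n) verdict = VERDICT_PASS;
    /* Redundant check with the inverted condition: skipping one branch is not enough. */
    if (diff != 0 || done != n) verdict = VERDICT_FAIL;
    return verdict;
}

/* Only the exact PASS pattern boots; any other value, including a corrupted
 * PASS, is treated as failure. */
int boot_allowed(uint32_t verdict) {
    return verdict == VERDICT_PASS;
}

/* Constructed reference digest and two candidate images for a stand-alone run. */
uint32_t demo_verdict(int tampered) {
    static const uint8_t expected[4] = { 0xA1, 0xB2, 0xC3, 0xD4 };
    static const uint8_t good[4]     = { 0xA1, 0xB2, 0xC3, 0xD4 };
    static const uint8_t bad[4]      = { 0xA1, 0xB2, 0xC3, 0xD5 };
    return hardened_compare(expected, tampered ? bad : good, 4);
}

int main(void) {
    printf("good image:        %d\n", boot_allowed(demo_verdict(0)));
    printf("bad image:         %d\n", boot_allowed(demo_verdict(1)));
    printf("corrupted verdict: %d\n", boot_allowed(VERDICT_PASS ^ 0x1u));
    return 0;
}
```

The `volatile` qualifiers keep the compiler from folding the two checks into one, which would silently undo the redundancy; in a product the same patterns are applied to the secure-boot signature result and the anti-rollback comparison, and the vendor's own glitch-detection hardware supplies the second layer the text recommends asking about.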

Conclusion

While IoT devices feature enhanced software security, hackers are becoming increasingly sophisticated and are quickly finding new ways to circumvent the protection. Techniques such as uploading authentic but flawed software, breaking encryption keys, and voltage and clock glitches can overcome defenses. 

In the face of these new threats, chip makers are rising to the challenge by adding MCU hardware features to complement software security. Developers can take advantage of technology such as RoT, secure processing environments, and fault injection protection to harden their products against malicious attacks. Additionally, organizations like PSA Certified are defining industry standards so developers can independently benchmark the security status of their IoT devices. While the battle will never be over, these latest developments are keeping the chip industry one step ahead. 


[1] https://www.psacertified.org/what-is-psa-certified/why-choose-psa-certified/#:~:text=The%20Cost%20of%20Inaction%20is,damages%20will%20total%20%2410%20trillion.





Steven Keeping gained a BEng (Hons.) degree at Brighton University, U.K., before working in the electronics divisions of Eurotherm and BOC for seven years. He then joined Electronic Production magazine and subsequently spent 13 years in senior editorial and publishing roles on electronics manufacturing, test, and design titles including What’s New in Electronics and Australian Electronics Engineering for Trinity Mirror, CMP and RBI in the U.K. and Australia. In 2006, Steven became a freelance journalist specializing in electronics. He is based in Sydney.

