Author: Phil Hodgers

End-to-End IoT Security

Our July blog post has been written by one of our Industrial Stakeholders Advisory Board (ISAB) members. A special thanks from RISE to Ilhan Gurel from Ericsson for contributing this best practice advice. Ilhan is HW and SW security expert at Ericsson.

“Security baked in at every layer, not later”

Securing entire end to end IoT chain covers securing IoT devices, backends and everything in between as well as life cycle starting from manufacturing and deployment to disposal.

Every component in this chain may have different attack surfaces, different adversaries and may be managed by different entities. It is also important to note that securing IoT devices and their backends is not an easy task and depends on operational environments, deployment models, use cases, adversaries, assets to protect and costs. No matter what these can be, there must be an adequate level of security baked into every layer and component, starting from the very beginning e.g. design phase but not added later.

The IoT Recipe for Security

Securing IoT end to end chain starts with security threat modeling and risk assessment. This is a crucial phase to find answers to security threats, mitigations and security requirements. Then it requires the following ingredients when and where applicable:

  • Hardware (HW) and Software (SW) supply chain security:
    • vulnerability and incident management
    • HW and SW components free of trojans/malwares
    • Keeping track of 3rd party HW & SW components and their origins.
  • HW Security:
    • secure boot
    • TRNG
    • secure storage
    • HW based RoT (Root of Trust)
    • HW based security features to mitigate ROP/JOP like attacks
    • HW based crypto modules
    • HW (and SW) based mitigations for side channel attacks if applicable
  • SW Security:
    • security hardening of OS and applications
    • minimal OS (including disabling/removing unsecure services/components)
    • sandboxing
    • least privileged processes
    • code signing
    • access control
    • secure SW development
    • auditing and logging
  • Trusted identities:
    • unclonable
    • unique
    • cryptographically random and strong enough during the lifetime of devices
    • generating, provisioning and storing identities securely
  • Life Cycle & Device Management:
    • secure SW updates
    • remote attestation
    • secure disposal of user and device data
  • Anomaly detection:
    • on device and at network level
  • Identity Management:
    • managing identity life cycles
    • revocations
    • renewals
    • bootstrapping
    • integration with PKI systems
  • Secure communication:
    • data confidentiality , integrity and origin in transit
    • the use of strong ciphers and mutual authentication
    • the use of secure protocols e.g. TLS/DTLS according to the best security practices as defined in RFC 7925, RFC 7525 and RFC 7540
    • the use of TLS 1.3 when and where possible. TLS 1.3 as standardized in RFC 8446 has significant security and privacy improvements comparing to TLS 1.2

How to measure security?

Connectivity also plays a crucial role with respect to high availability, battery life, reliable communication, data transmission rates (e.g. important for SW updates and rapid patching), built-in security.

Then an important question remains: how to measure security? In-house and independent security audits and reviews, security certifications are all relevant and may be one of the answers.

Securing end to end IoT chain is a not easy task but it is achievable. It requires all the ingredients mentioned above when and where applicable, most importantly security awareness of end users, device owners, manufacturers, platform and service providers, HW and SW developers, and more.

RISE @ ETSI Security Week 2019

Nice Promenade

Nice to be in Nice

That is an obvious and cheap play on words for the popular South of France destination and a joke I made back in 2016 during the European Championships, but one worth re-cycling for a new audience…

RISE was invited to speak at ETSI Security week, (last week) and we gave an update on hardware security, including the latest R&D from the RISE researchers.

I have to honest with you readers, I can think of worse places to be sent away on business in late June than Nice. If there is any consolation for the readers, we were cooped up in a conference room that was just about underground, with questionable Air-Con and far away from the beaches of the French resort.

ETSI HQ


EDSI @ ETSI Security Week

ETSI stands for the European Telecommunications Standards Institute and is a not-for-profit, and one of only three bodies officially recognized by the EU as a European Standards Organization. Essentially, the Standards people. The ETSI HQ is a short drive from Nice, in Sophia Antipolis.

Tucked away in some very picturesque French hills, Sophia Antipolis, the ‘French Silicon Valley’, is celebrating its fiftieth anniversary this year.

ETSI host multiple events each year and Security Week hosts a couple of hundred people across 5 days, each year in late June. ETSI was established in 1992 and this Security Week was number 13. The great and the good from all over the globe were on site to debate and discuss all things policy related, AI, 5G, IoT and cryptography. To give you an idea of the calibre of people there, two introductions were, “The 3GPP Godfather” and “the Godfather of 3G”; both experts in their field.

RISE gave an update on each of the 8 projects that are now in-life, focusing on hardware security, more specifically on the threat of hardware Trojans and Side-channel attacks and I am delighted to report than we had interest from some major global brands about collaboration moving forward. This can only be good news for UK (and wider afield) consumers.

Les Standards > Les Algorithms (ETSI & IoT)

Earlier this year, ETIS announced a new Technical Specification (TS) for Cyber Security in Consumer IoT – TS 103 645 to be precise, the first globally applicable industry standard for consumer IoT security. This industry standard builds on the Code of Practice from DCMS, but has been designed to work for European and wider global needs. The standard is set to inform, at home and abroad, the development of regulation and industry-led certification schemes. For businesses with an international supply chain and customer base, the standard provides an avenue to pursue a harmonised approach to implementing good security practice for their products. This TS will move to become a European Standard, telecommunications series (EN) and legislation is also looming on the horizon in the UK.

Days 4 & 5 (RISE spoke on Day 5)

What does the ‘S’ stand for in IoT?

This is a good idea. I remember being at CES in 2014 & 2015. In 2014, IoT had just become mainstream, one of the new hype technologies at CES that year, but nobody was talking about security. Thankfully, 12 months later, industry was more aware of the threat landscape about ‘everything being connected’, therefore vulnerable to a range of cyber-attacks, not least botnets. However, industry wanted to promote self-regulation, which still made me concerned for the future of IoT and consumer adoption.

As consumers, we still have the choice to buy a smart gadget, or not. My preference is to avoid smart gadgets where possible. And it isn’t just the security aspects that concern me, privacy is another major aspect around the IoT, not to mention technological obsolescence. 

Fast forward to 2019, here we are with international standards and legislation imminent in the UK around basic consumer IoT security measures. The community is working together to bring more secure IoT products and services to market, meaning the things we use and need, will be secure by design.

Good job ETSI and et al (DCMS, NCSC and the State of California).

Regards from the RISE (EDSI) Rookie

All the Pieces (Alma) Matter – the ramblings of the RISE rookie

As a former QUB alumni, I am very excited to join my Alma Matter down at ECIT as Business Development Manager for RISE (you will get plenty of abbreviations in this post)!

RISE is the Research Institute for Securing Hardware and Embedded Systems with the aim to bring together industry and academia to make our more secure, in the world of connected everything (IoT).

I first heard the term “Internet of Things” in late 2012 when I was chatting to some security researchers (really smart people who wear white lab coats, brown sandals and Megadeath t-shirts) in a previous job. The reason for my meeting with them was to get a better understanding of Botnets, as we were launching a new Botnet detection and remediation product in early 2013, so I wanted some context about the threat landscape.

Ever since then, I have had an insatiable interest in IoT and view “smart” devices with equal helpings of fascination and suspicion. As consumers we have the currently have the choice to buy a smart device, or not. In time, this choice will recede and the new fridge we buy will be connected whether we like it, or not. I won’t get into the data security and privacy arguments, let alone who actually owns the ‘data’ that these connected devices collect in this blog, so may return to this topic later.

We are living through this new wave of technological revolution and sincerely, I hope that we learn from our mistakes when computers went online.

ETSI announed earlier this year, a new Consumer Code of Pratice, (TS 103 645) which is great for ordinary people. Secion 4.1, ‘No universal default passwords’ is great advice for manufacturers since weak passwords is a major cause for devices being compromised.

And in case you didn’t know, ECIT is the Institute for Electronics, Communications and Information Technology and is located at Catalyst Inc., formerly the Northern Ireland Science Park. ECIT was one of the first ‘new’ buildings with staff moving in here back in 2004; I say new, as we are right beside the Titanic Pump house which is over 100 years old. Here the infamous steam liner was fitted and kitted out before setting sail on that fateful voyage, its last touch point with the port of Belfast. Just beside the Pump House is HMS Caroline, the only surviving war ship from the brutal battle of Jutland in 1916.

Don’t worry, this isn’t a tourist post for Belfast and I promise to move on now, but as a history graduate, I do appreciate the local landmarks.

Not only do we have a view of local history from our office, we also work with many beautiful minds at ECIT/CSIT, with experts drawn from all over the world. It is an absolute privilege to work with true global experts in cyber security.

So we are surrounded by history, a proud history of Belfast with a city that is transforming with technology leading the way, from cyber security, to Fin-Tech to other local tech start-ups. Thousands of jobs have been created in this part of Belfast and many more are due to come in thanks to the great work done by Invest NI, Foreign Direct Investment (FDI) and CSIT in recent years. Belfast has a reputation for world class cyber security research and it is bringing well paid jobs to the city.

I look forward to building engagement between multiple parties and taking the RISE brand with our university partners, Cambridge, Bristol, Birmingham, Manchester and Edinburgh to the wider UK ecosystem.

The title of this blog is a play on words from a famous quote from the TV show, the Wire (my favourite show of all time) uttered by Veteran Baltimore Police Detective, Lester Freamon at the start of the special undercover detail they are working on. The full quote was actually:

 We’re building something here, detective. We’re building it from scratch. All the pieces matter.

Thankfully, I don’t have to start from scratch with RISE as Lester Freamon did, the multi-institutional research centre has been running for 18 months already. But all the pieces do matter, as in the Internet of Things world, one device or system with poor or no security in-built, will cause problems for every user. Sadly, this is inevitable and we have already seen IoT Botnets that have infected gadgets from your home router, to IP cameras to smart locks.

Therefore, we will continue to build the RISE brand, establish engagement and forge connections between the academics and the creators of our new and soon-to-be-used gadgets.  

We are here to help, securing hardware and embedded systems and securing ALL the pieces that matter.

Ed

Call for Small Equipment Bids is open!

RISE Announces Call for Small Equipment Bids

The Research Institute in Secure Hardware and Embedded Systems (RISE: www.ukrise.org) is inviting proposals for research equipment to support UK academic research projects in the field of hardware security. Funding of up to £140,000 is available to support this call from the National Cyber Security Centre (NCSC).

Full information is available here