Last night I attended a Meetup on Cyber Security with an IoT context, sponsored by Kaspersky Lab. It was a great night, hosted by a woman with three well-credentialed women as the guest panelists. There was an interesting presentation on Cyber Security followed by a Q&A with the panel.
KASPERSKY LAB CYBER SECURITY MEETUP EVENT
This rhetorical question occurred to me:
Is "IoT Security" an Oxymoron?
I am reminded of what oxymoron means from the "Army Intelligence" scene in the Danny DeVito movie Renaissance Man. Tongue-in-cheek, he teaches some army personnel: "An oxymoron is when you take two words that are totally opposite and you jam them together, like Army and Intelligence", implying there is no intelligence in the army.
YouTube clip (at about 2 minutes)
The point of the oxymoron rhetoric above is that security is quite problematic with the Internet of Things (IoT). You have millions of devices out on the edge, each with security credentials enabling them to interact with highly secure services in the cloud. If one is compromised and goes rogue, then we have a problem. How can we ensure security with IoT?
An IoT Portal (IoT Hub) may service millions of devices, providing a plethora of sensors and actuators. These can be very low-level microprocessors with little or no security. It does not make much sense for these devices to have direct access to the portal. It is better that they be aggregated behind field gateways that do directly connect to the IoT cloud service from "the edge". Apart from security, there are various reasons why this is desirable. The gateway can filter, preprocess and batch the data. It can also respond directly to the data where required (e.g. alarm conditions). Field gateways can also do protocol translation to and from the protocols that the hub uses. From a security perspective, these gateways can enforce rigorous security between the edge and the cloud.
An issue that was raised last night was privacy. There is a broad range of off-the-shelf IoT devices available for home automation. An example is IoT lighting which, via a light-vendor-specific cloud service, provides remote control of lighting via a phone app. But what if there was logging of your usage in the cloud, such that an unscrupulous individual could determine when your home was most vulnerable? Heaven forbid if the IoT light had a camera in it! There was a recent case where an IoT sex toy was logging users' use of it.
Typically an IoT device is configured on the device and at the IoT portal (IoT Hub) for connectivity. On the device end it involves credentials and portal details. These may be stored in software on the device as a device-portal-specific encrypted connection string; heaven forbid if it was ever not encrypted! A more secure option is for the connectivity to be stored in hardware. Windows 10 IoT Core supports TPM, which some microprocessors support in firmware or which can be added to a device's circuitry as a discrete chip. For development purposes there is a software simulation of TPM for the Raspberry Pi with IoT Core, whereas the Qualcomm DragonBoard 410c has TPM built in, as does the Intel MinnowBoard MAX.
"Windows 10 IoT Core devices connected to Azure can be secured with the Trusted Platform Module, which makes them impervious to cloning and impersonation. This is essential for devices that need to be secure and trusted. Unlike in the traditional approach in which the device credentials are stored directly on the device (in the application code or a configuration file), devices equipped with TPM store device credentials in a dedicated hardware device. Once stored, the credentials cannot be read or duplicated."
Ref: Device Provisioning with TPM
"A Trusted Platform Module (TPM), is a cryptographic coprocessor including capabilities for random number generation, secure generation of cryptographic keys and limitation of their use. It also includes capabilities such as remote attestation and sealed storage."
Ref: TPM on Windows 10 IoT Core
Code for a TPM-enabled device is quite simple. The host name, device ID and SAS token all come from the TPM, so the application code never holds the key:

using Microsoft.Azure.Devices.Client;
using Microsoft.Devices.Tpm;

TpmDevice myDevice = new TpmDevice(0); // Use logical device 0 on the TPM
string hubUri = myDevice.GetHostName();
string deviceId = myDevice.GetDeviceId();
string sasToken = myDevice.GetSASToken(); // token signed with the key held by the TPM

var deviceClient = DeviceClient.Create(
    hubUri,
    AuthenticationMethodFactory.CreateAuthenticationWithToken(deviceId, sasToken),
    TransportType.Amqp);

For comparison, without TPM the credentials live in a connection string in software, including the shared access key itself:

using Microsoft.Azure.Devices.Client;

// Not using TPM: the SharedAccessKey is readable by anything that can read this string
string deviceConnectionString = "HostName=HostName.usr.azure-devices.net;DeviceId=MyDevice;SharedAccessKey=XXXXXX";
var deviceClient = DeviceClient.CreateFromConnectionString(deviceConnectionString, TransportType.Amqp);
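To make concrete what the two code paths above differ on, here is an added example (mine, not from the post or from the Windows IoT Core samples) that parses a connection string of the form shown above and mints a device SAS token in the format IoT Hub accepts: an HMAC-SHA256 over the URL-encoded resource URI and the expiry time, keyed with the base64-decoded SharedAccessKey. It is written in Python because the token format is the same whatever language produces it. The hub name, device ID and key are constructed sample values. With the TpmDevice path, GetSASToken() returns a token of this same kind, but the signing happens against a key the TPM holds, so the key is never sitting in process memory or on disk the way it is in the connection string. The verification function mirrors the hub side: recompute the signature with its own copy of the key, compare in constant time, and reject expired tokens. The practical consequence for a defender is visible in the checks: a leaked token is only useful until its se value passes, whereas a leaked SharedAccessKey lets anyone mint fresh tokens for that device until the key is rotated.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed sample, not a real hub or key: same shape as the connection string
# in the post, with a made-up SharedAccessKey (Azure keys are base64; any valid
# base64 works for the arithmetic here).
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-sample-key-32-bytes!").decode("ascii")
SAMPLE_CONNECTION_STRING = (
    "HostName=HostName.usr.azure-devices.net;DeviceId=MyDevice;SharedAccessKey=" + SAMPLE_KEY_B64
)


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict.  Base64 values can end in '=',
    so each segment is split on its first '=' only."""
    parts = {}
    for segment in cs.split(";"):
        if segment:
            key, _, value = segment.partition("=")
            parts[key] = value
    missing = [k for k in ("HostName", "DeviceId", "SharedAccessKey") if k not in parts]
    if missing:
        raise ValueError("connection string missing " + ", ".join(missing))
    return parts


def device_resource_uri(host_name: str, device_id: str) -> str:
    # The resource a device token is scoped to: the device's own identity on the hub.
    return f"{host_name}/devices/{device_id}"


def sign_sas(resource_uri: str, key_b64: str, expiry: int) -> str:
    """HMAC-SHA256 over '<url-encoded resource URI>\\n<expiry>' keyed with the
    decoded SharedAccessKey.  In the software (connection string) path this runs
    on the device with the key in memory; the TPM path keeps the key in the module."""
    string_to_sign = f"{quote_plus(resource_uri)}\n{expiry}".encode("utf-8")
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def generate_sas_token(cs: str, expiry: int) -> str:
    """Mint a device SAS token from a connection string (the software path).
    expiry is a Unix timestamp (seconds)."""
    parts = parse_connection_string(cs)
    uri = device_resource_uri(parts["HostName"], parts["DeviceId"])
    sig = sign_sas(uri, parts["SharedAccessKey"], expiry)
    # urlencode percent-encodes '/' in sr and '+', '/', '=' in sig, as the hub expects.
    return "SharedAccessSignature " + urlencode({"sr": uri, "sig": sig, "se": str(expiry)})


def parse_sas_token(token: str) -> dict:
    """Inverse of generate_sas_token: split the token into its sr/sig/se fields."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    fields = parse_qs(token[len(prefix):], strict_parsing=True)
    return {k: v[0] for k, v in fields.items()}


def verify_sas_token(token: str, key_b64: str, now: int) -> bool:
    """What the hub side does: recompute the signature with its copy of the device
    key, compare in constant time, and reject anything past its expiry.
    Any malformed input is simply rejected rather than raising."""
    try:
        f = parse_sas_token(token)
        expiry = int(f["se"])
        expected = sign_sas(f["sr"], key_b64, expiry)
        matches = hmac.compare_digest(expected, f["sig"])
    except (KeyError, ValueError, TypeError):
        return False
    return matches and now < expiry


if __name__ == "__main__":
    token = generate_sas_token(SAMPLE_CONNECTION_STRING, expiry=1_700_000_000)
    print(token)
    print("valid before expiry:", verify_sas_token(token, SAMPLE_KEY_B64, now=1_699_999_000))
    print("valid after expiry: ", verify_sas_token(token, SAMPLE_KEY_B64, now=1_700_000_001))
```

Two things worth noticing when running it: the token is bound to the device identity through sr, so editing the device ID in a captured token invalidates the signature; and the only long-lived secret in the whole exchange is the SharedAccessKey, which is exactly the value the TPM path removes from software.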