How to build secure IoT device

Industry largely underestimates the critical need for the highest levels of security in every network connected device. Even the most mundane device can become dangerous when compromised over the Internet: a toy can spy or deceive [1], an appliance can launch a denial of service [2] or self-destruct, a piece of equipment can maim or destroy [3]. With risks to life, limb, brand, and property so high, singleline-of-defense and second-best solutions are not enough.

Building secure devices is challenging. From observation of existing best-in-class devices, we argue it is more of a science than an art. If one adheres rigorously to well-understood principles and practices, building secure devices is repeatable

According to Microsoft, seven properties must be shared by all highly secure, network-connected devices: a hardware-based root of trust, a small trusted computing base, defense in depth, compartmentalization, certificate-based authentication, security renewal, and failure reporting. Summarized in the table below.

Property

Examples and Questions to Prove the Property

Hardware-based Root  of Trust Unforgeable cryptographic keys generated and protected by hardware. Physical countermeasures resist side-channel attacks
Does the device have a unique, unforgeable identity that is inseparable from the hardware?
Small Trusted Computing Base Private keys stored in a hardware-protected vault, inaccessible to software. Division of software into self-protecting layers.
Is most of the device’s software outside the device’s trusted computing base?
Defense in Depth Multiple mitigations applied against each threat. Countermeasures mitigate the consequences of a successful attack on any one vector
Is the device still protected if the security of one layer of device software is breached?
Compartmentalization Hardware-enforced barriers between software components prevent a breach in one from propagating to others.
Does a failure in one component of the device require a reboot of the entire device to return to operation?
Certificate-based Authentication Signed certificate, proven by unforgeable cryptographic key, proves the device identity and authenticity.
Does the device use certificates instead of passwords for authentication?
Renewable Security Renewal brings the device forward to a secure state and revokes compromised assets for known vulnerabilities or security breaches
Is the device’s software updated automatically?
Failure Reporting A software failure, such as a buffer overrun induced by an attacker probing security, is reported to cloud-based failure analysis system
Does the device report failures to its manufacturer?

This page is just an abstract, so in case you want to read more, here you can find the whole article on 7 properties of highly secured devices.

References:

[1] C. Wiking, “If Your Child Has This Doll You Should Get Rid of It Now,” 17 Feb. 2017. [Online].
Available: https://mom.me/news/39826-if-your-child-has-doll-you-might-want-destroy-it/. [Accessed 17 Feb. 2017].

[2] N. Perlroth, “Hackers Used New Weapons to Disrupt Major Websites Across U.S.,” New York Times, 21 Oct. 2016.

[3] E. Mills, “Internet-Connected Coffee Maker Has Security Holes,” CNET, 17 Jun. 2008.