The internet of things (IoT) is expanding explosively with the International Data Corporation (IDC) predicting that the installed base of IoT units and systems will grow at 17.5 percent CAGR to reach 28.1 billion in 2020. That is everything from home security cameras and heating controllers, through industrial automation, to smart street lighting and much more.

IoT in 2020 (Source: Intel Corp.)

With all these connected devices, there is a real security issue; you might remember the internet outages in 2016 caused by a Rutgers undergraduate who unleashed the Mirai botnet[1]. His malware hijacked thousands of simple IoT devices, like CCTV cameras and baby monitors, to launch ‘denial of service’ attacks on servers round the world. The methodology was simple – the malware looked for open device ports on the internet and then tried to log in with default usernames and passwords, all too often successfully. The botnet then configured the devices to send continuous access requests to overwhelm the target servers.

There are more ways though that those looking to attack systems can try to access IoT devices by exploiting software vulnerabilities. The effects can often go unnoticed with the aim being to steal IP or valuable data.. Counterfeit components can also lead to loss of legitimate revenue or compromise the quality of the system so they should be detected and rejected.

Adding embedded software protection against IoT attackers is a solution, but software alone is vulnerable in itself to malicious interference, not least because one of the benefits of IoT is the ability for devices to have their software updated remotely, deliberately ‘opening the door’ to the possibility of unauthorized changes. A better solution is to have a hardware ‘root of trust’ - a chip that incorporates pre-provisioned secret cryptographic keys that enable secured authentication between the IoT device and other elements of the IoT system in a manner not subject to compromise of application software. The presence of a hardware root of trust enables software updates to be validated, remote access to be controlled, and low-quality counterfeit add-on parts or repair tools screened out.

The Infineon OPTIGA^TM Trust[2] is an example of a crypto security controller, which gives IoT designers a turnkey solution to securing their device while meeting international standards. The OPTIGA™ Trust is in a tiny package but packs in a lot of functionality. Along with device authentication and native support for X.509 certificates, it is a ‘trust anchor’ with a secured boot and memory integrity check. Encryption keys can be generated and exchanged for secure data exchange and updates, and it even includes a secure clock to be able to log incidents and provide supply chain tracking and a lifecycle counter. The device has an I²C communication interface and includes 10 KB user memory. Power consumption is low, and the part is available in standard and extended temperature ranges.

Connection to ‘the cloud’ is a major benefit for IoT devices for availability and scalability of data processing but it can bring its own security issues. To address this, Infineon has become an Advanced Technology Partner to the Amazon Web Services (AWS), one of the world’s leading public cloud service providers and a gold standard for IoT services [3]. With its solutions offering, Infineon enables IoT device makers to fully and securely develop and integrate their product solutions into the AWS cloud.

In the fast-moving IoT market, security features cannot be left behind so a turnkey hardware solution is the way to go.

References

[1]         https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/

[2] https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-trust/optiga-trust-x-sls-32aia/?redirId=59560

[3]        https://www.infineon.com/cms/en/about-infineon/press/market-news/2019/INFDSS201905-070.html