CODE:https://cdn.rawgit.com/samliew/4f6aec0c65e4dbe5c7fd782ea0953a3b/raw/0d928b52b69aef81b1bf5da50cbfb26ba3b4e71e/countries.js

Free email course on building IoT with Cloud IoT CoreCloud IoT Core
Free email course on  
Connectivity in IoT
Thanks for signing up! You'll get the first email soon.
Oops! Something went wrong while submitting the form.
< Back to Blog

MIT Technology Review named “Botnets of Things” as one of the top 10 breakthrough technologies in 2017. From internet-connected kiosks to medical devices, IoT security problems have been stealing the headlines since the infamous Mirai attack last year.

We previously covered Google’s Infrastructure Security Design and CryptoNets as software approaches to security. This week, we dive into the “Seven Properties of Highly Secure Devices” by Microsoft Research NExT Operating Systems Technologies Group to see how we can bring security to the microcontroller level to complete the IoT stack.

Fixing IoT Security Problems

The goal of the research was to identify and implement security protocols for the billions of smart devices powered by microcontrollers. Despite the complete lack of security properties in current devices, the researchers remain bullish that IoT security problems can be addressed at the hardware level regardless of the price. Mainly, the purpose of this paper is two-fold: 1) establishing 7 properties required to achieve high security, 2) demonstrating the feasibility with a prototype.

7 Properties of Highly Secure Devices

According to the Microsoft research group, the minimum requirements to secure connected devices are the following:

  • Hardware-based Root of Trust: physical countermeasures built-in to resist side-channel attacks (e.g. pulse testing the reset pin to prevent glitching attacks).
  • Small Trusted Computing Base: private keys stored in secure vault, separated from the software.
  • Defense in Depth: multiple layers & checkpoints for defense.
  • Compartmentalization: hardware-enforced barriers to prevent failure in one area to affect others.
  • Certificate-based Authentication: signed certificates, not passwords, used to establish identities.
  • Renewable Security: periodic updates to the software to keep security state up to date.
  • Failure Reporting: compiling reported failures to build up a better response routine.

To our astute reader, many of these principles seem obvious. However, the real contribution by the Microsoft team lies in demonstrating the feasibility of implementing all seven principles in low-cost microcontrollers. 

Sopris: Modified MT7687

The team at Microsoft took a low-power smart home chipset MT7687 from MediaTek Labs to build in multiple levels of security. Figure 1 below shows the architecture of the MT7687 device. While it already contains cryptographic engines to provide some level of security, it fails to provide sufficient security due to its lack of compartmentalization and defense in depth.

Architecture of the MT7687 wifi-enabled microcontroller
Image Credit: Microsoft

Compare the previous design with the modified design shown below. The new design has multiple levels of isolation and process-isolated compartments inside what Microsoft named the Pluton Security Subsystem.

Architecture of the experimental sopris highly secure wifi-enabled microcontroller, Microsoft's solution to IoT security problems
Image Credit: Microsoft

While the paper doesn’t report the added cost to implement Pluton, the researchers state that the next phase will detail packaging Pluton into a simple device board for mass production. Although demonstrating feasibility on a single existing board doesn’t prove that security solved, Microsoft is leading the discussion to push security design considerations to the hardware level.

Have Questions? Talk to an Expert

Yitaek Hwang

From traveling the world solving vision issues in underserved regions through ViFlex to building software to diagnose autism using machine learning, I realized that I like building things. So currently I’m on a path to build an Internet of Things (IoT) platform at Leverege as a Venture for America Fellow.

SHARE

Liked this post? You're gonna love these!

Trilateration Versus Triangulation for Indoor Positioning
November 28, 2018
Association of IoT Devices: Challenges and How to Overcome Them
November 28, 2018
Leveraging Computer Vision for Asset Tracking Solutions
November 28, 2018

Talk with Leverege

What type of use case are you building for? Whichever it is we are looking forward to learning more about your needs.

Have Questions?

Our team of experts is here to help!

Thanks for your submission! Our team is looking forward to connecting with you and will be in touch very soon!
Oops! Something went wrong while submitting the form.