Lead Image © Maksim Kabakou, 123RF.com

Build secure IoT applications with open source

Locked Down

Article from ADMIN 30/2015
By
We look at some common-sense tips and open source tools for securing IoT devices.

The Internet of Things (IoT) is a game-changer for healthcare, connected homes and cities, ground transportation, and many other domains. From a technical point of view, IoT is very challenging, given such elements as hardware design and certification, embedded software on resource-limited targets, Internet-scale management servers, and ground-breaking user interfaces. In this article, I will look at one of the most challenging and sensitive areas: IoT security. I will explore different topics – from hardware to cloud servers – and discuss applicable open source projects.

Hardware security is very difficult to master. Why? Because when you deal with hardware security, you need to deal with physics. The real world has much more stringent rules than the digital world.

A common reaction is: Why should I care? Physically accessing one device should not compromise the whole system, right? True. But, it is a big deal. In a nutshell, anyone can buy or physically access the device, inject a firmware back door, and resell the product. A back door in an IoT device makes a nice gateway for sending spam or spying on houses. Hopefully, hardware security features like secure boot, secure debug, and secure flash storage are more common.

To leverage secure boot, for example, you can use the U-Boot [1] "verified boot" feature. It verifies the Linux kernel being booted, or the boot image if you are not using Linux. Your kernel will need to be hashed and signed with an RSA public/private key pair, and the device should securely store the public RSA key used to verify the signature. These features can be chained: your device can contain a Trusted Platform Module (TPM) in charge of verifying the U-Boot binary before booting it. Then, U-Boot will be in charge of verifying the booted Linux OS, and the Linux OS will be in charge of verifying the installed application packages.
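
The hash, sign, and verify steps behind such a chain can be modeled with `openssl`. This is an added example, not code from the article or from U-Boot; the file names, the stage contents, and the single key pair shared by all stages are assumptions made for illustration.

```shell
#!/bin/sh
# Model of a verified-boot chain: each stage is hashed (SHA-256) and signed
# with the RSA private key on the build host; the device holds only the
# public key and refuses to hand over control when verification fails.
# File names and stage contents are constructed for this example, and one
# key pair covers every stage (a real chain can use one key per stage).

WORK=$(mktemp -d)

make_keys() {     # build host: private key stays here, public key ships on the device
    openssl genrsa -out "$WORK/dev.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/dev.key" -pubout -out "$WORK/dev.pub" 2>/dev/null
}

sign_stage() {    # build host: hash the image and sign the digest
    openssl dgst -sha256 -sign "$WORK/dev.key" -out "$1.sig" "$1"
}

verify_stage() {  # device: check the image against its signature with the public key
    openssl dgst -sha256 -verify "$WORK/dev.pub" -signature "$1.sig" "$1" >/dev/null 2>&1
}

build_images() {  # constructed stand-ins for the real binaries, signed at build time
    for stage in u-boot.bin kernel.img app.pkg; do
        printf 'constructed %s contents\n' "$stage" > "$WORK/$stage"
        sign_stage "$WORK/$stage"
    done
}

boot_chain() {    # verify stages in boot order; stop at the first failure
    for stage in "$@"; do
        if ! verify_stage "$WORK/$stage"; then
            echo "halt:$stage"
            return 1
        fi
    done
    echo "booted"
}

make_keys
build_images
boot_chain u-boot.bin kernel.img app.pkg            # untampered chain boots
printf 'tampered' >> "$WORK/kernel.img"             # image modified after signing
boot_chain u-boot.bin kernel.img app.pkg || true    # chain halts at the kernel
```

The chain is only as strong as the storage of `dev.pub` on the device: if that key can be replaced, every later check can be satisfied with an attacker's signature.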

If your hardware is booting only

...