Secure your IoT design with Shield96

Security in Smart City IoT devices is essential, and the previous inaction of engineers has globally resulted in governments establishing legislation to regulate it. Learn how Shield96 provides a holistic foundation of security features and services to streamline the design and development process for the secure IoT products being built today.

In the past decade, the IoT industry has experienced an exponential rate of growth unlike anything seen before in any other industry. In 2018, there were an estimated 7 billion IoT devices in use, while the total number in 2020 is estimated to be 31 billion. Assuming these figures are correct, it can be said that 127 devices are connected to the internet every second.

The reasons for this rapid growth include the introduction of AI systems that are reliant on data, the need for smart devices that can perform complex tasks remotely, and improvements in networking technology. Since networking technologies require a minimum level of processing power (such as handling IP stacks), internet technology used to be limited to desktop computers, but now that even the most basic SoC integrates a dedicated network controller and an 80-MHz processor, internet capabilities can be integrated into almost any project.

One area that has seen greater use of IoT solutions is smart cities. From smart lighting on the streets to new ways to improve traffic flow, there are now many more IoT end points, or “smart spaces” if you will, throughout the general public.

As exciting as all of this is, with the increased number of Smart City IoT devices comes greater concern around security. What’s more, improvements in technology also mean that even the simplest IoT devices are now capable of recording complex data. In the beginning, this was limited to sensor readings such as temperature and humidity. Now, this data can include camera capture and audio, both of which are highly sensitive in nature. Therefore, it is essential that modern IoT devices protect this data from its initial capture on through its eventual transmission.

Security in Smart City IoT

Security in the first IoT devices used to be a bit more lax, with only the most basic practices followed. Many devices would use unsecure transmission methods, implement default passwords such as “password,” and use virtually no security hardware.

The reason for this (lack of) approach came from two assumptions: that the data the device was collecting was inherently benign, and that the device on its own could perform only basic networking functions (thus not being a threat on its own). However, both assumptions have since proven completely wrong.

As mentioned earlier, the increasingly complex nature of technology in general means that IoT devices are now capable of recording nearly as much data as a smartphone, including audio and visual information. Unfortunately, this also means that it can easily be used in illicit activities ranging from data theft to blackmail. The second assumption – that a single IoT device is harmless – holds true if there is only one IoT device on the planet. When the number of devices reaches the tens of billions, an attacker suddenly has access to potentially millions of devices that can be utilized to perform DDoS attacks.

The importance of Smart City IoT security has already been proven many times to date, with attacks continuing to this day. One classic breach example is when hackers gained entry to a casino’s internal server holding sensitive high-roller information. Their method of attack involved the use of the casino’s fish tank IoT temperature sensor, which was unsecure. The temperature sensor was hijacked and its connection was used to gain access to the casino’s greater internal network.

With so many companies flooding the market with unsecure IoT devices, governments around the world are now beginning to introduce laws and guidelines to prevent the sale of unsecure devices. For example, California has recently brought into law that IoT devices must follow a basic set of rules, such as no default passwords. The U.K. government has also brought about guidelines that are expected to soon become law, assuming the industry does not react responsibly to the security threat posed by unsecure IoT devices.

GDPR in IoT

The General Data Protection Regulation (GDPR) was introduced by the EU in 2018 in an effort to hold those that gather data responsible for its safe storage and to also prevent the misuse of that data. Most are familiar with GDPR whenever visiting a site that asks permission to use cookies, but did you know that IoT devices are also subject to GDPR? While IoT devices are owned by the customer, their data-gathering mechanism needs to be protected to ensure that their private information is not accessible by unauthorized individuals.

GDPR also affects IoT devices with regard to the right to be forgotten; any individual has the right to have all digital information about them erased. Therefore, an IoT device that records information from its customer may not only require the customer’s consent (i.e., an “I agree…” form) but also the option to either erase the stored data or make the data inaccessible. Thus, IoT designers must now consider the device’s product life cycle from the first boot of the device to its eventual recycling; during this span, the technology must ensure that the personal data stored therein is permanently inaccessible to all unauthorized individuals.

How IoT devices can better protect data

When creating a Smart City IoT device with good security in mind, there are a number of best practices that can be followed:

No common passwords | While there is nothing wrong with a default password, the value of the password needs to be either randomly generated or unique to each device. Using default passwords such as “admin” and “password” is a common entry point for attackers, as IoT owners will often not change these for either ease of access or due to lack of understanding of the risk they’re putting themselves in. Even if a device has a unique password, it should be random and not related to the hardware in use.

Encrypt all messages | When transmitting any external information to an IoT device, all traffic must use encryption. Custom encryption algorithms must never be used, as methods established in the industry are constantly being analyzed by experts all around the world. It is unlikely that an individual can create a better algorithm than those already established.

Hardware root of trust | A hardware root of trust system is one whereby the underlying hardware responsible for keys and cryptographic functions can be trusted entirely. Such a design must be secure in hardware and provides the foundation for a secure boot.

Security hardware | Security hardware is circuitry that is designed to provide protection against attacks — both software and hardware. Such circuitry will include cryptographic accelerators, execution code analysis, and tamper detection. Security hardware may also include features that cause system resets when a physical attack is detected and even run subroutines to wipe data in memory.

Encrypted memory | While memory encryption for non-volatile storage has been implemented for years, newer systems are starting to integrate RAM encryption to prevent processes from peeking into the memory contents of other processes.

True random-number generation | For random numbers to provide a strong security bedrock, they need to be truly random. Those that are based on time are easily attacked, while those that are based on noise are better (however, do note that the root mean value of noise still poses somewhat of a risk). Modern security hardware systems generally implement true random-number generators for this purpose.
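The "No common passwords" and "True random-number generation" items above, as an added example that is not code from Arrow, Microchip or Sequitur Labs: a factory provisioning sketch that contrasts a time-seeded password with one drawn from the operating system's CSPRNG, and audits a password against the two rules in the text. The function names, the 6-character match window, the PBKDF2 parameters and the sample identifiers are assumptions made for illustration.

```python
import hashlib
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
COMMON_DEFAULTS = {"admin", "password"}  # the defaults named in the text


def time_seeded_password(boot_time: int, length: int = 16) -> str:
    """Anti-pattern: a time-seeded PRNG gives the same output for the same second."""
    rng = random.Random(boot_time)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_password(length: int = 16) -> str:
    """Per-device password from the OS CSPRNG, independent of time and hardware IDs."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_password(password: str, hardware_ids: list[str]) -> list[str]:
    """Return the reasons a factory password breaks the rules above (empty = OK)."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_DEFAULTS:
        problems.append("common default")
    for ident in hardware_ids:
        compact = "".join(c for c in ident.lower() if c.isalnum())
        # Flag any 6-character run of a MAC or serial number inside the password.
        if any(compact[i:i + 6] in lowered for i in range(len(compact) - 5)):
            problems.append(f"derived from hardware ID {ident}")
    return problems


def provision(hardware_ids: list[str]) -> dict:
    """Create one device's password; keep only a salted hash for the firmware image."""
    password = csprng_password()
    if audit_password(password, hardware_ids):  # astronomically unlikely; retry
        return provision(hardware_ids)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"label_password": password, "salt": salt.hex(), "hash": digest.hex()}


# Constructed sample identifiers, not real devices.
SAMPLE_IDS = ["00:11:22:AA:BB:CC", "SN-4F9K2201"]
```

The cleartext password goes only on the device label; the firmware image carries the salt and hash.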

Get an all-in-one solution with Shield96

The Shield96 Standard Development Board, based on Microchip silicon and designed/manufactured by Arrow Electronics, has been specially created to meet all of these security criteria, providing engineers with a comprehensive, secure platform built from the ground up. At the heart of the Shield96 is the ATSAMA5D2 microprocessor, which integrates a Cortex-A5 core running up to 500 MHz, 1-Gbit DDR, and 1-Gbit flash. Multiple I/O connectors are available on the Shield96, including a bootloader USB port, a serial console port, a USB 2.0 connector, a microSD card slot, and a mezzanine connector. Internet connectivity is realized by way of the on-board 100-Mbit Ethernet connector and an ATWILC1000 Wi-Fi module.

The security features on the Shield96 board are what make it stand out from other development platforms. The first is the use of the ATSAMA5D2, which is a microprocessor focused on strong security practices. This includes Arm TrustZone, secure boot, on-the-fly encrypted code execution, integrity-check monitor of memory content, hardware encryption engine, and tamper pins. The Shield96 board also works with Sequitur Labs EMSpark™ Security Suite, which provides designers with a software solution that helps to create secure and trustworthy devices. Some of the features that EMSpark enables for the end device include unique IDs, encrypted boot chains, key and certificate management, and firmware authentication. The design of the Shield96 follows the NIST principles and methodology for platform firmware resiliency: detect, protect, recovery, and notification.

Why should you use Shield96?

In a world where security is paramount and technology is becoming more complex, creating systems from scratch is quickly becoming a monumental task. To this end, there are a number of reasons as to why it is better to use a design like the Shield96 as opposed to a custom developed solution, and why writing encryption algorithms is strongly discouraged. The chances that an individual can create a stronger security algorithm than those that already exist — and are designed by those who devote their lives to the development of them — are very small. Those same algorithms are also tried and tested on a daily basis by both security researchers and hackers alike.

When designing a Smart City IoT device from the ground up, which is necessary when implementing strong security practices, there is risk of overlooked areas such as exposed pads, memory contents, and component layout. A device could incorporate a secure microprocessor, but unless the correct types of external memory are utilized or tamper pins are correctly used, there is a chance that the device will contain vulnerabilities. Thus, it makes more sense to use a board that has been rigorously tested for security.

The next advantage to using the Shield96 board in trusted environments is that by eliminating the hardware development stage, engineers are afforded more time to focus on the application side of the product. This results in significant cost savings in prototyping, with engineers getting straight into the product design from day one. And with a pre-made security platform, the hardware already complies with existing guidelines and regulations surrounding IoT devices. This helps reduce the legal work needed and thus decreases overall time to market.

How can Shield96 help the Smart City IoT world?

The development of a secure platform enables the widespread implementation of IoT devices by providing minimal security exposure. One example of how IoT devices can greatly help societies is through the use of smart city technologies. Such technologies can help enable intelligently controlled streetlights that dynamically control their light output, depending on traffic and pedestrians, and therefore save electricity. Traffic systems could be made to react to traffic in real time, and the use of large networks could help better coordinate traffic systems to minimize build-up in critical locations such as merging lanes, junction roads, and more. Smart cities could also redirect resources, such as public transport, in real time to locations that need them the most.

All of this is only possible with the use of an underlying secure platform that prevents an attacker from being able to expose vulnerable points of entry. In a scenario in which a Shield96 board is used in an attack, the use of unique IDs and other secure boot methods means that attacking a second Shield96 board could be as difficult as attacking the first, thereby preventing all devices from being vulnerable at once.

Conclusion

Security in Smart City IoT devices is essential, and the inaction of engineers has globally resulted in governments establishing legislation to regulate it. Creating a secure platform is a monumental task, and those who are not fully experienced may leave their devices open to attacks via poor implementation. This is of particular concern with the roll-out of smart city solutions happening so quickly. Should a point of entry prove vulnerable, and an attacker take advantage of this, the security breach could be catastrophic.

Shield96 provides a holistic foundation of security features and services and streamlines the design/development process for the secure IoT products being built by today’s design engineers. A comprehensive, secure platform, Shield96 has been tested and proven capable of minimizing exposure, reducing risk, and ultimately better protecting the data recorded and transmitted across a range of industries for a variety of applications, from the single IoT device to modern smart city solutions. Learn more about Shield96.

