OTA software updates – an essential part of IoT device securityAdvice
The Device Chronicle interviews Vladimir Nagin, CEO, Trustels, and an expert in embedded device security and security eSims.
Vladimir has extensive experience of embedded systems, working more than 20 years in the industry. His primary focus was small devices – microcontrollers and smart cards, and then pivoted to security for edge devices, typically devices that connected to wireless and cellular networks. His company Trustels develops secure elements and secure software environments that help to protect the device against different attacks. Vladimir’s company Trustels develops an open security element which integrates root of trust and embedded sim functionality, devices that use wireless networks can use this secure element, and different profiles can be set up to authenticate on the network. The company also offers an open SDK to help developers build blockchain cryptographic applications. A mechanism to provide OTA software updates is in Vladimir’s estimation a very important part of the security toolset.
The problem with consumer devices
Vladimir observes that IoT devices operated by consumers and smaller businesses are especially vulnerable to attacks: He says “Currently the challenge is that these devices have a large installed device base so the attacker has a large footprint. Routers, trackers, tracers have produced in quantities of millions; They are large deployments and are quite easy for attackers to access. Consumer devices have insufficient security and security configuration – default passwords are hardly ever changed so they are easy to break and get access to.”
Cost sensitivity drops guard against security threats
Furthermore, many vendors of consumer IoT devices are often cost sensitive due to razor thin margins, and are reluctant to add trust execution environments such as hardware elements, or necessary processes to do bug fixing, roll out automatic software updates. Some updates may be released but the users would have to do it themselves manually. Some of these vendors ignore the challenges and this is a culture that Vladimir believes has to, and will change. In other cases, Vladimir observes that the software update to the device requires user consent so if a user gets a notice that they must perform a firmware update, they will not take action due to apathy. Furthermore, many IoT devices are unattended by design and many of these do not have OTA updates and centralized management. It is a big challenge but it is changing due to legislation and security certification processes through ICICIP.
Consumers often unaware of vulnerabilities
Many customers were also completely unaware of security vulnerabilities, but enterprises have been investing into this, and so smaller companies and consumers are becoming more aware of the need to make devices secure. End customers can decide what grade of security they want on their devices, some grades can only be achieved through a physical secure element such as a tamper resistant element, a root of trust to protect processes such as OTA. The update deployment feature is very important for all these grades, the best approach is a combination of different technologies, there is no single solution.
Security by design is mandatory
Devices must be secure by design, the designer must emulate the threats and implement counter measures to make them resistant. The devices must be hardened and resistant to physical access. The standards scheme has guidelines on security by design and it is developed by ICICIP. It is called the Security Operation Standard for IoT Platforms and is universally accepted. Many semiconductor companies and hardware manufacturers are supporting this with best practices and guides.
OTA updates is an essential tool for device security
Vladimir believes that OTA software updates is the core component of all countermeasures: “Without OTA you are not able to change the unattended devices in the field over the 5-10 year life cycle. If a problem or vulnerability is identified, an OTA update is the only practical, cost effective way to resolve these devices. OTA ensures the lifecycle of the device, makes it maintainable and therefore it has to be part of the security by design process.” Regardless of different measures the designer implements, the OTA is mandatory for device lifecycle management from commissioning to being phased out and replaced.
The next question is how can OTA be made secure? Vladimir advises that “A secure element can be bootstrapped to the OTA update to manage the keys and certificates such as SSL, these are issued for 1 to 2 years and should be updated securely. Vulnerabilities in applications should also be considered. “These applications from 3rd parties can be insecure and quite independent from the device security. If a device manufacturer wants to achieve the highest security grade, they need a tamper resistant approach such as TPM or smart card.”
Increasing system complexity will lead to greater security risks
Devices use public networks to connect, and have different applications running. Everyone can theoretically access these devices through the network, the transport between the device and the cloud is also public, such as the cellular network. SSL is so important to use, but there are always vulnerabilities in the stacks. Exploits and vulnerabilities can be used by the hacker, data can be manipulated, traced or intercepted from it if it is sent from a device. Attacks to spoof the network, and on critical infrastructure such as power plants are increasing. Power substations were taken off the network by these attacks. Devices are proliferating, autonomous and M2M will only increase the attack vectors available. There are hundreds of independent systems in an autonomous vehicle so a lot can happen, all supplied by different manufacturers. The systems are becoming more sophisticated, more integrated from different vendors so the risks will only grow.
We wish Vladimir and his colleagues at Trustels well as they work to secure wirelessly-connected devices and help developers build secure applications.