Sure, it’s convenient to control the lighting, temperature, security system, and even appliances in your home from your smartphone. But how safe are these internet of things (IoT) devices from the prying reach of hackers?
The news lately has certainly been alarming. The massive internet outage in late October—which brought down the likes of Netflix, Spotify, and Amazon—was apparently sparked by hacked CCTV video cameras and DVRs using a botnet based on the Mirai malware strain. This spring, researchers at the University of Michigan and Microsoft published what they called the first in-depth security analysis of a smart home platform, in this case the Samsung SmartThings platform. In their study, the researchers, exploiting framework design flaws, developed four proof-of-concept attacks that:
- Secretly planted door lock codes
- Stole existing door lock codes
- Disabled vacation mode
- Induced a fake fire alarm
How to Safeguard IoT Devices
There have also been plenty of news stories about the hacking of baby monitors, thermostats, and even smart toilets. Of course, many companies in the IoT business are building robust levels of security into their products. In some cases, some of the products can really only be hacked in a lab setting and often by experts. And in other cases, consumers must be diligent about changing default user credentials and passwords. (A couple of years ago, a website indexed more than 73,000 locations worldwide with unsecured security cameras. These cameras were basically unsecured because they were still using default usernames and passwords!) However, security experts have noted that when it comes to lower end smart home products, all bets are off as they tend to come with more vulnerabilities.
So how can designers build more impenetrable security into their smart, connected products? Integrating security into a design early on, with consideration to how security is implemented, is critical. And for the security to be effective, it has to be implemented at multiple levels throughout the design, from sensor to the cloud.
Encrypting the embedded system is a start, but still prone to vulnerabilities, particularly if someone steals the encryption key. A better way to implement encryption is via a secure microcontroller, which provides on-chip storage of the encryption keys and, therefore, does not have to rely on transmission of the key from an external memory source.
Secure authentication is one way to guard against malicious attacks. Authentication provides a process to verify identity, allowing or denying access based on the authentication results. The strongest authentication schemes tap into cryptographic algorism like SHA-1, SHA-256, and ECDSA, along with secret keys.
Protecting sensors is essential, as these sensors are the conduit for all of the data being gathered by smart devices. Technology that provides an authenticated data chain from a protected sensor node to a web server can help here.
Building Advanced Protection Into Your System
Maxim provides solutions that address each of the areas I’ve outlined. The company’s DeepCover Secure Microcontrollers bring together advanced cryptography and physical security to provide the highest level of protection against physical tampering and reverse engineering. DeepCover Secure Authenticators use advanced physical security for low-cost IP protection, clone prevention, and peripheral authentication. And DeepCover Security Managers integrate physical security with on-chip, nonimprinting memory to protect sensitive data from even the slightest physical or environmental tampering. Another solution is MAXREFDES143#, an IoT embedded security reference design that protects an industrial sensing node through authentication and notification between the sensor and the web server. It essentially provides financial-strength cryptography. Read Scott Jones’s recent blog post for more details about how MAXREFDES143# can make it easier for you to build safer IoT products.