In this article, discover what IoT expert Brian Geisel, the founder and CEO of Geisel Software, Inc., has to say about IoT hardware and IoT security.
We sat down with IoT expert Brian Geisel, the founder and CEO of Geisel Software, Inc., to follow up our IoT hardware discussion with a look at IoT security. In this article, you’ll learn about:
→ Where IoT Security and IoT Hardware Intersect
→ Some Common IoT Security Mistakes
→ Why OTA Software Updates are so Important
→ The Best OTA Update Platforms for IoT Devices
The Big Takeaways
→ There are security measures that can be used to protect devices with compact, low-power hardware (blowing fuses on JTAG connectors, encryption-capable low-cost, low-power chips).
→ One of the biggest security mistakes in the IoT world can occur when device developers don’t take advantage of well-made, existing hardware options, and opt to build their own instead. Before you DIY your hardware, see what’s already out there and find out if it fits your needs.
→ You don’t need to overengineer security on every type of IoT device. Consider what kind of information the device will hold, what it does, and what sort of access an attacker would gain by hacking it.
→ Being able to update your IoT device fleet with over-the-air (OTA) firmware updates allows you to add and possibly sell new features to customers, as well as maintain the security of your device fleet over time.
→ When choosing an OTA update management platform, it’s important to evaluate the features provided and make sure they fit your needs.
→ If you choose to develop an OTA update platform in-house, it could take 3-6 months of initial development time to produce a beta. From there, it could take another number of months to rigorously test, patch, and prepare the product for commercial use. Consider taking advantage of existing, tried, and tested solutions like Nitrium.
Where do IoT Security and IoT Hardware Intersect?
Q: It’s easy to think of IoT security as being only a software-related concern, but what role does IoT hardware play in device security?
A: There are a few major things that have come up in the hardware world that, from that hardware standpoint, have interesting security implications. One of these issues comes up in the development process where software developers and electrical engineers who have full access to an IoT device might use unsafe development practices which cause security issues down the line. For example, it’s a common and well-accepted practice for developers to use the JTAG interface to debug a product by offloading the product’s memory. However, once the product is shipped, anyone could take the product apart, get into JTAG and access the device’s code, allowing them to do all kinds of potentially malicious things. To stop this from happening, most chips nowadays offer the ability to blow the fuses on the very, very tiny lines that connect you to JTAG in the processor. So, before the company ships the product, they should always run a voltage that’s specified by the chip manufacturer that will blow the fuses on those lines. Then there’s no hardware way to connect to the device’s JTAG connector. That’s just one example of how the hardware of an IoT device can pose a safety risk if not handled properly.
So there are physical hardware security steps that companies are taking as they build products. If you are developing a device, you should be aware of and make use of these security measures. Make sure that you’re doing things like blowing fuses to JTAG connectors or SWDs.
Something that I’ve been surprised about lately is that some of the very limited chips, some of the very small, low-cost, very low-power chips actually have the ability to do good encryption now. And some of them are adding sections of the processor or a co-processor to the SoC. They’re adding additional functionality that is specifically targeted around encryption signatures and hashing so that the device can transmit more securely.
There are also measures that companies are taking such that you can’t read the memory and easily access the data on the chip itself, making it as hard as possible to pull the data off of the chip. Now, we can encrypt the data that we’re sending back and forth, even on these very low-power processors because they’re designed with encryption in mind. So, that’s another significant hardware advancement that’s helping to solve the security puzzle.
What are Some Common IoT Security Mistakes?
Q: And what are some of the biggest mistakes that device developers are struggling with when it comes to implementing these hardware-based security solutions?
A: One of the biggest problems that we have in IoT still is companies simply not utilizing these technologies. Rather, they’ll opt to create their own solutions and, often, those solutions don’t hold up.
The tech world has done so much work to come up with good security. Security has evolved through the decades with continual improvement. So if you create some brand new thing, that’s not based on all the stuff that came before it and all the lessons we’ve learned, you’re gonna have to learn all those lessons all over again, the hard way. The same thing happens when you develop a new product. If you aren’t learning all the lessons that have been learned, when you introduce this new product, you’re likely to run into some issues. And, more than one company has been shuttered because of a huge security breach they had with their IoT device that was completely avoidable. The hardware is very much catching up with what we’re doing in modern security enough that we’re able to do a lot more of it in a lot smaller devices. We just need to take proper advantage of those solutions.
Q: I think that the key word there was taking “proper” advantage of these solutions, right? Just because you can use a security solution doesn’t mean that you always should. Can you speak to the concept of overengineering security?
A: That’s right. Another issue on the opposite side of that same coin is overengineering device security. Anyone who says you just need maximum security at all times on every device has never done security before because security is honestly all about trade-offs. You can’t spend infinite money to secure every kind of device. You have to consider the cost of a potential breach on a specific device. So you have to scale security in accordance with what the device does. If the device is holding medical information, that device better have very good security and hardware security. If the device holds no sensitive information and a breach would yield no network access, then there is no need to overspend on robust security capabilities for the device.
Why are OTA Software Updates so Important?
Q: Can you speak to the role that over-the-air software (OTA) updates play when it comes to the device’s features and security after deployment?
A: Once you’ve developed a device and it’s out there in the world, the hardware is not going to change for the most part. So it’s easy to think of security as being set in stone, but we have to remember that the security of the device changes over time and needs to be maintained. Over-the-air updates are huge in this space, for numerous reasons, as you alluded to. One of them is that they let you add new features to your device. If you’re trying to delight your customer, give them new features after they’ve bought your device. Depending on what the device is, there are cases where you could even sell those features to a customer to increase revenue or add them on as features that the customer might pay for monthly. We’re seeing a lot of this with Tesla; you buy the car, but it’s another $10,000 or whatever today’s price is for the auto drive module. All Tesla has to do is send that piece of software to your car. So, whatever it is that you are building, you have the ability to add features to them via OTA updates.
The other part of OTA is security. No matter how much time you spend on device security during development, you just can’t ever know that you’ve plugged all the holes, and once you’ve plugged all the holes, the world finds new ways to poke holes. There’s always the old user interface axiom that states that “while you build an idiot-proof interface, they’re always building a better idiot”.
Q: If you don’t update your IoT devices regularly, what kinds of attacks do your devices suddenly become vulnerable to?
A: So, without the ability to update over the air, devices suddenly are vulnerable to a thing that we call “script kiddie”. These are scripts that are written by professionals who are in the black hat or white hat community. And, eventually, these scripts get into the hands of people who don’t know how to use them, but know how to run them. So, the weapon in the case of this attack on the vulnerability has been packaged in a way that a kid could use to attack your device. That’s how easy it becomes to attack a device. All you need to do is apply that change to your device so that it’s no longer vulnerable. If you don’t have a way to get updated firmware to that device, then there’s no way for you to stop those kinds of commonplace attacks. I wanted to mention “script kiddie” because it highlights just how easy it is to attack IoT devices, and further strengthens the case for using robust, frequent OTA updates.
I think one of the great examples of this was the Meltdown and Spectre case. Meltdown and Spectre were a way to infer data in a probabilistic way so that you could essentially know what the data was. You wouldn’t need access to read secured memory, you could simply infer data to the point that you could decipher what it was, and get things like the keys to the kingdom or the root password for the device, or whatever is stored in the computer’s memory. That vulnerability had been there for over 20 years in these chips, and people were mad at Intel because they hadn’t discovered these vulnerabilities. But, no one was thinking about this kind of attack 20 years ago. Eventually, Intel was able to push updated firmware to their CPU and patch some of those vulnerabilities. That was an early use case of OTA updates, but it shows how vital OTA has been and will be to IoT device integrity going forward.
What are the Best OTA Update Platforms for IoT Devices?
Q: For those out there who are creating IoT devices, what are some ways that they can protect those devices with OTA updates? What are some of the platforms or options available for OTA updates right now?
A: Some platforms have been built by individual hardware manufacturers. So, if you use a particular hardware manufacturer’s device, then you can use their over-the-air updates. There are things like Amazon Web Services’ IoT service. Those things are a little bit more hands-off. All they do is let you register a device and give you a way to communicate back and forth with the device. That leaves it up to you to update the firmware, and roll out the firmware, and these kinds of things, as they only provide you with the communication mechanism and the registration mechanism.
We at Geisel Software built a product called Nitrium, which fits nicely in the middle of the other OTA platforms I just mentioned. Nitrium is agnostic to any device and we have an SDK available in many different programming languages and for many particular devices. The Nitrium SDK can be used to integrate your device into our backend SaaS platform, which not only registers and communicates with devices but also handles things like staged rollouts.
Q: What are staged rollouts and why are they important for OTA updates?
A: When you roll out software updates, you’ve hopefully done a lot of testing, but as we’ve talked about, you simply never know what issues might come up. It’s always possible that you send an OTA update and it bricks (disables or even damages) all of the devices. This is really bad. This is a bad day for sure. With staged rollouts, what you can do instead is roll out to 1% of those devices, and you might find that ten of them had issues. You stop, you figure out which ten they were, which batch of hardware they had, what software they were running previously, and you debug from there. Now, you can slowly continue to roll out and make sure that there are no new issues and then eventually roll out to your entire fleet of IoT devices. This is huge for mitigating risk, reducing costs, and improving the customer experience. So those are the kinds of advanced features that you really want to have in your OTA update platform. Those are the things that we’ve built into Nitrium.
Q: What are some of the update management features that Nitrium includes that some other platforms might not?
A: Take the ESP32, for example. ESP32 is a very popular module by Espressif which has its own software development platform, which is built on FreeRTOS. That platform includes OTA update capabilities. They can take a binary file downloaded from the internet and replace the current firmware with that binary file. But, should they have gotten that binary file? Is it time to get the binary file? Was it the right binary file? ESP32 only handles the device side of those issues; they don’t provide you with a cloud solution. That’s where Nitrium comes in. Nitrium addresses questions like: Is this device ready to be updated? Does it need an update? Is this the right device? Are you authenticated? Are you someone who is allowed to have this firmware? One of the things an attacker might try to do is download firmware that they’re not supposed to have access to, and then look at the code that’s running on all these devices, and they might find vulnerabilities through that. Nitrium can check to make sure that a device is one that’s actually authorized to get your firmware. All these important checks are handled by Nitrium, which then uses the ESP32 mechanism to do the update.
Nitrium builds upon the basic update function of ESP32 and makes it more comprehensive and robust with the addition of intelligent security features. The same goes for an Arduino board or a Raspberry Pi. It could be one that you custom-made because you had to create very original hardware for your device. No matter the scenario, Nitrium works just the same to ensure a seamless OTA update management experience.
Q: Can you speak to the challenges involved with developing an OTA management platform in-house? What skills and acumen are needed?
A: It can definitely be done. What we found is that for a very basic version of an OTA update platform, it takes a team approximately three to six months to build from scratch. That’s not an insignificant amount of engineering effort, but what you’ve built at that point is your own custom platform that hasn’t had rigorous field testing on devices all over the world. You’re going to have lots of bugs and security holes that might take months to even uncover, let alone patch. We are constantly running security tests on Nitrium to make sure it delivers protection from the latest security risks. So, while you can DIY an OTA update platform, using an existing solution like Nitrium will save you a lot of the work needed to make sure your DIY platform can stand up to any security challenges.
One of the other benefits that Nitrium users benefit from is the aggregated pool of features that we’ve developed. In fact, what we at Geisel Software were doing was building this type of platform again and again and again for our customers. And that’s when we realized, well, this is silly. As software engineers, we should build the thing one time and then use it again and again and again, instead of building it from scratch each time. Through the process of building these solutions so many times, we’ve identified and integrated features into Nitrium that we think are essential. If we had to build a platform like Nitrium from scratch each time, we probably wouldn’t have the budget to invest in the development of all those extra features that make Nitrium so much more secure and reliable. So, when you use Nitrium, you’re benefiting from years of experience and development time in the form of a highly comprehensive, flexible, secure, and well-featured product.