(Source: elenabsl/Shutterstock.com)
As the cost of embedded networked devices falls—consider the Raspberry Pi as one example—they become ubiquitous. But, a hidden cost in this proliferation is that these devices can lack security and therefore be exploited. Without the investment in security, devices can leak private information—such as video, images, or audio—or become part of a botnet that wreaks havoc around the world.
Edge computing is a paradigm of shifting centralized compute resources closer to the source of data. This produces a number of benefits including:
As shown in Figure 1, the cloud infrastructure manages the devices at the edge. The Internet of Things (IoT) devices connect to the cloud through an edge device such as an edge gateway to minimize global communication.
Figure 1: The Edge Computing Architecture diagram shows the cloud infrastructure’s relationship to the connected devices at the edge. (Source: Author)
Statista, a German-based statistics database company, estimated that there were 23 billion connected IoT devices worldwide in 2018, and experts expect that number to grow to 75 billion by 2025. The Mirai malware, which targeted IoT devices and disrupted internet access for millions of people in 2016, illustrated the need for better security in these devices. In fact, when an attacker finds an exploit for a particular device, the attacker can then apply the exploit en masse to other identical devices.
As more and more devices proliferate to the edge, so do the risks for these devices. Connected devices are a common target for attackers who could be exploiting for attention or, more commonly, to expand botnets. Let’s explore the ways to secure edge computing devices.
To look at a device and understand how it can be exploited, we look at what’s called the attack surface. The attack surface for a device represents all of the points where an attacker can attempt to exploit or extract data from a device. This attack surface could include:
The attack surface defines the device’s exposure to the world and becomes the focus of defense for security. Securing a device is then a process of understanding the possible attack vectors for a device and protecting them to reduce the surface.
Common attack vectors typically include:
From Figure 2, we can see some of the attack vectors from the interfaces—network or local—various surfaces around firmware running on the device and even the physical package itself. Let’s now explore some of these vectors and how to secure them.
Figure 2: The image shows the potential attack vectors for a simple edge device. (Source: Author)
Attacking an interface or protocol is a multi-layered issue. There is the security of the communication itself with the cloud—including data security—as well as access security to the device through one or more protocols such as HTTP.
The Transport Layer Security (TLS) should protect all communication to and from the device. This type of cryptographic protocol covers authentication—to ensure that both sides can be specific about who they are communicating with—as well as encryption of all data to avoid eavesdropping attacks. This is ideal for an edge device that communicates to a remote cloud over public networks like the internet.
Given the speeds at which data moves over IP networks, hardware acceleration is a must in order to efficiently manage authentication and data encryption and decryption. Processors with hardware encryption acceleration like the TI EK-TM4C129EXL include on-chip crypto acceleration for TLS, ensuring secure communication with remote systems.
Using protocols like Kerberos for authentication can ensure that a client and server securely identify themselves. Kerberos relies on symmetric-key cryptography or public-key cryptography, both of which can be accelerated using processors that include cryptographic engines.
The protocol ports used with a network interface form one of the largest attack vectors on an internet-connected device. These ports expose protocol access to the device—for example, a web interface is exposed typically through port 80—and therefore provide information to the attacker on types of exploits to attempt.
One of the simplest ways of protecting these ports is with a firewall. A firewall is an application on a device that you can configure to limit access to ports in order to protect them. For example, a firewall can include a rule that prohibits access to a given port except for a predefined trusted host. This limits access to the port and helps avoid common attacks using protocol exploits such as buffer overflows.
Edge devices are becoming increasingly complex, performing more advanced functions than prior generations, including machine-learning applications. With this complexity comes the requirement to fix issues and release updates to devices. But, the firmware update process creates an attack vector. By implementing security measures for firmware updates in your edge security plan, you can mitigate the risks posed by attackers.
Code signing is a common security method used to prevent malicious code from entering a device. This entails digitally signing the firmware image with a cryptographic hash, which can be used on the device prior to the firmware update process, to ensure the code is authentic and has not been altered since the signing process.
The signed code can also be used at boot-time to ensure that the firmware in the local storage device has not been altered. This covers two attack vectors, attempting to update the device with an exploited image using the device’s update process and protecting the device against an image forced into the local storage device.
The processor used within a device can be helpful here, particularly if it implements a secure cryptographic engine for hash generation and checking. One example is the Microchip CEC1302, which includes a cryptographic Advanced Encryption Standard (AES) and hash engine.
The use of a Trusted Platform Module (TPM) is also beneficial. The TPM is a secure crypto-processor dedicated to security features and typically includes hash generation, key-storage, hash and encryption acceleration, and a variety of other features. One example is the Microchip AT97SC3205T, which implements a TPM in the context of an 8-bit microcontroller.
Creating tamper-proof designs can help detect if the device has been physically opened or compromised in some way. This also includes minimizing external signals whenever possible to limit the ways that an attacker can monitor a device in their possession and identify exploits. Attackers may attempt to monitor bus signals to identify secure information and, in extreme cases, may apply temperature changes to the device, change clock signals, and even induce errors through the use of radiation. Understanding the methods that a motivated attacker will use to understand your device will help in building more secure products.
With the state of cyber warfare today and the plethora of motivations, individuals and states have to exploit devices edge security is an uphill battle. But, implementing modern security practices and considering security at the start of product development will go a long way to keep your device safe. Early analysis of the attack surface of a device helps to identify where to focus attention in order to create more secure devices. You can learn more at the Mouser Security blog.
M. Tim Jones is a veteran embedded firmware architect with over 30 years of architecture and development experience. Tim is the author of several books and many articles across the spectrum of software and firmware development. His engineering background ranges from the development of kernels for geosynchronous spacecraft to embedded systems architecture and protocol development.