With all the recent news of hackers breaking into consumer IoT devices such as IP cameras, there is increasing public scrutiny on just how secure the IoT really is. There are a number of aspects to consider around the security of an IoT device including the confidentiality and authenticity of the data flowing in and out of the device as well as the various access methods and control points available to a potentially malicious external agent.
Most of the recent news has been focused on mainstream IoT devices - consisting of highly capable application processors running an essentially scaled-down version of your desktop operating system. With power comes great responsibility, and often the complexity of configuring and maintaining a Linux OS on an embedded device prevents device vendors and users from properly locking down and securing the external network interfaces.
Many, if not most, IoT devices share a common network interaction model. First, the device must register with a cloud-based device management service (providers include Xively, Amazon, IBM Watson, Microsoft Azure and Losant, to name but a few in a growing list). Registration and interaction with the management service are typically implemented with well-known PKI concepts and include authenticating both the device to the server and the server to the device. Once this secure management channel has been established, the device can bring up its other services, generally a secure high-bandwidth data channel (e.g. for video streaming) and a secure OTA (over-the-air) update channel.
While many IoT devices record sensor data and drive actuators and can operate entirely within the scope of the secure management channel (think MQTT messages), there are still many more that drive significant data into the cloud such as video capture devices. A separate secured (encrypted and authenticated as necessary) channel can be opened up for this purpose and can be configured for outbound traffic only.
Almost all IoT devices need the ability to update their software (firmware) remotely. The software/firmware binary images are hosted at a known location that is communicated to the device over the management channel. Like the cloud management service, the OTA update image host authenticates itself to the device before any download occurs.
The secure channels are implemented with TLS sockets. When properly secured in this manner, the risks associated with hijacking, manipulating or compromising the IoT device in some way are mitigated.
MCU (microcontroller) based IoT devices already enjoy this level of security. With built-in secure hardware accelerators, an MCU + WiFi (e.g. TI MSP432 + CC3100) combination or WiFi SoC (e.g. TI CC3200) can take care of implementing secure socket channels plus implement all of the logic necessary for complete IoT device management including OTA updating.
Considering then that an MCU-based system can fully implement the secure IoT device network interaction model, it is not a stretch to envision placing this secure MCU front end in front of more capable mainstream IoT devices to block attack vectors and plug vulnerabilities. Such a front end can be considered a firewall, and the Linux-based application processor running behind it becomes a co-processor whose sole purpose is to run a feature-rich user interface, capture video, or perform other intensive edge computing (e.g. image processing/feature extraction of captured video frames).
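As an added illustration (not code from this post or from Firmware Modules), the following Python sketch models the policy such an MCU front end would enforce for the co-processor behind it: inbound connections are dropped, outbound connections are limited to TLS ports and to the three channel hosts, and the OTA image host is only trusted once it has been announced over the established management channel. Host names and port numbers are assumed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed TLS service ports for the channels (HTTPS and MQTT over TLS).
TLS_PORTS = {443, 8883}


@dataclass
class FrontEndPolicy:
    """Connection policy the MCU firewall applies on behalf of the co-processor."""
    mgmt_host: str                        # cloud management service
    data_host: str                        # high-bandwidth data sink (outbound only)
    ota_host: Optional[str] = None        # learned later, over the management channel
    log: List[str] = field(default_factory=list)

    def register_ota_host(self, host: str, via_mgmt_channel: bool) -> bool:
        # The image location is trusted only if it arrived over the
        # mutually authenticated management channel, not from the co-processor.
        if not via_mgmt_channel:
            self.log.append(f"reject OTA host {host}: not announced via mgmt channel")
            return False
        self.ota_host = host
        return True

    def allow(self, direction: str, host: str, port: int) -> bool:
        """Return True if the front end permits this connection attempt."""
        if direction == "in":
            # Default-deny: nothing on the network may initiate a session inward.
            self.log.append(f"drop inbound {host}:{port}")
            return False
        if port not in TLS_PORTS:
            self.log.append(f"drop cleartext {host}:{port}")
            return False
        if host in (self.mgmt_host, self.data_host, self.ota_host):
            return True
        self.log.append(f"drop unknown host {host}:{port}")
        return False


def demo() -> List[bool]:
    # Constructed sequence: the co-processor tries the OTA host before and
    # after the management channel has announced it.
    p = FrontEndPolicy(mgmt_host="mgmt.example.net", data_host="ingest.example.net")
    results = [p.allow("out", "mgmt.example.net", 8883),      # management channel
               p.allow("in", "203.0.113.9", 22),              # inbound SSH probe
               p.allow("out", "ingest.example.net", 80),      # cleartext data
               p.allow("out", "ota.example.net", 443)]        # OTA host not yet known
    p.register_ota_host("ota.example.net", via_mgmt_channel=True)
    results.append(p.allow("out", "ota.example.net", 443))    # now permitted
    return results
```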
At Firmware Modules we are exploring the concept of the MCU firewall and working on building a scalable secure MCU-based IoT device management component that could be used in the manner described above.