Although the IoT concept has been around for many years now, it is still struggling with its integral security. As the picture shows, the data security and encryption part has been fairly well covered, using such technologies as cloud-based Hardware Security Modules, Secure Element ICs in the user devices, and recently also Physically Unclonable Functions (PUF) to securely store the encryption key.
A major challenge, in contrast, remains the need for Trusted Identities, especially of the IoT end nodes. For the higher system levels the problem has been solved, using public-key certificates and MAC-address management, with these credentials held in Secure Elements. However, the end node remains the biggest problem. The lack of trustworthy identities, especially in the lowest part of these connected networks, remains the most vulnerable element of the IoT, restricting its broad deployment. Due to these weak or missing identities, hacking an end node to subvert a network is still relatively easy. This weakness of IoT end nodes makes it very difficult or even impossible to build reliable IoT applications on top of them.
The lack of trusted identity of the end nodes results in a high vulnerability to hacking. By stealing a weakly protected identity of a device one can easily enter the same or other networks by pretending to be a legitimate user. The network is hacked! Once a hacker is inside the network, he can access the entire application. For example, there was a famous hack in 2017 where breaching an internet-connected fish tank helped hack a casino. Another famous example is the hack of a smart lighting network, which potentially allowed the perpetrator to disable all smart lamps in an entire city. In-house IP cameras and smart doorbells are also known weak spots for hackers. Not only the well-known consumer applications are vulnerable to hacks; the same is valid for professional applications like building automation, lighting, and sensor networks.
To provide trusted identities to IoT end nodes, there are two main types of solutions.
- The first method puts the identity into the end node, storing the identity in some form of protected memory, ultimately in Secure Elements. However, no matter what level of protection is provided, an end node can be hacked and its identity stolen, and if the identity management is based on the end nodes only, this stolen identity can be endlessly replicated. Thus: Break one – Break all. This has led to the famous hacks mentioned earlier, and also, for example, to the Dutch public transport system hack.
- Alternatively, the fundamentally more reliable central approach can be taken, allowing much better detection, coordination, and control after the detection of a hack. Break one – Break all thus no longer applies. One major weakness remains, however: there is no link between a generated and assigned identity and the physical device it should belong to. Thus, a hacker could steal (and delete) an identity from a device and insert it into his own clone.
The perfect authentication system, providing trusted identities to physical devices, should be based on two critical elements: an immutable link between the identity and the physical device, in combination with a central identity management system. This is the SandGrain system solution!
The SandGrain authentication system is based on two pillars:
- Unique, immutable SandGrain ICs with a hard-coded identity provide a very strong link between the identity and the device it belongs to.
- The CyberRock cloud-based data management system administers all identities and is thus able to detect any system abuse on the level of individual end node devices.
The SandGrain-CyberRock system thus provides unprecedented levels of identity trustworthiness, making identity-based hacks virtually impossible.
- Break one – Break all is fundamentally no longer applicable. If one identity is stolen and/or duplicated, this will immediately be detected by CyberRock and the identity will be blocked, without affecting any other identity or device.
- Because the lowest network layer has become fundamentally more reliable, the need for excessive security measures at higher network levels to protect against threats from the end nodes is reduced.
- Clones and illegal copies of devices are no longer a threat to a brand, since their identity – if available at all – will immediately be detected by CyberRock as being false or stolen, and will not be allowed into the network. On a more positive note, it gives companies a controlled way to second-source network end nodes from other suppliers by issuing them a series of valid identities.
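The following is an added illustration, not SandGrain or CyberRock code, of the two approaches contrasted above: a device-only check that can never tell a clone from the original, beside a central registry that notices when one identity is being used twice and blocks only that identity. The page does not describe the actual protocol, so the mechanism here is an assumption: each end node carries an immutable id and a per-device secret, every message carries a strictly increasing counter and an HMAC over (id, counter, payload), and the registry treats a counter it has already seen for that id as evidence of duplication. All ids and secrets are constructed sample values.

```python
import hashlib
import hmac


def _tag(secret: bytes, device_id: str, ctr: int, payload: str) -> str:
    """HMAC-SHA256 over the fields the registry binds together (assumed scheme)."""
    msg = f"{device_id}|{ctr}|{payload}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class EndNode:
    """Hypothetical end node: immutable id, per-device secret, monotonic counter."""

    def __init__(self, device_id: str, secret: bytes, counter: int = 0):
        self.device_id = device_id
        self.secret = secret
        self.counter = counter

    def send(self, payload: str) -> dict:
        self.counter += 1
        return {
            "id": self.device_id,
            "ctr": self.counter,
            "payload": payload,
            "tag": _tag(self.secret, self.device_id, self.counter, payload),
        }


def tag_only_accepts(msg: dict, secret: bytes) -> bool:
    """The end-node-only approach: anyone holding the stolen secret passes forever."""
    expected = _tag(secret, msg["id"], msg["ctr"], msg["payload"])
    return hmac.compare_digest(expected, msg["tag"])


class CentralRegistry:
    """Central identity management: knows every id and the last counter it used."""

    def __init__(self):
        self.secrets: dict[str, bytes] = {}
        self.last_ctr: dict[str, int] = {}
        self.blocked: set[str] = set()

    def enroll(self, device_id: str, secret: bytes) -> None:
        self.secrets[device_id] = secret

    def verify(self, msg: dict) -> str:
        did = msg["id"]
        if did in self.blocked:
            return "blocked"
        if did not in self.secrets:
            return "unknown"
        if not tag_only_accepts(msg, self.secrets[did]):
            return "bad-tag"
        # A counter at or below the last one seen means a second party is
        # using this identity (replay or parallel clone): block just this id.
        if msg["ctr"] <= self.last_ctr.get(did, 0):
            self.blocked.add(did)
            return "duplicate-blocked"
        self.last_ctr[did] = msg["ctr"]
        return "ok"


def demo() -> list[str]:
    """Walk through a stolen identity; returns the registry's verdict per message."""
    secret_a = b"constructed-secret-A"
    secret_b = b"constructed-secret-B"
    reg = CentralRegistry()
    reg.enroll("node-A", secret_a)
    reg.enroll("node-B", secret_b)
    node_a = EndNode("node-A", secret_a)
    node_b = EndNode("node-B", secret_b)

    verdicts = [reg.verify(node_a.send("temp=21")) for _ in range(3)]
    # Attacker copies node A's full state (id, secret, counter) into a clone.
    clone = EndNode("node-A", secret_a, counter=node_a.counter)
    verdicts.append(reg.verify(clone.send("temp=99")))    # first to use ctr 4
    verdicts.append(reg.verify(node_a.send("temp=22")))   # ctr 4 again: detected
    verdicts.append(reg.verify(clone.send("temp=99")))    # identity now blocked
    verdicts.append(reg.verify(node_b.send("temp=20")))   # other device unaffected
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Note that the registry cannot tell which of the two parties is the clone; it only knows the identity is being used twice, which is why blocking is per identity and a follow-up with the device owner is needed, while every other device keeps working.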