Security Principles for IoT Devices Using Arm TrustZone Security Extension

Examining four “must do’s” for tackling the complex challenges IoT device security poses.
The Internet of Things (IoT) market is expected to enable and deploy around 50 billion connected devices by 2020. These IoT devices will be deployed across the board to cater for multiple use cases, for example home or building automation, automotive, and the diverse embedded segment: gateways, set-top boxes, security cameras, industrial automation, digital signage and healthcare, to name a few.

Figure 1: The four principles for securing IoT devices using Arm® TrustZone® security technology

The predicted scale of the IoT poses a challenge for developers to secure connected endpoint devices against a myriad of physical and remote software attacks. For example, the Mirai DDoS botnet was launched through IoT devices such as digital cameras and DVR players. Among the many requirements for securing an IoT device, key principles include device identity, trusted boot, secure over-the-air updates, and certificate-based authentication.

1. Protect your IoT device identity with hardware isolation
Device identity involves being able to identify the endpoint device as an authentic device, rather than another device that may be masquerading as legitimate by assuming its identity. If and when a malicious device assumes the identity of a legitimate device, it can launch different types of attacks. When a new device is activated and contacts the server for the first time, the server needs to verify that it is indeed one of the target devices and not a hacker’s computer. One security measure is to provision a unique device-shared secret before the device is shipped, or to have an identity certificate issued to the device by a certification authority (CA) for anonymous attestation.

This type of security function is typically executed in a protected and isolated environment. The Armv7-M and Armv8-M architectures can host such an environment with an MPU or with Arm® TrustZone® security technology. Both provide enhanced security hardening to host protected and trusted execution partitions. The TrustZone security extension, however, offers more security robustness than MPU-based protected partitions, and is the industry-preferred security technology, with over 15 billion units shipped to date in Cortex™-A based devices.
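A challenge-response check of the kind the paragraph describes, built on a per-device shared secret provisioned before shipment. This is an added illustration in Go, not code from the article or from Arm; the device ID, the secret and the HMAC-SHA256 construction are constructed assumptions, and on a real device the secret and the HMAC computation would live inside the TrustZone-isolated partition.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// registry maps each device ID to the unique secret provisioned into that
// device's isolated storage at manufacture (constructed sample data).
var registry = map[string][]byte{
	"dev-0001": []byte("constructed-secret-for-dev-0001"),
}

// challenge issues a fresh random nonce so a captured response cannot be replayed.
func challenge() ([]byte, error) {
	n := make([]byte, 16)
	_, err := rand.Read(n)
	return n, err
}

// deviceRespond runs on the endpoint: prove possession of the secret with an
// HMAC over the nonce bound to the device's own ID.
func deviceRespond(secret, nonce []byte, id string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	m.Write([]byte(id))
	return m.Sum(nil)
}

// serverVerify recomputes the tag from the registered secret and compares in
// constant time; an unknown ID, a wrong secret or a stale nonce all fail.
func serverVerify(id string, nonce, tag []byte) bool {
	secret, ok := registry[id]
	if !ok {
		return false
	}
	return hmac.Equal(tag, deviceRespond(secret, nonce, id))
}

func main() { // genuine device, then one that knows the ID but not the secret
	nonce, _ := challenge()
	fmt.Println(serverVerify("dev-0001", nonce, deviceRespond(registry["dev-0001"], nonce, "dev-0001")))
	fmt.Println(serverVerify("dev-0001", nonce, deviceRespond([]byte("guess"), nonce, "dev-0001")))
}
```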

2. Assure device integrity with a trusted boot sequence
Trusted boot is yet another key function—when implemented on the IoT device, it assures that the boot and runtime software is authentic and has not been tampered with since it was installed or provisioned on the device. The implementation of a trusted boot on the platform requires a hardware-based root of trust, which is typically a security processor or security enclave (SE) that can host a protected and secured environment. Arm TrustZone is an example of a low-cost virtual SE capability that can host a secure partition.

3. Securely fix vulnerabilities with an over-the-air software update
The Mirai botnet is a good example of the importance of firmware/software patching of an IoT endpoint device, to fix zero-day security vulnerabilities identified in the field. It is practically impossible to know and address all vulnerabilities upfront, as hackers are always finding new ways to detect and exploit vulnerabilities. It is an ongoing race between the device manufacturer and hackers. The fundamental requirement to mitigate attacks is to have on-device capabilities to allow patching of software/firmware images in a secure way, to address known vulnerabilities.

Many government agencies across the globe have identified this as an international security issue and are feverishly working to put forth regulations and guidelines for device patching. The National Telecommunications and Information Administration (NTIA) is seeking to define different firmware patching capabilities for IoT devices, to increase consumer awareness, and to encourage consumers to ask for support of these capabilities in the devices they purchase. The secure software update capability is typically implemented in a protected partition, with either an Arm MPU or TrustZone technology providing security robustness.
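Principles 2 and 3 rest on the same check: an image is accepted, whether at boot or as an over-the-air update, only if its signature verifies against a public key provisioned as the root of trust, and a monotonic anti-rollback counter refuses a downgrade to a version whose vulnerabilities were already patched. The Go example below is added here and is not code from the article or from Arm; the image layout, the Ed25519 vendor key and the version numbers are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is the boot/update container: version, firmware payload, vendor signature.
type Image struct {
	Version            uint32
	Payload, Signature []byte
}

// signedBytes is the exact byte string that is signed and later verified.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// SignImage runs in the vendor's build pipeline, never on the device.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{version, payload, ed25519.Sign(priv, signedBytes(version, payload))}
}

// Device is the secure-partition state: provisioned root-of-trust key and anti-rollback counter.
type Device struct {
	RootKey    ed25519.PublicKey
	MinVersion uint32
}

// VerifyAndApply is the trusted-boot / OTA gate: signature first, then anti-rollback,
// then advance the counter so the superseded image can never be reinstalled.
func (d *Device) VerifyAndApply(img Image) error {
	if !ed25519.Verify(d.RootKey, signedBytes(img.Version, img.Payload), img.Signature) {
		return errors.New("signature invalid: image tampered or not from vendor")
	}
	if img.Version < d.MinVersion {
		return fmt.Errorf("rollback refused: v%d below counter v%d", img.Version, d.MinVersion)
	}
	d.MinVersion = img.Version
	return nil
}

func main() { // constructed vendor key pair: genuine v2 accepted, then v1 rollback refused
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{RootKey: pub}
	fmt.Println(dev.VerifyAndApply(SignImage(priv, 2, []byte("fw v2"))), dev.VerifyAndApply(SignImage(priv, 1, []byte("fw v1"))))
}
```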

4. Ensure trusted communication with certificate-based authentication
With so many connected devices, it is inevitable that these devices will be communicating with each other. A very good example of this is in the automotive industry with vehicle-to-vehicle and vehicle-to-infrastructure communication (V2X). During secure communication between devices, it is critical that they send information to, and act on information received from, authenticated devices only, since acting on information from an unauthenticated source could have serious ramifications.

There are several prevalent authentication schemes, for example user ID/password, one-time password (OTP), server unique ID, and message payload. The message payload authentication token is one of the ways to facilitate the authentication of devices with certificates issued by a CA, by embedding them in the communication packets. This is another trusted function that must be executed in a highly secure environment that cannot be tampered with. Arm TrustZone technology or an MPU-based capability provides this secure environment, and this can be further supported with an SE security-hardened solution.

Robust, Hardware-Enforced Security for IoT—No Matter the Device
In summary, for IoT to scale, it must do so with security as its foundation. The challenge, however, is that developers must protect IoT devices from a variety of attack types, across a range of devices—from low cost, low power, and harvested power, to high-end devices. Therefore, ensuring strong security principles in these four areas from the start of a project is key:

  1. Protect your IoT device identity with hardware isolation
  2. Assure device integrity with a trusted boot sequence
  3. Securely fix vulnerabilities with an over-the-air software update
  4. Ensure trusted communication with certificate-based authentication

Figure 2: Arm TrustZone security technology provides seamless, developer-friendly, hardware-enforced security protection

It must be said that these are not the only ways to protect a device; however, these principles set a strong foundation for other measures to be built upon. So, whether it’s being implemented in low-cost and low-power MCUs or in high-end devices for richer IoT experiences, TrustZone security technology provides seamless, developer-friendly, hardware-enforced protection for isolated and protected environments that exceeds the strength of MPU-only protection.

Suresh Marisetty is a Security Solutions Architect at Arm, covering the emerging market segments of Automotive, IoT, and Embedded. He has over 25 years of industry experience, with over 10 years of Security Architecture expertise, driving end-to-end SoC security solutions from concept to product delivery. He has successfully delivered about half a dozen silicon solutions for Automotive, Embedded, Mobile, Desktop, and Server platforms at Intel. His prior contributions include the Server platform machine check architecture for RAS and its enabling as an industry standard through the UEFI SIG. He holds about 25 patents and several publications, and is a co-author of the book Beyond BIOS – Developing with UEFI.