
IoT SAFE: an innovative way to protect IoT

Written by ga_dahmani

By the end of 2021, there will be 12 billion connected IoT devices, and by 2025, that number will increase to 27 billion.

All of these devices will be connected to the Internet and will send useful data that will make industries, medicine, and automobiles smarter and more efficient.

However, will all these devices be safe? It is worth asking yourself what you can do to avoid (or at least reduce) the risk of becoming a victim of data theft or other forms of cybercrime in the future.

Will IoT security ever improve?

In recent years, the number of security vulnerabilities related to the Internet of Things has increased significantly.

Let’s start at the beginning: most IoT devices come with default, publicly disclosed passwords. Furthermore, many cheap, low-capacity Internet of Things devices lack even the most basic security.

And that’s not all: security experts discover new critical vulnerabilities every day. IoT devices that undergo security audits exhibit the same issues over and over again: remote code execution vulnerabilities at the IP or even radio level, and unauthenticated or broken access control mechanisms.

Weak hardware security is one of the most frequently discovered issues. By this term, we mean all the attack possibilities that hackers can exploit when they have an IoT device in their hands: extract the security credentials stored in the clear in the memory of the device, use this data to penetrate the servers where the device data is sent, share or sell these credentials on the “dark web” to remotely attack other devices of the same type, etc.


There is a true silent IoT battle going on and tens of thousands of IoT devices have already been compromised. To give you an idea of the level of awareness that is rising, the Orange Cyberdefense Epidemiology Lab gives us some exciting and scary numbers: in 2019, for example, a vulnerable IoT device could be infected in less than 3 minutes, and in 2021, an IoT device is attacked an average of 2,814 times a day by more than 100 different botnets trying to hijack it. It is therefore not surprising that five years after Mirai, a new IoT botnet called Meris has emerged and been used for massive DDoS attacks against Yandex, a very large Russian search engine website.


Light at the end of the tunnel

However, the situation may start to change in the near future. Recently, Orange, the largest player in the European telecommunications industry, launched an initiative called “SECURE IoT” in collaboration with Thales, a major manufacturer of electronic devices. Collaboration between a network provider and an IoT device manufacturer has been shown to significantly improve the security of IoT devices (and thus the security posture of its users).

IoT SAFE has been standardized by the GSMA as a result of extensive collaboration between device and chip set manufacturers, cloud providers and mobile network operators.

The key idea is to use a SIM card (or an embedded SIM) as an application KeyStore where security keys are securely stored and dynamically managed. No longer is it necessary to hand over secrets to an untrusted provider. There’s also no need to add a dedicated, expensive secure element. Also, there are no requirements for proprietary interfaces.

Thanks to IoT SAFE, the SIM card can cover a wide range of crypto services directly.

You may wonder: Why do we stick with a SIM or embedded SIM to secure an IoT device? It is because SIM cards are very well protected against physical attacks. They are also standardized and can be considered reliable and well developed chips. All IoT devices that are connected to the cellular network are usually equipped with SIM cards. With 5G for industrial IoT just around the corner, they are sure to remain popular. They’re also cheap, as many mobile IoT devices are small and have cheap sensors, so a specialized chip probably isn’t needed.

How does it work? An example.

This new standard also brings the benefit of overall simplicity.

An example of this is “Zero Touch Provisioning”. In this use case, the network operator remotely installs and configures an instance of the IoT SAFE applet as soon as the user powers on the IoT device. The network operator then tells the applet to create a new key pair consisting of a private key that is stored securely on the SIM card and a public key that is sent back to the server. The server generates a new client certificate and returns it to the applet. Finally, the IoT SAFE-enabled device uses this data to establish a secure connection to the cloud using a mutually authenticated TLS session.

If the device is suspected of being compromised, the credentials are remotely wiped over the mobile network.
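
The provisioning and wipe steps described above, simulated in software as an added example (it is not code from Orange's implementation or from the IoT SAFE specification). `SimApplet`, `issue_client_cert`, `server_accepts`, `provision`, the CA name and the device ID are hypothetical names chosen for illustration; it assumes the third-party Python `cryptography` package.

```python
"""Zero-touch provisioning flow, simulated in software (constructed example)."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ECDSA = ec.ECDSA(hashes.SHA256())

class SimApplet:
    """Hypothetical stand-in for the SIM applet: no method returns the private key."""
    def __init__(self):
        self._key, self.cert = None, None
    def generate_keypair(self):        # triggered remotely by the network operator
        self._key = ec.generate_private_key(ec.SECP256R1())
        return self._key.public_key()  # only the public half leaves the SIM
    def sign(self, data):              # the one private-key operation the device can request
        if self._key is None:
            raise PermissionError("no credentials on SIM")
        return self._key.sign(data, ECDSA)
    def wipe(self):                    # remote wipe when compromise is suspected
        self._key, self.cert = None, None

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue_client_cert(ca_key, device_pub, device_id):
    """Server side: certify the public key reported by the applet."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(device_id)).issuer_name(_name("Example Provisioning CA"))
            .public_key(device_pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))

def server_accepts(ca_pub, cert, challenge, signature):
    """Simplified client-auth check: cert issued by our CA + proof of key possession."""
    try:
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes, ECDSA)
        cert.public_key().verify(signature, challenge, ECDSA)
        return True
    except InvalidSignature:
        return False

def provision(applet, ca_key, device_id="sensor-0001"):  # constructed device ID
    applet.cert = issue_client_cert(ca_key, applet.generate_keypair(), device_id)
    return applet.cert
```

A real mutually authenticated TLS handshake also checks certificate validity dates and signs the handshake transcript rather than a bare challenge; the simulation keeps only the two checks that depend on the SIM-held key.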

IoT SAFE can also cover more complex use cases, such as storing critical user data on the SIM or pre-execution software authentication to prevent unauthorized code execution by IoT malware.

Towards a bright and secure IoT world

Orange launched the first open source implementation of the standard in October 2020, written in plain C. The implementation was tested on two constrained devices using applets from two different vendors. It has been successfully integrated into two popular public clouds, Azure and AWS, and into Orange’s own Live Objects private cloud. Thanks to the permissive license of this open source code, device manufacturers will be able to easily implement an IoT SAFE compatible device.

The IoT SAFE initiative has been presented at several conferences, including the Java Card Forum, the Global Platform, and the Mobile IoT Summit. During the seminars, the use cases for implementing IoT SAFE were demonstrated and discussed in detail with the IoT community. Thanks to these efforts, wolfSSL has added support for IoT SAFE to its popular SSL/TLS library.

Of course, IoT SAFE developments and prototypes were also demonstrated at the Orange booth at this year’s Mobile World Congress. It was obvious that the IoT industry showed great interest after this demo. In addition to device manufacturers, chipmakers, and even an aircraft manufacturer, many others were also excited about the potential of IoT SAFE.

One for all

It is undeniable that these connected devices do not provide adequate security protection. In the age of ever-increasing insecure devices, there is no doubt that they pose a threat to all of us. Furthermore, security threats are considered a major obstacle to the development of IoT markets. According to Internet of Things World and Omdia, 85% of the 170 industry leaders surveyed believe that security concerns remain a major barrier to IoT adoption. Potential customers are often hesitant to purchase IoT objects because they are concerned that they will be compromised.

Ultimately, only reasonably secure and reliable devices will succeed in the market and lead to reasonable commercial growth of IoT. Therefore, the vendor community must actively contribute to IoT security to drive the IoT market and increase business opportunities.

If you want to learn more about what Orange Cyberdefense researchers have been investigating this year, you can visit the home page of their recently published security browser.

Note – This article is written and contributed by Fabrice Fontaine and Leila de Charette, both from Orange Innovation.
