Editor’s Note: Securing the Internet of Things is critical not only for the integrity of data streams and software within each IoT application, but also for the integrity of the enterprise resources tied into those applications. IoT security is a complex problem, requiring a systematic approach for understanding possible threats and corresponding mitigation methods.
Adapted from Internet of Things for Architects, by Perry Lea.
Chapter 12. IoT Security
By Perry Lea
Software defined perimeter
Earlier in the book, in Chapter 8, Router and Gateways , the concept of software-defined networks and overlay networks was discussed. Overlay networks and their ability to create microsegments is extremely powerful especially in mass IoT scaling and situations where a DDOS attack can be mitigated. An additional component of software-defined networking is called Software-Defined Perimeter (SDP ) and is worth a discussion in terms of the overall security picture.
Software-Defined Perimeter architecture
A Software-Defined Perimeter (SDP ) is an approach to network and communication security where no trust model exists. It is based on the Defense Information Systems Agency (DISA )’s black cloud. Black cloud means information is shared on a need-to-know basis. An SDP can mitigate attacks such as DDOS, MITM, zero-day exploits, and server scanning among others. Along with providing an overlay and micro-segmentation for each attached device, the perimeter creates an invitation-only (identity-based) security perimeter around users, clients, and IoT devices.
An SDP can be used to create an overlay network which is a network, built on top of another network. A historical reference is legacy internet services built upon the pre- existing telephone network. In this hybrid networking approach, the distributed control plane remains the same. Edge routers and virtual switches steer data based on control plane rules. Multiple overlay networks can be built on the same infrastructure. Since an SDN remains persistent in much the same way as a wired network, it is ideal for real-time applications, remote monitoring, and complex event processing. The ability to create multiple overlay networks using the same edge components allows for micro segmentation where different resources have a direct relationship with different consumers of data. Each resource-consumer pair is a separate immutable network that is only able to see outside of its virtual overlay as the administrator chooses.
|The ability to create multiple overlay networks using the same edge components allows for micro-segmentation where each endpoint in a globally distributed IoT network can build individual and isolated network segments over the existing network infrastructure. In theory, every sensor could be isolated from another. This is a powerful tool for enabling enterprise connectivity for IoT deployments as services and devices can be isolated and protected from each other.|
The following graphic depicts an SDN overlay example. Here, a corporation has three remote franchises with a number of different IoT and edge devices at each store. The network resides on an SDN overlay network with micro-segments isolating POS and VOIP systems that are corporately managed from various sensors for security, insurance, and cold storage monitoring. Third-party service providers can manage various remote sensors using an isolated and secure virtual overlay network only for the device they manage:
click for larger image
An example SDN Overlay Network.
An SDP can further extend security by developing an invitation system, forcing a pair of devices to authenticate first and connect second. Only a pre-authorized user or client may be added to a network. That authorization is extended by an invitation from the control plane via email or some registration facility. If the user accepts the invitation, client certificates and credentials are extended to that system alone. The resource extending the invitation maintains a record of extended certificates and will only provide an overlay connection when both parties accept the role.
|The real-world analogy is how one sends invitations for a party. Invitations are mailed out to selected individuals, with a date, time, address, and other details. Those individuals may or may not want to attend at the party (it is up to them). The alternative is to advertise on the web, TV, and radio that you are having a party and then authenticate each person as they arrive at the door.|
Blockchains and cryptocurrencies in IoT
Blockchains are public, digital, and decentralized ledgers or cryptocurrency transactions. The original cryptocurrency blockchain was Bitcoin but there are over 700 new currencies on the market such as Ethereum, Ripple, and Dash. The power of a blockchain is that there is no single entity controlling the state of transactions. It also forces redundancy in the system by ensuring everyone using a blockchain also maintains a copy of the ledger. Assuming there is no inherent trust in blockchain participants, the system must live in consensus.
A good question to ask is if we have solved identity management and security with asymmetric cryptography and key exchanges, why are blockchains needed to exchange data or currency? This is not enough for the exchange of money or data of value. One thing to note is that since the inception of information theory, when two devices communicate, Bob and Alice, they send a message or a bit of data. That information is still retained by Bob even if Alice receives a copy. When exchanging money or contracts, that data must leave one source and arrive at another. There is only a single instance. Authenticity and encryption are tools needed for communication but a new method to transfer ownership had to be invented:
click for larger image
Ledger topologies. A centralized ledger is the typical process of a single controlling agent maintaining “the books”. Cryptocurrencies use either decentralized or distributed ledgers
Blockchain secure cryptocurrencies are particularly relevant to IoT. Some example use cases include:
- Machine to machine payments : The IoT needs to ready itself for machine exchanging services for currency.
- Supply chain management : In this case, the movement and logistics in managing inventory, moving goods, and logistics can replace paper-based tracking with blockchain immutability and security. Every container, movement, location, and state can be tracked, verified, and certified. Attempts to forge, delete, or modify tracking information becomes impossible.
- Solar energy: Imagine residential solar as a service. In this case, solar panels installed on a customer home are generating energy for the home. Alternatively, they can also send energy back to the grid to power someone else (perhaps in exchange for carbon credits).
The cryptocurrency portion of Bitcoin is different from the blockchain itself. Bitcoin is an artificial currency. It has no commodity or value backing like gold. It is also not physical; it only exists in a network construct. Finally, the supply or number of Bitcoins is not determined by a central bank or any authority. It is completely decentralized. Like other blockchains, it is built up from public key cryptography, a large and distributed peer-to-peer network, and a protocol that defines the Bitcoin structure. While not the first to conceive of digital cash, Satoshi Nakamoto (alias) posted the paper in 2008 called Bitcoin: A Peer-to-Peer Electronic Cash System to a cryptography list. In 2009, the first Bitcoin network was online and Satoshi mined the first block (Genesis Block).
The concept of a blockchain means that there exists a block representing the current portion of a blockchain. A computer connected to the blockchain network is called a node . Each node participates in validating and relaying transactions by obtaining a copy of the blockchain and is essentially an administrator.
A distributed network based on peer-to-peer topologies exists for Bitcoin. Metcalfe’s Law applies here since the value of a cryptocurrency like Bitcoin is based on the size of the network. The network maintains the system of records (the ledger). The problem is, where do you find a source of computing willing to share their compute time for monitoring ledgers? The answer is to build a reward system called Bitcoin mining.
The transaction process is shown in the following figure. It starts with a transaction request. The request is broadcast to a Peer-to-Peer (P2P) network of computers called nodes . The peer network is responsible for validating the authenticity of the user. Upon validation, the transaction is verified and combined with other transactions to create a new block of data for the distributed ledger. When a block is full, it is added to the existing blockchain, making it immutable. The Bitcoin authentication, mining, and validation process is shown below:
click for larger image
Bitcoin blockchain transaction process.
Shown in the graphic is the exchange of 0.000554 Bitcoins between Alice and Bob with a service fee of 0.0001 BTC. Alice initiates the transaction by signing the contents of the transaction with the previous transaction hash against Alice’s private key. Alice also includes her public key in the inputScriptSig script. The transaction is then broadcast to the Bitcoin P2P network for inclusion in a block and validation. The network competes to validate and discover a working nonce based on the current strength of complexity. If a block is discovered, the server broadcasts the block to peers for validation and then inclusion in the chain.
What follows is a qualitative analysis of the blockchain and in particular Bitcoin processing. It is important to understand these fundamentals which build on all the security foundations from earlier in this chapter:
Digitally signed transaction : Alice intends to give Bob 1 Bitcoin. The first step is to announce to the world that Alice intends to give Bob 1 Bitcoin. Alice does this by writing this message: “Alice will give Bob 1 Bitcoin,” and digitally signing it for authentication with her private key. Anyone can verify the message is authentic given the public key. However, Alice could replay the message and artificially forge money.
- Unique identification : To resolve the forgery problem, Bitcoin creates a unique with a serial number. US-issued money has serial numbers and Bitcoins do as well in a general sense. Bitcoin uses a hash rather than a centrally administered serial number. The hash that identifies the transactions are self-generated as part of a transaction.
A serious problem arises with double spending. Even if the transaction is signed and uniquely hashed, Alice could potentially reuse the same Bitcoin with other parties. Bob will check Alice’s transaction and everything will verify. If Alice also uses the same transaction but buys something from Charlie, she effectively is cheating the system. The Bitcoin network is very large, but there is still a small chance that theft could occur. Bitcoin users protect against double spending by waiting for a confirmation when receiving payments on the blockchain. As a transaction becomes dated more confirmations arise, validating it becomes more irreversible.
- Security through peer validation : To resolve the double spending cheat, what is done in blockchains is that recipients of the transaction (Bob and Charlie) broadcast their potential payment to the network and request the peer network to help legitimize it. This service of requesting assistance in verifying a transaction doesn’t come free.
- Proof of Work Burden: This still hasn’t completely resolved the double spend problem. Alice could simply hijack the network with her own servers and claim all her transactions are valid. To finally resolve this issue, Bitcoin introduced the concept of Proof of Work. There are two aspects to proof-of-work concepts. The first aspect is validating the authenticity of a transaction should to be computationally expensive for a computing device. It must be more computationally burdensome than just verifying keys, logins names, transaction IDs, and other trivial steps in the authentication process. Second, users need to be rewarded to help resolve other people’s money exchanges—this is covered in step
- The method Bitcoin uses to force a work function on individuals validating transactions is to attach a nonce to the header of the transactions in process. Bitcoin then uses the cryptographically secure SHA-256 algorithm to hash the nonce and header message. The goal is to keep changing the nonce and deliver hash leading values that are less than 256-bit values, known as the target . A low target makes it much more computationally intensive to resolve. Since each hash basically generates a completely random number, many SHA-256 hashes must be performed. On average this takes about 10 minutes to resolve.
|The 10-minute proof-of-work also implies that a transaction will take 10 minutes on average to validate. Miners work on blocks which are collections of many transactions. A block is limited (currently) to 1 MB of transactions which implies your transaction will not be processed until the current block is completed. This can have implications for an IoT device with real-time demands.|
Bitcoin Mining Incentives : To encourage individuals to build a peer-to-peer network to validate other people’s spending, incentives are used to reward those individuals for their service. There are two forms of an reward. The first is Bitcoin Mining, which awards individuals who validate a block of transactions. The other form of award is a transaction fee. The transaction fee is rewarded to a miner who helps validate a block and is taken as part of the transaction. Initially, there was no fee, but as Bitcoins have gained popularity, the fee has grown. On average the fee is about $35 (in Bitcoin currency) for a successful transaction. As a further incentive, fees are dynamic and one can increase fees, which artificially forces the transaction to be processed faster for a user. Even when new Bitcoin generation is exhausted, there is still an incentive to manage transactions.
|Initially, the reward was very high (50 Bitcoins) but that reduces by half about every four years after 210,000 blocks have been found. This will continue until the year 2140 when the halving rate will reach a point of exhaustion and rewards will be less than the lowest unit value of a Bitcoin (called a Satoshi or 10-8 Bitcoins).
Given that a block is mined every 10 minutes and the reward is halved every four years, we can come up to the maximum number of Bitcoins in existence. We also know the initial reward for a mined coin is 50 Bitcoins. This produces a series that converges to the Santoshi limit: 50 BTC + 25 BTC + 12.5BTC… = 100 BTC. 210,000 * 100 = 21 million total Bitcoins possible.
Security through chaining order : The order in which transactions occur is also vital to the integrity of a currency. If a Bitcoin is transferred from Alice to Bob and then to Charlie, you don’t want the ledgers to record the events as Bob to Charlie then Alice to Bob. Blockchains manage the order by chaining the transactions. All new blocks added to the network contain a pointer to the last block validated in the chain. Bitcoin states that no transaction is valid until it is chained to the longest fork and that at least five blocks follow it in the longest fork.
This provision solves the asynchronous problem of what happens if Alice tries to double spend a Bitcoin with Bob and Charlie. She might try to broadcast the transaction with Bob for one set of the miners and with Charlie on a second set. However, the process will find this fraud when the network converges. Bob may win the transaction but the network will invalidate Charlie’s transaction.
Even if Alice attempts to pay herself and attempts to pay Bob, the ordering rules stop her. She does this by sending Bob a Bitcoin and waiting for the moment when the transaction is verified (five blocks follow it). She then immediately pays herself the same Bitcoin which causes a fork in the chain. She now has to validate five additional blocks of Bitcoins. This takes about 50 minutes as stated in step 4. That requires an enormous amount of computing power as she has to process faster than all other miners combined.
|Another interesting concept about blockchains is their use in managing the denial of service attacks. A proof-of-work system (or protocol/function) is an economic measure to deter the denial of service attacks. One conducting an attack intends to saturate a network with as much data as possible to overwhelm a system. A blockchain involving a work function reduces the effectiveness of such an attack. A key feature of these schemes is their asymmetry: the work must be moderately hard (but feasible) on the requester side but easy to check with the service provider.|
IOTA (directed acyclical graph-based)
An interesting new cryptocurrency has been developed solely for IoT called IOTA. In this case, the IOT devices themselves are the backbone of the trust network and the architecture is based on a Directed Acyclic Graph (DAG ). Bitcoin has an associated fee per transaction. IOTA has no fees. This is very important in the world of IoT, which may be serving micro- transactions. For example, a sensor may provide a service reporting to many subscribers of MQTT. The service has value in aggregate terms but is measurably very small per single transaction, so small that a Bitcoin fee to provide that information may be larger than the value of the data.
The IOTA architecture has the following aspects:
- No centralization of monetary control; with blockchain, miners can form large groups in order to increase the number of blocks they can mine as well as increase their rewards. This can potentially lead to a concentration of power and possibly harm the network.
- No costly hardware equipment. In order to mine Bitcoins. cryptocurrency, powerful processors are necessary due to the complexity of the processing logic required.
- Micro and nano transactions at the IoT level of data. Proven security even against quantum computing brute force attacks.
- Data that can be transferred through IOTA just as currency can. The data is fully authenticated and tamper-proof.
- Since IOTA is agnostic to the payload of a transaction, a national tamper-proof voting system can be designed.
- Anything with a small SOC can become a service. If you own a device such as a drill, personal Wi-Fi, a microwave, or bicycle, the devices with a small SOC or microcontroller can join IOTA and become leasing sources of revenue.
The IOTA DAG is called a tangle and is used store transactions as a distributed ledger. Transactions are issued by nodes (IoT devices) and they constitute a set on the tangle DAG. If there is no directed edge between transaction A and transaction B, but there is a path of at least length two from A to B, it can be said A indirectly approves B.
There is also the notion of a genesis transaction. Since there is no mining for graph edges (and no incentives or fees) to start the tangle, one node contains all tokens. The genesis event sends the tokens to other “founder” addresses. This is the static set of all tokens and no new tokens will ever be created.
When a new transaction arrives, it must approve (or deny) two previous transactions; this is called direct approval. This forms a direct edge on the graph. Anything performing a transaction is required to produce a “work” product on behalf of the tangle. This work involves finding a nonce that works with the hash of a portion of the approved transaction. Thus by using IOTA, the network becomes more distributed and more secure. The transaction may have many approvers. As more transactions occur, the confidence that the transaction is legitimate increases. If a node attempts to approve a transaction that for all intents is not legitimate, it risks having its own transaction be continuously disproved and falling into oblivion.
While still early in the rollout, it is a technology to watch. More information can be found at http://iota.org.
The next article in this series will discuss IoT security best practices and provide a security checklist.
Reprinted with permission from Packt Publishing. Copyright © 2018 Packt Publishing
Perry Lea is a 27-year veteran in the technology industry and sees himself as a technologist, strategist, business developer, entrepreneur, researcher and inventor. Besides writing the book, Internet of Things for Architects, he holds more than 50 patents. He served as Chief Architect at Hewlett Packard, where he architected and steered the design of more than 60 product lines. He holds three engineering degrees and a post graduate degree from Columbia University.