Microcontroller security hadn’t really crossed my mind at “low level” before I heard it in Jfokus this year. I know it’s been a while from Jfokus, but I finally thought I’d just plain take the time to write some thoughts about this interesting topic. The IoT keynote by Zach Shelby: Future Of IoT, the talk about securing micro controllers by Aaron Ardiri: IoT security feasibility and James McGivern’s talk about complex systems and emergent behavior: The House That Skynet Built were extremely interesting. Jfokus, by the way, is an excellent event, held annually in Stockholm – I highly recommend.
It has been estimated that by 2020 there are somewhat 26 (Gartner) to 220 (IDC) billion IoT devices in the world – even the lower end is a huge number. Most of those devices will be relaying information, taking orders in some form, to and from an another device – which may listen / talk to another device that talks to many others etc. It might just be that us humans are the 5th “controllers” when going up the “call-chain”.. and it might just be that there’s no human at all. Ok, this starts to sound like Skynet, but hey, you can’t deny that there will be a lot of machines talking to other machines and most importantly: those machines are going to be making decisions too – decisions based on the data their own sensors or other device’s sensors are relaying them. Communication between the machines will also be (partially) wireless.
So, what’s the big deal with security in the IoT then? We got all the existing nice open-source stuff out there that can be utilized to gain an acceptable level of security in anything that involves hardware capable to run at least C, right? – So let’s just do it. Well.. it’s not just that easy as we’re going to be controlling the vast majority of our brilliant devices with something called microcontrollers, which come in many forms and abilities.. As always there are some “but’s” as there are some limitations too.
Microcontrollers are small computers, so small that they fit on a single chip. A microcontroller typically has at least a processor, some memory and IO-channels that are connected to the device being controlled. The physical size along with e.g. financial and power consumption requirements of the microcontroller sets some serious constraints to computing performance and memory amount on the controller. The constraints are interesting because they also limit security techniques and the usage of existing solutions to security issues. Those solutions were originally developed for regular computer hardware, where memory and processing power are abundant (for the task). Scarce resources call for optimized solutions, often involving low level C-programming or even assembly – really a dive into the deep end. Some microcontrollers are so lightly equipped that encrypting/decrypting a 2048-bit RSA-key is impossible (insufficient memory) or it takes too long (insufficient processing power). By the way, it was already back in 2007, when 1024-bit RSA-keys were considered dead by some: Researchers: 307-digit key crack endangers 1024-bit RSA.
So, what if we just forget about security in IoT? That’s a bad idea.. What if someone could turn on your toaster because of insufficiently secured microcontroller? Or maybe start your car and drive it around? The scenario is unacceptable and what if it were automated weapons someone not authorized gains access to? This is just something to keep in mind when building the IoT. It does not require artificial (and perhaps a bit malevolent) intelligence to make Skynet happen. It is enough that a few people with decent hacking skills gain control of something that has enough momentum (and then they brew a nice cup of coffee for themselves.. with your coffeemaker that has an insecure microcontroller! They would then maneuver the cup of coffee outside with your robot vacuum cleaner that also has an insecure microcontroller! Not to mention that they unlock your house door that also has an insecure microcontroller! Ok, enough.)