By navigating our site, you agree to allow us to use cookies, in accordance with our Privacy Policy.

Take Control Of Your Security

The security of embedded devices is vital. All over the world, there are adversaries, both benign and malicious, routinely using low-cost tools in a quest to discover IoT device vulnerabilities. Breaching the security of a single target device in a remotely connected system may enable the adversary to access the entire IoT implementation.

By Mark Patrick, Mouser Electronics

Introduction

In today’s connected, always-on world, adversaries are having a field day trying to compromise devices. Security is vital to prevent hackers from gaining control of embedded devices. Worse still, a malicious adversary may infiltrate the device’s connected systems. Aside from remote attacks, local attacks on the device’s physical hardware are also possible, giving them access to system authentication passwords and even the IP of the application code itself.

This article looks at security best practices for establishing a robust and reliable process in an embedded microcontroller. It also examines security fundamentals and provides insight into the popular attack surfaces and vectors that adversary’s use.

MRXACI083 Figure1

Figure 1: It only takes one compromised or unsecured device to expose the whole IoT system to an adversary. (© STMicroelectronics)

Never underestimate how much complexity is added to an embedded system when provisioning security. It involves securing cryptographic keys, embedded firmware, and personal data. Should the adversary get at the device’s firmware, potentially, they could reverse engineer the code. If the adversary knows how the code works, they could uncover further vulnerabilities and insert malicious code. Gaining access to just one connected IoT device may enable the adversary to access the entire IoT deployment – see Figure 1.

What To Protect

What do we need to protect? Generally, hackers target an IoT device that needs protecting – see Figure 2. The asset is what is contained in the target that requires protection with the associated risks. This simple classification technique helps select the correct approach when implementing embedded security.

MRXACI083 Figure2

Figure 2: Classifying the targets, assets, and associated risks will help decide which security methods to use. (© STMicroelectronics)

Attack Types

Broadly categorized, IoT device attacks can be either software or hardware-based. Software attacks can be on the device itself or via a network connection. Hardware attacks are further split into non-invasive or invasive types. Non-invasive attacks are local and, in a few cases, need an electrical connection to the main PCB of the device. On the other hand, invasive hardware attacks require physical and electrical access to the device’s microcontroller, making them expensive to carry out and require specialist knowledge. Figure 3 illustrates the types of attack, techniques used, and reasons why the adversary would employ them.

MRXACI083 Figure3

Figure 3: The three attack types and associated costs. (© STMicroelectronics)

The most common type of attack is on the device’s software via its communication channels and can involve exploiting firmware bugs or protocol weaknesses. Since these attacks are executed remotely, the associated costs may be relatively low. The adversary may share the device’s vulnerability to the manufacturer through its disclosure program or within the hacker community.

How To Implement Security

Understanding security drivers helps identify the right security functions to implement. From a device manufacturer viewpoint, there are three common scenarios:

Royalty Payments

When royalty payments for a company’s firmware are the main revenue source, the valuable intellectual property (IP) asset needs protection. This firmware, therefore, needs to be securely isolated from the customer’s application code. Although the firmware is usually changed infrequently, the manufacturer still needs access to install and update it securely. Therefore, the primary security functions are isolation, IP protection, and secure install and update routines.

Authenticity

When a company sells equipment and wants to generate revenue by offering its customers a firmware update service, it must ensure the equipment only runs its firmware. Therefore, the firmware update process must be handled carefully with regular authenticity checks throughout the procedure. To ensure that only the company’s firmware runs on the equipment requires a secure boot function. The integrity and authenticity checks are handled via a secure install and update function.

Data Security

When a device manufacturer wants to collect user data as part of a more extensions system, must maintain compliance with consumer data regulations. To ensure that user data is secure during device communication with the host, cryptographic techniques, device identification, and authentication functions are used. If the manufacturer also wants to ensure its device only runs its firmware to ensure its robust behavior, a secure boot function is also required.

Security Frameworks

Access to a comprehensive toolset of robust security functions is paramount. The STM32 microcontrollers from STMicroelectronics, for example, offers developers access to its ‘STM32Trust’ framework – see Figure 4.

MRXACI083 Figure4

Figure 4: The STM32Trust framework provides a comprehensive suite of security functions. (© STMicroelectronics)

The STM32Trust ecosystem offers security functions for the STM32L4 and STM32L5 microcontrollers, which are both Arms PSA (Level 2) and SESIP (Level 3) certified. These security functions are device-dependent and are either embedded into the microcontroller’s silicon or available as firmware.

As mentioned above, the two essential security functions are secure boot and secure boot and secure install and update also referred to as secure boot and secure firmware update (SBSFU). For the rest of the article, these two security functions offered by the STM32Trust framework will be the focus.

Secure Boot

On-device Reset, the secure boot code executes and verifies the application firmware’s authenticity before deciding whether or not to launch. It is the only code that runs on reset and is immutable, i.e., modification is impossible. Also, the boot code address is unique, which prevents unauthorized access at reset. Together these two parameters establish a root of trust (RoT) for the device – see Figure 5.

MRXACI083 Figure5

Figure 5: How a secure boot function works. (© STMicroelectronics)

The secure boot code checks the integrity and authenticity of the application firmware compared to a signature. The integrity check is complete by comparing a hash or digest generated from the application code against a supplied reference. The authenticity check compares the signature computed from the generated hash value and a private key. The generated signature is then verified using an associated public key. Both the reference hash and signature values must be provided with the firmware and stored in the program metadata or header – see Figure 6. The metadata is not encrypted because of how it is generated. Should malicious firmware be injected into the microcontroller, it is blocked as there is no way to match the firmware hash with the reference.

MRXACI083 Figure6

Figure 6: The metadata signature’s construction, using the hashed firmware digest and private key. (© STMicroelectronics)

To confirm the application firmware’s integrity and authenticity, the secure boot uses the metadata signature – see Figure 7. Once the firmware is verified to be valid, it is loaded. Any discrepancies with the application firmware or the signature will prevent the boot process from progressing further.

MRXACI083 Figure7

Figure 7: The metadata signature validates the application firmware before loading. (© STMicroelectronics)

Firmware Updates

The five critical steps in a firmware update are – its creation, generation of the associated metadata, and transmitting it to the target device. The secure boot checks the integrity and authenticity of the application firmware and, if the checks pass, then the firmware is installed.

The same technique used in the secure boot creates the new metadata signature. For connected devices, the update is transferred over-the-air (OTA). Devices with no internet connection need updating via a UART, SPI, USB, or microSD card. The new application firmware is then written to the target device’s flash memory using a loader program, which is typically included in the secure boot or within the application firmware. Note: the incumbent firmware still runs at this point, which is why two memory slots are required – see Figure 8.

MRXACI083 Figure8

Figure 8: A remote firmware update requires two memory slots. (© STMicroelectronics)

Once the new application firmware passes its checks, the existing application firmware is replaced, and the update is now complete.

Closing

Take control of your embedded security. Ensure you protect your devices against vulnerabilities and malicious attacks by using security functions, such as secure boot and secure firmware install and update. The STM32Trust framework provides all the necessary security functions to enable embedded developers to safeguard their devices and comply with current legislation.

Tags

Aishwarya Saxena

A book geek, with creative mind, an electronics degree, and zealous for writing.Creativity is the one thing in her opinion which drove her to enter into editing field. Allured towards south Indian cuisine and culture, love to discover new cultures and their customs. Relishes in discovering new music genres.

Related Articles

Upcoming Events