Media Relations for a Connected World
Protecting the Internet of Tiny Things
Protecting the Internet of Tiny Things: Security for Resource Constrained Devices
Alan Grau, David West, Icon Labs
Devices such as sensing and control units in industrial environments, utility meters, lighting control systems and smart home devices make up a large portion of the Internet of Things that we refer to as “The Internet of Tiny Things”. The smallest of these devices are cost sensitive and are built with the lowest cost CPU and minimum memory required to support their function.
While these devices are characterized by minimal processing resources, they include TCP/IP or other communication interface and utilize the Internet for reporting, configuration and control functions. As their numbers skyrocket, so has the number of cyber-attacks targeting these devices. Despite the growing threat from hackers, few devices include robust, multi-layered security to protect against attacks. This is particularly true in the most resource constrained devices.
The BOM cost requirements result in devices that are resource constrained, and engineers have often forgone security capabilities in these cost-sensitive designs. As a result, many of these devices do not support any security beyond password authentication. While password authentication is easy to implement, it does not provide an adequate defense against attacks.
The embedded marketplace needs a resource-friendly security solution designed to provide protect against Internet-based attacks. Embedded firewalls provide an ideal solution. The firewall is integrated directly into the communication stack at the link layer of the supported protocol and configured with a set of rules specifying what communication is allowed. For TCP/IP, those rules block packets by IP address, port, protocol, and other criteria. The integrated firewall (“embedded firewall”) provides a basic, but critical level of security by controlling what packets or messages are processed. Because each packet or message is filtered before passing from the protocol stack to the application, many attacks are blocked before a connection is even established. The result is an effective layer of protection with minimal impact on system resources.
How a firewall protects against attacks
An embedded firewall enforces a set of rules or policies that govern who the device can talk to, what protocols and ports can be used, and who can initiate communication with the device. Embedded devices typically have very well defined communication requirements, only supporting a small number of protocols and ports and in many cases only communicating with a limited number of devices/IP addresses. Some embedded devices need the ability to communicate with any IP address, but even then communication is usually limited to a few protocols and ports that are open to the world.
These well-defined communication requirements allow the creation of restrictive firewall policies. The firewall enforces policies by filtering packets as they are received, comparing each packet to the policies, and blocking anything not matching the communication policies.
By only allowing packets meeting communication policies, most cyber-attacks are blocked. A hacker attempting to login to the device is blocked because their IP address is unauthorized. DoS attacks and many other cyber-attacks will also be blocked because they use ports or protocols blocked by the firewall, or because they originate from an IP address not allowed by the policies. When combined with password authentication, this creates an effective, resource-friendly defense against cyber-attacks.
Embedded Intrusion Detection
Devices without a firewall or other security capability provide an easy target for hackers. A hacker can probe these devices for weakness, or run dictionary attacks against these devices with no risk of detection. A hacker can run a brute-force dictionary attack against an embedded device for weeks on end, attempting thousands and thousands of login attempts and no one would ever know. With an embedded firewall, the device can report failed authentication attempts, firewall policy violations and device specific events to a management system. This information allows detection and mitigation of attacks, providing a critical and missing line of defense for these tiny devices.
The firewall filters packets as they are received, blocking unwanted packets, unfriendly login attempts, and DoS attacks before authentication is allowed to begin. One or more methods are implemented by the filtering engine to enforce firewall policies and block Internet-based attacks. Common filtering methods are:
- Static filtering – the static filtering engine compares each packet to a set of static rules determining if the packet is blocked or allowed. All decisions are made based on the information in the packet. Rules-based filtering enforces policies by blocking unused protocols, closing unused ports, and enforcing IP address whitelists and blacklists.
- Dynamic Filtering – the dynamic filtering engine performs Stateful Packet Inspection (SPI) by maintaining information regarding the state of each connection and using that information when making filtering decisions. SPI provides protection against packets received with invalid TCP state information, a common web-based attack.
- Threshold-based filtering – the threshold filtering engine maintains statistics on received packets and monitors threshold crossings to detect packet flood DoS attacks. Threshold-based filtering is complex and may require more system processing time and memory than some systems can handle, but provides a powerful tool for detecting packet flood DoS attacks.
The firewall depends on properly defined policies allowing required communication and blocking all other communication. Defining the embedded device’s communication requirements is the first step.
- With what other systems will the device communicate?
- What communication services are provided for these systems?
- Can the other devices be grouped into sets of users that require the same services?
Once the communication requirements are specified, they are coded as a set of rules. The rules specify the IP addresses, ports, and protocols used by the device to communicate with other network nodes.
For some devices the communication requirements are very well defined and restricted. Other devices require broader communication capabilities, resulting in a broader, but not necessarily less secure, firewall rules.
All packets received by the device are passed to the firewall for filtering and compared to the firewall rules. Packets not matching the firewall rules are dropped. As a result, attempts to hack into the device are blocked before a connection is even established.
Icon Labs provides a solution to the problems and constraints of implementing security for resource constrained devices. Icon Labs’ Floodgate firewall is a portable, source code product that can be integrated with an embedded OS or RTOS. Floodgate is designed specifically for use on small footprint devices, from embedded Linux systems to 8-bit MCUs. The firewall controls the packets the embedded system processes and blocks invalid login attempts, denial of service attacks, packet floods, port scans, and other common Internet-based threats. Floodgate also provides event reporting and intrusion detection capability, enabling detection and mitigation of threats for all even the smallest of devices.