In recent years, with the vigorous development of the internet of things, IoT-related issues have sprung up. Issues related to information security are among the most widely discussed concerns. Although IoT security looks like a very large and complex topic, some practices and regulations can draw on existing internet experience and build a management mechanism on it. The author believes that achieving complete IoT security requires considering the end-to-end, overall system problem.
This article refers to a professional report from the Royal Swedish Institute of Technology.
The study, “Potential security risks in Google Nest Indoor Camera,” provides an example to illustrate how to implement IoT security functions by using a design’s main microcontrollers to realize application security, thus helping connected devices avoid most of the identified IoT security vulnerabilities.
The open web application security project
The Swedish Institute’s report refers to some of the security-threat projects focused on network-connected applications that have been defined by the Open Web Application Security Project (OWASP).
The open-source community has accumulated these projects over a long period and has compiled them into a classification. The report discusses the OWASP Top 10 2017 [2] (the 2017 version of the project is slightly different from the one for 2021; this article uses the 2021 version of the terms) and mentions some of the industry's existing analyses of the security of internet-connected devices. It covers the threat and assessment methods used, such as Weave [3], a communication protocol that supports low power consumption, enables flexible approaches, and provides network security solutions; STRIDE [4], a project proposed by Microsoft engineers that centers on the information-security threats that communication products may encounter; and DREAD [5], a risk-level classification method that, once the system's information-security vulnerabilities have been analyzed, grades by degree the damage that deliberate use of those vulnerabilities may cause.
If we take the connected device as the center, such as the Google Nest Indoor Camera mentioned in the Royal Institute of Technology report, we see that several items are related: cryptographic failures, injection, and identification and authentication failures. This article provides a detailed comparison based on the attack methods listed in the report and the aforementioned information-security evaluation methods. It can be used as a reference approach for evaluating information-security assurance during the product design phase of a network-connected device.
I must expressly state here that this article does not comment on the test results described in the second half of the report, because the same test was not carried out according to the report. Nonetheless, the information-security assessment method it proposes is suitable for analyzing the chip selection of a microcontroller (MCU) or a microprocessor (MPU), regardless of the security functions that need to be provided in the developed network-connected devices. It could be used as a pre-system security-risk assessment tool in the design and planning stage of the networked product, as detailed in Table 1.
Establish an analysis model for potential security threats of IoT products.
The Table 1 description seems to contain a lot of items, but we can further explain the analysis approach we want to illustrate by presenting it graphically, as shown in Figure 1.
According to the results of threat analysis or after listing possible attacks faced, select the MCU/MPU.
When analyzing a product in development or an existing product according to the information-security threat-analysis model shown in Figure 1, we can know in advance the information-security issues that must be prevented in the network-connected product we want to design and produce, or we can refer to the penetration test analysis after the device prototype design is completed. In this process, the main control chip of the product, whether an MCU or an MPU, is undoubtedly the core consideration of the electronic-technology part.
The method proposed in this article offers readers a simple way to analyze potential information-security threats for an IoT product. Unless the product itself must be submitted to a certification laboratory to obtain a particular certification, this method can be regarded as a “lite” reference method for information-security threat assessment.
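The selection step described above, as an added example that is not part of the original article or the report: a small threat register tagged with STRIDE and OWASP Top 10 2021 categories and scored with DREAD, whose high-scoring entries determine which capabilities a candidate MCU must offer. The threats, ratings, the 0-10 scale with a 5.0 cut-off, the capability names, and the parts MCU-A and MCU-B are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    stride: str       # STRIDE category
    owasp: str        # OWASP Top 10 2021 category
    dread: tuple      # Damage, Reproducibility, Exploitability, Affected users, Discoverability (0-10 each)
    needs: frozenset  # assumed chip capabilities that mitigate the threat

    def score(self) -> float:
        if len(self.dread) != 5 or not all(0 <= v <= 10 for v in self.dread):
            raise ValueError(f"invalid DREAD ratings for {self.name!r}")
        return sum(self.dread) / 5

# Constructed register for a hypothetical connected camera; ratings are illustrative.
REGISTER = [
    Threat("Device key read out of flash", "Information disclosure",
           "Cryptographic Failures", (8, 5, 4, 8, 5), frozenset({"key_storage", "debug_lock"})),
    Threat("Unchecked input on local configuration interface", "Tampering",
           "Injection", (7, 7, 6, 6, 6), frozenset({"memory_isolation"})),
    Threat("Cloned device impersonates a genuine unit", "Spoofing",
           "Identification and Authentication Failures", (9, 8, 6, 9, 8),
           frozenset({"key_storage", "secure_boot"})),
    Threat("Predictable session nonce", "Spoofing",
           "Cryptographic Failures", (4, 3, 2, 4, 2), frozenset({"trng"})),
]

# Hypothetical candidate parts and the capabilities each one offers.
CANDIDATES = {
    "MCU-A": {"secure_boot", "key_storage", "debug_lock", "memory_isolation", "trng"},
    "MCU-B": {"secure_boot", "trng"},
}

def ranked(register):
    """Threats as (name, DREAD score), highest risk first."""
    return sorted(((t.name, t.score()) for t in register), key=lambda p: -p[1])

def required_capabilities(register, threshold=5.0):
    """Union of capabilities needed by every threat scoring at or above the threshold."""
    return set().union(*(t.needs for t in register if t.score() >= threshold))

def shortlist(candidates, required):
    """Map each candidate to the required capabilities it lacks (empty list = suitable)."""
    return {name: sorted(required - caps) for name, caps in candidates.items()}

if __name__ == "__main__":
    for name, score in ranked(REGISTER):
        print(f"{score:4.1f}  {name}")
    print(shortlist(CANDIDATES, required_capabilities(REGISTER)))
```

Threats below the cut-off stay in the register; they simply do not drive the chip requirement, so lowering the threshold is how a stricter product profile would be expressed.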
The M2354 Series IoT security microcontrollers with chip-level physical security and ultra-low power consumption won the first EE Awards Asia — Asian Golden Selection Award, earning the Promising Product of the Year honor.
Products with IoT security features based on the NuMicro® M2351 and M2354 Series from Nuvoton have passed the Arm PSA certification supported by Arm and mainstream industrial ecosystem companies.
During the product design stage, device-making customers can evaluate the application scenarios for the product in terms of potential information-security issues requiring mitigation. The hardware-security functions of NuMicro IoT Security MCUs, coupled with related, supporting software services, can significantly reduce the burden on product developers in dealing with information-security issues.
AspenCore’s EE Times and EDN are professional technical media with a long history and high reputation globally and in the Asia-Pacific region. Their EE Awards Asia — Asian Golden Selection Award, bestowed for the first time in 2021, recognizes outstanding products, companies, and people throughout Asia. Nuvoton is honored to have received the award for its M2354 Series, and it is also gratified that the majority of market customers recognize that Nuvoton’s IoT Security MCU products provide considerable value for IoT developers.
As a leading supplier of IoT Security MCU/MPU technology, Nuvoton is confident that it can assist customers in building and expanding IoT application products while still meeting the security and low-power–consumption requirements of IoT node devices that are small in size and rich in energy-saving features, thereby realizing a novel and unique IoT application.