The security of IT devices is one of the most important aspects to consider throughout the life cycle of a system, beginning from the design phase to the final deployment.
Since IoT devices have few hardware resources, they cannot depend on all the protection mechanisms that are implemented on normal systems. IoT systems are extremely vulnerable because of their exposure.
What could happen if the security of an IoT system fails or is hacked by external attacks? Certainly, some of the most serious consequences concern:
- Lack of confidentiality of the transmitted data.
- Possibility of modification or destruction of data with catastrophic consequences for public safety, such as databases containing sensitive private information.
- Possibility of attacks on the system, such as vandalism or fraudulent control of devices.
- Industrial espionage and information theft
Here we will try to illustrate some of the primary solutions that Zerynth has adopted to ensure the security and integrity of an IoT system.
IoT devices are composed of two parts: a physical device that lives in the field, and its abstract digital twin which lives in the cloud.
The two entities must always be securely connected.
Vulnerable surfaces in an IoT system:
- Network communications
- Security updates
- Onboard services
Zerynth has adopted strategies to address these security threats, starting with the device built in the factory using only secure communication protocols, and securely storing data in the cloud.
Here are the solutions for the vulnerabilities listed above.
All Zerynth physical devices are based on the ZM1 module, which incorporates a crypto element to store credentials and encryption keys required to communicate with the digital twin securely.
The cryptographic element is a hardware integrated circuit that implements the higher security features available on the market.
zOS implements TLS v1.2 and v1.3 standard protocols. Such standards are based on a couple of encryption keys: a private one and a public one. The private key is kept secret on the physical device. These keys are stored inside the cryptographic elements at the factory when they are built, and this ensures the private key is not physically accessible by an attacker wanting to eavesdrop. This is a key point for the whole security. The hardened TLS protocol permits the physical and digital twin devices to communicate privately, thus, simultaneously protecting the data integrity.
Figure 1. How a cryptographic element works
The Zerynth devices can be updated using FOTA (Firmware Over The Air) procedures, which permit updating the firmware of physical devices in a robust and reliable way.
Zerynth also keeps zOS updated with its latest security upgrades and releases a new Zerynth SDK version to the public when necessary. This permits the deployed IoT devices to be updated and secured.
On the cloud, the services are updated with the latest releases to close security vulnerabilities as soon as the industry identifies them.
Also, the servers are protected by firewalls that implement higher security standards and strategies to block or mitigate any security attacks.
The zOS does not open any listening service on the physical devices. The security threats which attack the running services, either to trigger exploitation or perform Denial of Service, do not apply. Network connections always start from the physical device directed toward the cloud. This gambit prevents port scanning and related DoS (Denial of Service) attacks.
Easy to use for the end-user
The user does not need to bother with any of the security details or complexity since the Zerynth SDK provides easy and ready-to-use Python libraries.
The user can connect the physical device to the cloud securely by only writing a few lines of code.
This is an example of how to configure and connect a Zerynth IoT device securely to zCloud by leveraging the embedded crypto element.
The two lines of code at the core of secure connection handling are lines 15 and 16.
Figure 2. How to configure and connect a Zerynth IoT device securely to zCloud
The first three lines describe modules needed for running the program:
- Line 1:Import the board module from the bsp (board support package) the project can be run on different Zerynth devices without changing a line of code.
- Line 2: The Zerynth Device Manager is the entry point to the zCloud where the device’s digital twin lives.
- Line 3: Import the wifi module from its networking package. So, we can now configure the Wi-Fi interface and establish a network connection (lines 5-13)
In the end, lines 15 and 16, which are the most important for this demonstration, define the ZDM object and start the connection between the physical device and the digital twin on the zCloud. All of the security aspects are handled by the zOS using the crypto element under the wood.
The code loop ends between lines 18 and 23, where data is sent from the physical device to the Zerynth Cloud and this concludes the process to make the device more secure.
If you want to learn more about data security code, read our white paper The Veil of IoT Security.