Will a fingerprint for each device fix IoT security?
By STACEY HIGGINBOTHAM
After a California device security law went into effect at the start of this year, one of the open questions was whether each individual IoT product needed a unique hardware identifier. One of the people I spoke with from the chip world said that could be prohibitively expensive for companies, as it would require them to flash firmware onto a device individually as opposed to in batches.
But earlier this month, Silicon Labs introduced a new security feature that gives each chip a unique identifier and does so in a way that’s scalable, making a unique device ID possible. The security feature—one in a package of features that includes an automatic shutdown or notification if a device is tampered with—is part of Silicon Labs’ security vault that will be included in its Wireless Gecko Series 2 Platform modules.
Sharon Hagi, chief security officer at Silicon Labs, says this is the first wireless MCU with a dedicated secure element on the chip. The unique identifier also enables some really compelling use cases in the internet of things.
According to Hagi, devices with unique, hardware-level identity capabilities can identify one another across a cluster of devices and understand what rights each of these devices has.
For example, a company might use unique identifiers on each vehicle in a fleet of cars to determine which cars and trucks could have access to a campus. In a home, a unique identifier on a device might determine what the device can talk to on the wireless network.
Silicon Labs creates a unique ID for each device by labeling the slight differences in how each chip responds to electricity after manufacture, and then storing that pattern in the cloud. It’s similar to the method used by CryptoQuantique, another chip company trying to build unique silicon during the manufacturing process.
Does adding unique identifiers increase the cost and complexity for people trying to use these chips, as others had feared? Josh Datko, founder and chief engineer at embedded security firm Cryptotronix, acknowledges that it does add some engineering and development costs at the factory, but that they are not insurmountable. Most devices have a serial number or a unique device ID (the UDID on your phone, for example), and taking that to the chip itself is just an additional step. Silicon Labs didn’t provide pricing on its new secure vault chips, however, so we can’t use it for comparisons.
The challenges arise when you have devices with different chips all containing different types of unique IDs inside. Such IDs are managed using the public key infrastructure (PKI), which gathers parties together to agree to certify a device. With PKI, a device gets a certificate from one of the trusted players, which is stored in the cloud. Other devices then check the device and certificate before exchanging information.
As Mike Nelson, SVP of IoT at certificate-issuing company Digicert, explains, “Secure device authentication using PKI can be done in multiple OEM environments, but it requires forethought and industry collaboration.” He adds that having the unique identifier in hardware, as Silicon Labs is doing, is more secure than software-based keys.
Broadly speaking, having better security at the device level might be worth the added engineering time and costs during manufacturing. But it does sound like we need to get industry groups on board to create something that is truly interoperable and easy to use.