December 11, 2017
IoT security researchers at Microsoft Research are focused on the near future when microcontrollers, which are small, low-power computers on a single chip, gain connectivity. Microcontrollers are already installed in billions of gadgets, so their eventual connectivity will explode the number of Internet of Things devices, all of which will require greater security. Microsoft Research’s Project Sopris aims to provide cost-effective security for microcontrollers, which currently don’t have enough compute power to offer security.
Wired reports that a security crisis looms as thousands more such insecure IoT devices come online, since “an attacker who penetrates those IoT devices can potentially steal data, rope the unit into a botnet, or even use it as a jumping off point to infiltrate other parts of a network.”
Microsoft Research’s Project Sopris microcontroller prototype is based on what Microsoft dubs “Seven Properties of Highly Secure Devices.” In addition to “enabling regular software updates, and requiring devices to store cryptographic keys in a secure part of the hardware,” the prototype takes into account that, as future hackers “get more clever,” it must be able to be updated “without the consumer doing anything.”
To accommodate that, “the Sopris chip includes a secondary security processor that handles much of the cryptographic overhead … does periodic software audits to check for deviations or any misbehavior,” and “can reset individual processes — or the whole device — as needed.”
This takes into account that “many IoT devices … are essentially on all the time … so attackers can currently rely on compromises that are effective, but not persistent after a reboot, because they’re typically not in immediate danger of losing their foothold into the device.” The Sopris chip “also incorporates the concept of software compartmentalization” so that “a bug or glitch in one portion doesn’t need to taint the whole system, and can be corrected in isolation.”
So far, the new chip holds up; HackerOne organized a challenge during which 150 security researchers tried and “failed to crack Project Sopris.” The plan, say researchers, is to open-source full schematics for Sopris, but no timeline has been revealed. Doing so, notes Wired, “could truly make a radical impact in facilitating better IoT security for all products at low cost.”
In the meantime, producing the Sopris chip to be “nearly as cheap as a regular one … would be a critical step to widespread adoption.”