The IoT Chain of Trust: The Boot Process

December 15, 2020

From the moment a user activates an IoT device, how do they trust the device is secure? How do they know their data remains confidential? How do IoT devices establish trust in their security? Enter the IoT Chain of Trust.

Establishing a Chain of Trust: The Verified or Trusted Boot

The boot process occurs when the CPU of an IoT device first starts and runs a piece of firmware. As firmware runs before a computer’s operating system, hackers like to install malware into the firmware to infiltrate devices before main security systems can combat it.

To establish trust in the boot system, every code executed by the firmware must be signed using “keys” from trusted parties, ensuring it is valid. A certificate authority organization manages keys by awarding certificates that serve as a record of a key’s publisher, signature algorithm and date of validation and proves a key’s authenticity.

Certificate authorities establish the root of trust. Trust in the authority establishes trust in the certificates assigned. Certificates validate keys, and keys validate codes in the firmware so the CPU knows to trust firmware updates and boot processes. Each stage of validation makes up the chain of trust and keeps devices free from malware. This process is known as the Verified or Trusted Boot.

Falling Back on the Chain: The Measured and Secure Boot

Tampering doesn’t just occur in the boot process of IoT devices. Attacks can occur throughout the use of the device – during normal operation, while in connection to the IoT network, receiving updates or messages and even while being powered off.

A measured boot works as a failsafe when a device is eventually compromised. A measured boot evaluates every step of the boot process for malware, storing each step that is deemed safe. If a measured boot encounters something suspicious, it falls back on the previously cataloged step until it finds a safe method of moving forward, circumventing malware. In some cases, if a device is severely tampered, a measured boot will become stuck, continuously cycling through the same steps and unable to move forward. This ensures the detected malware is never implemented and the device’s data remains secure.

Another potential failsafe is the Secure Boot. During device manufacturing, a digital signature of the boot process with the manufacturer’s key is stored within tamper-resistant, non-writable device memory. This protected code, which only contains data the manufacturer has verified, establishes the root of trust in place of a certificate authority. With a secure boot, a CPU loads firmware solely from this protected memory, ensuring no malware is installed and keeping device data safe.

One Long Chain of Trust

The chain of trust doesn’t just exist in boot processes. For truly secure IoT, trust must be established in every stage of the IoT system, from device design to the supply chain to manufacturing and eventually operation within the IoT network.