The Convergence of Technologies to Provide Security on IoT Edge Devices
Security emerged as one of the most critical concerns for the broad IoT adoption . Millions of potentially vulnerable edge devices now flood the Internet with significant processing power. Such devices bring vulnerabilities to private networks, turning the Internet into a fertile environment for hackers willing to steal sensitive information or perform denial-of-service and denial-of-sleep attacks. Therefore, improvements in the security of devices connected to the Internet are a vital concern for the future of the IoT .
In the run for safer devices, a realm of technologies can be applied. This article discusses fundamental security trends and how they may converge to compound future IoT edge security foundations.
Figure 1: Establishing a CoT from hardware to higher software layers.
Trusted Execution Environment and Security by Separation
The root of security is to guarantee that the IoT device’s firmware cannot be changed maliciously. A Trusted Execution Environment (TEE) allows for the detection of unintentional software substitution, consisting of a protected machine’s memory area. There are two elements to build a TEE: the Root of Trust (RoT) and the secure-boot process. Both parts result in the so-called Chain of Trust (CoT), which can secure a system to the user application software from the hardware level.
Once the device is securely booted, there must be a mechanism to guarantee its execution integrity. Some edge devices require significant processing power to handle sensor data, decision making, and communication over the Fog layer. As the software complexity increases, an opportunity is created to explore architectures supporting multiple separated execution flows. Such an environment improves the usage of hardware resources, although protection and isolation are necessary. Enforcing isolation between the flows in a lightweight way while still maintaining the TEE can be challenging.
Virtualization can be used to provide separation. Nevertheless, the requirements for embedded systems virtualization differs from enterprise systems, as restrictions about response time, processing power, memory size, and battery life are the primary concerns. This motivated the appearance of hypervisors specially designed for embedded virtualization, as seen in Tiburski et al. . Among the goals for developing embedded hypervisors, two of them are frequently addressed: to keep low memory requirements and some level of support for real-time applications. Furthermore, if carefully designed, virtualization can provide security by separating devices even smaller than that reached by containerization.
Federated Learning for IoT Security
IoT systems as a distributed system inherit all problems related to guarantee confidentiality, authenticity, integrity, and availability. Traditional strategies to deal with these issues involve intrusion detection, usually implemented in a centralized way, which is not scalable for IoT with an increasing number of components. It also implies an unacceptable single-point-of-failure.
Federated Learning (FL) , a general approach to handling these problems, is a machine learning technique where a group of devices performs model training locally, using private datasets. A server generates a global model based only on received updates from local models. This global model is shared back to the devices. FL can also be implemented in a decentralized way. Devices start training rounds to generate a global model from the aggregation of the local models in their neighborhood.
Considering data privacy-preserving aspects, FL offers advantages: model training is not dependent on access to the device data . Since local dataset information is not transmitted through the network, security risks are minimized. However, since an initial global model is shared with client devices and further model updates are sent to the server, malicious devices may capture network traffic and even change the models. Differential privacy  is one of the techniques to cope with these threats by adding noise to the data, thereby making it impossible to be restored. Byzantine consensus is also applied to mitigate attacks in FL. Still, this consensus depends on assumptions that are not valid in most IoT systems , which assume that samples are independent and identically distributed across local clients.
FL must also consider the peculiarities of resource-constrained devices (low computational power, small memory capacity, limited available energy) . Some strategies to select devices for each model training round and appropriate task scheduling are critical issues to consider.
Quantum mechanics properties as entanglement, superposition, and teleportation allow quantum computers to perform more sophisticated calculations than classical computers. Hence, QC is capable of performing cyber-attacks that threaten current cryptography algorithms and protecting information systems . The potential of QC announces opportunities and challenges to cyber security. Classical cryptography used in IoT devices relies on mathematics and algorithms that ensure information integrability . One example is the public-key algorithm RSA that depends on the integer factorization problem. The consolidated RSA cryptography can be solved with Shor’s algorithm in a quantum computer. Besides that, Grover´s algorithm is capable of improving brute force attacks . Although quantum computers need to have good qubits to perform such calculations, the threat to existing IoT security protocols is imminent .
Post-quantum cryptography (PQC) uses mathematical resources to prevent public-key cryptographic algorithms from quantum computers attacks . It is essentially the adaptation of existing cryptographic algorithms and preparation in classical computers to future attacks from quantum computers.
Quantum cryptography adopts quantum mechanics to enhance security and detect third-party eavesdropping in communications . The most common methodology is Quantum Key Distribution (QKD), based on the Heisenberg uncertainty principle, meaning that anything constantly observed changes. Therefore, it makes information interception impossible .
The security issue that IoT and other devices face soon with quantum computer attacks is forthcoming. To protect devices against quantum attacks, no other solution can be compared to QC . Reinforcing current cryptography algorithms to make them quantum-resistant with PQC or generating keys with quantum computers that restrain outsider observers with QKD are the main initiatives paving the path for a post-quantum world. The significant relevance of IoT in society states that protect the communicated information and transition from pre-quantum security to post-quantum is an urgent necessity.
The combination of TEE and virtualization can be used to provide integrity checks over multiple domains. The hypervisor guarantees that, once an area is compromised, the attack will not spread over other domains, hence, allowing the coexistence of trusted and non-trusted environments. Additionally, different vendors can deliver their own with custom application-defined signatures.
Decentralized resource-constrained FL provides an additional security layer for IoT systems, enabling the implementation of fault-tolerant intrusion detection and prevention mechanisms tailored to the system’s available resources.
There is a long road ahead for QC to grow. Nevertheless, it is a robust technology that has the potential to influence diverse knowledge areas. Furthermore, due to the enormous QC growth, it is fundamental to understand what these advances will impact security topics.
Many more technologies are available to provide appropriate security in IoT edge devices. The advances in existing security techniques as TEE, the combination of different concepts as FL, and even the emergence of new ones as QC demonstrate the topic’s demand and relevance.
- M. Chiang and T. Zhang. Fog and IoT: An Overview of Research Opportunities. IEEE Internet of Things Journal, 3(6):854–864, Dec 2016.
- PeiYun Zhang, Mengchu Zhou, and Giancarlo Fortino. Security and trust issues in Fog computing: A survey. Future Generation Computer Systems, 88, 05 2018.
- R. T. Tiburski, C. R. Moratelli, S. F. Johann, M. V. Neves, E. d. Matos, L. A. Amaral, and F. Hessel. Lightweight security architecture based on embedded virtualization and trust mechanisms for IoT edge devices. IEEE Communications Magazine, 57(2):67–73, February 2019.
- H Brendan McMahan et al. Communication-Efficient Learning of Deep Networks from Decentralized Data. ArXiv, 2016.
- Sin Kit Lo et al. A Systematic Literature Review on Federated Machine Learning: From a Software Engineering Perspective. ACM Computing Surveys, 54(5):1–39, 2021.
- Edgar Weippl et al. Deep Learning with Differential Privacy. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 308–318, 2016.
- Ahmed Imteaj et al. A Survey on Federated Learning for Resource-Constrained IoT Devices. IEEE Internet of Things Journal, PP(99):1–1, 2021.
- Tiago M Fernández-Caramés. From pre-quantum to post-quantum IoT security: A survey on quantum-resistant cryptosystems for the Internet of things. IEEE Internet of Things Journal, 7(7):6457–6480, 2019.
- G. Arun and Vivekanand Mishra. A review on quantum computing and communication. In 2014 2nd International Conference on Emerging Technology Trends in Electronics, Communication and Networking, pages 1–5. IEEE, 2014.
- Jasmeet Singh and Mohit Singh. Evolution in quantum computing. In 2016 International Conference System Modeling & Advancement in Research Trends (SMART), pages 267–270. IEEE, 2016.
- Sudhir K Routray, Mahesh K Jha, Laxmi Sharma, Rahul Nyamangoudar, Abhishek Javali, and Sutapa Sarkar. Quantum cryptography for IoT: A perspective. In 2017 International Conference on IoT and Application (ICIOT), pages 1–4. IEEE, 2017.
Carlos Roberto Moratelli received his Ph.D. in computer science from PUCRS. He is an adjunct professor at UFSC. He worked for ten years in the telecommunication industry, acting on software engineering related to embedded systems. His research interests are embedded real-time systems, Linux Embedded, and virtualization for embedded systems.
Sérgio F. Johann received his Ph.D. degree in computer science from PUCRS. He is an adjunct professor at PUCRS, Brazil. He has experience in computer architecture design and organization, operating systems, embedded systems (design and integration), embedded software support, real-time systems, and control systems.
Everton de Matos received his M.S. degree in computer science from PUCRS. He is an adjunct professor at Meridional Faculty (IMED). In addition, he is a Ph.D. student of computer science at PUCRS. His research interests are IoT, middleware, fog and edge computing, context-awareness, and context sharing.
Francisco Assis M. Nascimento received his M.S. degree in computer science from UFRGS. He is a Ph.D. student of computer science at PUCRS and an adjunct professor at Faculdades Integradas de Taquara (FACCAT). His research interests are IoT and related security issues, Artificial Intelligence applied to embedded systems design and distributed systems.
Gabriel Rossi Figlarz received his M.S. degree in computer science from PUCRS. He is a Ph.D. student of computer science at PUCRS. His research interests are Quantum Computing, Quantum Cryptography, and Quantum Communication.
Fabiano Hessel is a Full Professor of Computer Science at PUCRS. He received his Ph.D. in computer science from UJF, France (2000). He has experience as General and Program Chair in several committees of prestigious conferences and journals. His research interests are embedded real-time systems, RTOS and MPSoC systems applied to IoT/SmartCities.
Sign Up for IoT Technical Community Updates
Calendar of Events
2021 IEEE Conference on Internet of Things and Intelligence Systems
23-24 November 2021
Call for Papers
Special issue on Empowering the Future Generation Systems: Opportunities by the Convergence of Cloud, Edge, AI, and IoT
Submission Deadline: 15 October 2021
Special issue on Knowledge and Service Oriented Industrial Internet of Things: Architectures, Challenges and Methodologies
Submission Deadline: 1 October 2021