UC1: Device Multi-Factor Authentication

Figure: UC1 Device MFA High-level View

The Internet of Things (IoT) has revolutionized the way we live and work by connecting devices and allowing them to communicate with each other. However, this increased connectivity also introduces new challenges in terms of security. One of the main challenges is ensuring that only authorized devices can access the network, or other specific resources.

In recent years, Physically Unclonable Functions (PUFs) have been proposed as a solution for device authentication in constrained devices. This is because some constrained devices, such as IoT devices, have limited computational resources and cannot afford regular cryptographic operations. PUF-based authentication is therefore seen as a lightweight solution in such cases.

However, PUF-based authentication has proven difficult to implement in practice and is vulnerable to a variety of attacks. By combining multiple factors, we aim to overcome the limitations of existing PUF-based solutions and provide a more robust defense against Man-in-the-Middle (MITM) attacks.
As the final goal of this use case, we aim to propose a multi-factor authentication (MFA) solution for IoT devices that improves their security, as shown in Figure 1. While the initial idea emerged from devices that leverage PUFs and other device-specific factors, we may extend it further to provide a general-purpose MFA solution. In this initial version of the use case description, we have not yet decided on the specific second factors.

UC2: Firmware Updates of IoT Devices

Figure: UC2 Firmware Updates of IoT Devices High-level View

Firmware update is a critical process for IoT device security. Not being able to update IoT device firmware is one of the most common sources of vulnerability during the device lifecycle. Furthermore, an insecure update process is also a major issue, as it allows an attacker to upload malicious logic onto the device.

Typically, firmware updates are installed Over-The-Air (OTA). Updates and security patches can be digitally signed so that their integrity and authenticity can be verified. However, despite digital signatures, the problem of secure updates persists, since: i) updates often come as a bundle of libraries developed by different parties, ii) the signatures are not always issued by a mutually trusted certification authority, and iii) digital signatures give no guarantee about the logic of the update. This use case considers two types of updates:

  • Full update: the package contains a full replacement image that is installed regardless of which firmware was previously installed.
  • Partial update: the package contains only the binary difference (diff) between the new and the old firmware version. In this case, the device has to reassemble the new firmware package from the diff and the old package.

As described in recent studies such as [8] and [9], it is very common to find IoT devices in the field without a secure firmware update system. Even devices that do have firmware update mechanisms are in many cases not updated. The main reason is that current solutions cannot provide enough trust to device operators, because they cannot handle challenges such as poor network connectivity, management of device resources to ensure minimal downtime, or a heterogeneous footprint of different hardware and software stacks within the same deployment. In [10] the authors present an analysis of a total of 1,061,284 devices in the field and show that the average age of the installed firmware is 19.2 months, meaning device firmware is not even updated once a year, leaving devices exposed to vulnerabilities for long periods of time.
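As an added illustration, not part of the CROSSCON use-case description, the following Python sketch shows how a device can verify both update types described above: the signed manifest pins the hash of the final image and, for a partial update, also the hash of the base image, so the integrity check runs on the reassembled firmware rather than on the diff alone. HMAC-SHA256 with a constructed key stands in for the vendor's digital signature, and the manifest and delta formats are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed sample key: HMAC-SHA256 stands in for the vendor's real signature scheme.
VENDOR_KEY = b"constructed-vendor-key"
# Constructed sample images (boot header, padding, app section, trailer) and the delta turning OLD into NEW.
OLD_IMAGE = b"BOOT" + b"\x01" * 8 + b"APP-v1" + b"\xff" * 4
NEW_IMAGE = b"BOOT" + b"\x01" * 8 + b"APP-v2" + b"\xff" * 4
NEW_DELTA = [("copy", 0, 12), ("insert", b"APP-v2"), ("copy", 18, 22)]  # keep header, swap app, keep trailer

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_manifest(manifest: dict) -> bytes:
    # Canonical JSON so signer and verifier authenticate identical bytes.
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()

def build_manifest(kind: str, new_image: bytes, old_image: bytes = b"") -> dict:
    # The manifest pins the hash of the final image; a partial update also pins its base image.
    manifest = {"kind": kind, "new_sha256": sha256(new_image)}
    if kind == "partial":
        manifest["base_sha256"] = sha256(old_image)
    return manifest

def apply_delta(old: bytes, delta: list) -> bytes:
    # Reassemble the new image from ("copy", start, end) and ("insert", data) operations.
    out = bytearray()
    for op in delta:
        out += old[op[1]:op[2]] if op[0] == "copy" else op[1]
    return bytes(out)

def verify_update(installed: bytes, manifest: dict, signature: bytes, payload) -> bytes:
    # Return the image to flash, or raise. The hash check runs on the reassembled image,
    # so a tampered diff or a diff applied against the wrong base version is rejected.
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        raise ValueError("manifest signature invalid")
    if manifest["kind"] == "full":
        candidate = payload
    elif manifest["kind"] == "partial":
        if sha256(installed) != manifest["base_sha256"]:
            raise ValueError("installed firmware is not the expected base version")
        candidate = apply_delta(installed, payload)
    else:
        raise ValueError("unknown update kind")
    if sha256(candidate) != manifest["new_sha256"]:
        raise ValueError("reassembled image does not match the signed hash")
    return candidate
```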

UC3: Commissioning and Decommissioning of IoT devices

Figure: UC3 IoT Device Lifecycle Commissioning and Decommissioning Processes

IoT Device Commissioning is the process by which connected devices acquire the necessary information and configuration parameters for their intended use or application: this can include security certificates, credentials, application configuration such as URLs, and others.

Commissioning is a critical step in the IoT device lifecycle, and it needs to happen before the device starts its regular operation.
Conversely, IoT Device Decommissioning is the process by which the commissioned information is removed from the device. This returns the device to its original state when it will no longer be used, or when it will be used for a different purpose or customer. This is important especially for industrial devices, which may contain sensitive information.

The figure above shows a typical state diagram of an IoT device lifecycle around the commissioning and decommissioning processes in a multi-stakeholder setting, marking in red the processes that are part of the use case addressed by CROSSCON in this project.

In addition to the 3 use cases defined in the project description, the partners are considering 2 additional use cases that will be described later.