8 Views of Security from RSA: Internet of Things Lacks Root of Trust

Date Published: April, 01, 2015
SAN FRANCISCO — The Internet of Things, along with everything else, is insecure. The U.S. government wants to help with that and other security problems — if you still trust them.

Those were two of several messages from the annual RSA Conference here.

“We have a long way to go in IoT security just to bring designs up to the not-yet-adequate state of PC security,” Steve Hanna, co-chair of the IoT committee at the Trusted Computing Group (TCG), an industry alliance setting security standards for nearly a decade.

Hana was one of a handful of experts who gave a half-day seminar showing at RSA. They demoed ways cost-constrained embedded systems could adapt the group’s approach to providing a hardware-backed root of trust, something well established in x86-based PCs and servers.

“Without hardware security, IoT devices are as vulnerable as PCs were 15-20 years ago, perhaps more so because they only use software security and it’s rarely updated, so it’s pretty easy to attack and control a device,” said Stacy Cannady, the other IoT committee co-chair and a security expert at Cisco Systems.

Other experts such as Adi Shamir, the ‘A’ in the RSA algorithm, agreed. He noted the recent phenomenon of ransom-ware in which remote hackers lock up someone’s device and demand a ransom to fix it.

“Think about your smart TV being ‘ransomwared’ and you have to pay someone in Moldovia to get your service back,” Shamir said. “We failed in a particularly miserable way because there is no good security program to protect from ransomware…and it’s a very serious problem. Police in Maine had to pay $300 to get police computers released from scam artists,” he added.

Shamir’s lab at the Weizmann Institute of Science in Israel is conducting experiments to find security flaws in IoT devices. For example, it found a WiFi router gives a home LED lighting system its password in an unencrypted form. “Anyone who listened in gets the password,” said Shamir in the cryptographer’s panel, an annual highlight of the event.

What’s more Shamir’s group was able to write an app to break in and control the LED lighting system remotely. “It lets us rapidly change the amount of light even inside a secure perimeter, so we can leak information by flickering the lights and anyone sitting outside will get the information — I hope the NSA will not install these lights,” he joked, in a reference to the U.S. National Security Agency.

Another member of the cryptographer’s panel, Ed Giorgio spent 30 years working for the NSA helping it find ways to make and break codes. Some of his projects involved IoT-like designs.

“We tried to build constrained devices of about 100 flip-flops and 10 or so adders that ran cryptographic codes,” he said in a Q&A after the panel. “They found ways to break them, so we revised the designs until they got too big,” he recalled.

To help lock down commercial IoT devices, the TCG is writing profiles of its specs for specific classes of IoT devices. It already released a profile for car engine controllers. TCG’s embedded and mobile working groups are expected to publish profiles of their own later this year.

The group released at RSA a technical white paper on securing IoT devices. It is working on another paper aimed at managers, aimed at convincing them to spend the time and money (less than a dollar per node) to add a root of trust.

To read the full article, please click here.


Membership in the Trusted Computing Group is your key to participating with fellow industry stakeholders in the quest to develop and promote trusted computing technologies.

Join Now

Trusted Computing

Standards-based Trusted Computing technologies developed by TCG members now are deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices and can help secure cloud computing and virtualized systems.

Read more


Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.

Read More