DOI: 10.1145/3690134.3694820
research-article
Open access

RTFM: How Hard are IoT Platform Providers Making it for their Developers?

Published: 22 November 2024

Abstract

IoT devices routinely have security issues, but are the platform designers providing enough support to IoT developers for them to easily implement security features for their platforms? We surveyed the documentation, code and guidance from nine IoT manufacturers to look at what guidance they provided for implementing three security features required by several security standards (secure boot, device identity keys and unique per-device passwords). We find that more needs to be done to support developers if we want them to adopt security features, especially in the face of incoming legislation that will require developers to implement them.

Published In

CPSIoTSec'24: Proceedings of the Sixth Workshop on CPS&IoT Security and Privacy
November 2024
149 pages
ISBN:9798400712449
DOI:10.1145/3690134
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. developer centered security
  2. internet of things
  3. iot
  4. usable security

Qualifiers

  • Research-article

Conference

CCS '24