Microsoft’s Project Sopris aims to secure low-cost IoT devices

Low-cost IoT devices are notoriously prone to security weaknesses, but tech giant Microsoft has announced a new initiative to tackle the problem.

Project Sopris aims to explore ways that low-cost connected devices can be secured. In particular, it’s targeting microcontrollers – tiny, self-contained systems incorporating peripherals, memory and a processor in a single integrated circuit – which are commonly used in IoT sensors and devices. These are, according to Microsoft, “a class of device particularly ill-prepared for the security challenges of internet connectivity.”

Weak security

Over the last decade, internet-connected technologies have evolved hugely, but tens of billions of these devices are vulnerable to security compromises. The worry is that, as the cost of connectivity drops, more manufacturers will rush out affordable connected devices, without focusing sufficiently on the security aspects.

As part of this Microsoft research project, the Sopris team has taken a number of different approaches to test device security, from silicon to software. The researchers have also come up with the hypothesis that “device security must be rooted in hardware but kept up-to-date through evolving software”.

Notable researchers working on this project include senior architect George Latey, partner research manager Galen Hunt, and principal researcher Ed Nightingale.

They’ve already come up with a list of desirable qualities for secure devices, outlined in a newly released report, The Seven Properties of Highly Secure Devices, as well as microcontroller prototypes that display these.

The team created one prototype in partnership with semiconductor company MediaTek. Its WiFi-enabled MT7687 chipset was tweaked to match the seven principles.

Although this is an internal project, Microsoft is inviting external security experts to take part in a challenge to test the Sopris security closes.

Applications for the Project Sopris Challenge are open till 14 April 2017, and the tech giant is offering security professionals the opportunity to win bounties from $2,500 to $15,000.

Where the problem starts

“Our group has begun a research agenda to bring high-value security to low-cost devices. We are especially concerned with the tens of billions of devices powered by microcontrollers,” the team writes in its report.

“Insufficient investments in the security needs of these and other price-sensitive devices have left consumers and society critically exposed to device security and privacy failures.”

“Our experimental results suggest that in the near future, even the most price-sensitive devices should be redesigned to achieve the high levels of device security critical to society’s safety.

“While our first experimental results are promising, more ongoing research remains and we seek to enlist the broader security community in a dialog on device security.”

Security epidemic

Cesare Garlati, chief security strategist of non-profit security organisation Prpl Foundation, said that the IoT industry is experiencing a security epidemic and that companies need to come together to address this.

“The security of IoT devices as we know it today is broken. Until the industry comes together to agree on basic security principles and stops relying on the outdated principle of security by obscurity, then the security problems aren’t going to go away,” he said.

“What is needed to fix IoT security is layers of security, starting at the very bottom of the stack with hardware level virtualization that can provide security by separation, so if one part of the system is compromised, it doesn’t necessarily mean the whole system is compromised, which is what is currently happening.

“However, it does require the industry to change its mindset to move away from closely guarded secrets to using open source APIs and agreeing to get the security basics right before competing on the value-add features in their devices.”