Companies have finally attended to the development of IoT devices and their security.

Typical IoT device

IoT is an extremely young market segment, just trying to take the first serious steps. Of course, IP cameras and other sensors have been around for a long time, but to fully call them "smart" language does not turn. In this case, one of the problems of the market is, oddly enough, the development cycle, because it involves not only creating a physical device, but also writing software for it in extremely limited resources. This 20 years ago, several megabytes of memory under the application was the norm. Now, when optimization of resource consumption for users (and developers) only dreams, and for top products, memory leaks or unreal voracity (hi, Chrome) are normal, working in conditions of a couple of hundred kilobytes of flash memory on an energy-efficient microcontroller seems like a punishment for those developers, who misbehaved last year.

But this is not the only IoT issue. It’s not for me to tell you how helpless smart devices are in terms of information security. Stories about botnets from IP cameras, refrigerators and other microwaves periodically pop up in the media, starting in 2015. Add to this “dish” also a “sauce” from all sorts of clever speakers and assistants like Alexa or Alice, and we get a frightening picture; from the time of the Chinese nouvei-cameras, products from Amazon and Yandex have also acquired the ability to make online orders at the request of the owner. Actually, these are the features of the new generation of IoT devices and forced the software manufacturers to start moving, namely, to strengthen the digital defense lines of our talking boxes and other sensors.

')
But just as it usually happens with all sorts of standards in the young segment, there is no unity of approach. After all, the device can be secured in at least three ways: by deploying a cloud-based IoT control platform, enhancing security at the device firmware level and the so-called Gateway border, that is, protecting the IoT network at the router level and the internal intranet gateway at the interface with the outside world.

At least three giant companies from three different segments of the IT market right now are working in these areas - they are trying to simplify development and at the same time strengthen the lines of digital defense.

Google SDK and Cloud Platforms

How does the search giant usually do when it comes to entering a market? Well, we all know very well about the tactics of “buy, copy the best, close”, but in the case of IoT devices there is no one to buy. Here we are deserted, only the company ARM towers over the whole of this wasteland. So Google went the second favorite way - building a platform and then creating an ecosystem around it.

Google loves self-contained ecosystems. If you omit glaring failures on the path of social networks, the company creates ecosystems and builds communities around them with enviable stability. And most importantly - she knows how to support and develop them. But while it is impossible to show ads through smart refrigerators and other IoT devices, the ecosystem for Google in this direction is interesting only in the long term. This is the Google Cloud IoT platform for processing, analyzing and storing data of smart devices. But this was not enough, because the data from the devices must somehow be removed. Given the lack of a universal standard, this is not so easy.



That is why the search giant went even the third to its most beloved path and announced its own SDK for developers for IoT devices written in Embedded C. Why was this the third typical path for Google? Well, if the search giant cannot “buy and close”, or quickly build an ecosystem, tie it up with already existing services and platforms of the company and run ads, then it releases tools for developers. And waiting. Moreover, the platform as a tool is already there, why not release the SDK?

The product, called the Cloud IoT Device SDK , was developed jointly with ARM, Microchip Technology and NXP Semiconductors. Of course, the open source tool. The goal of the Cloud IoT Device SDK is to assist in prototyping and testing prior to the commercialization of the product. The SDK supports a wide range of microcontroller devices. The advantages of the SDK are that the development is applicable to devices with extremely low power consumption and flash memory from 25 KB. In general, Venturebeat writes that the development turned out to be juicy: the SDK includes compatibility with realtime OS, such as Zephyr, ARM Mbed OS, FreeRTOS kernel (and many others), compatibility with POSIX systems, there is an asynchronous API that allows you to work at all without the OS, but there is also an event scheduler and so on.

Sources are available on GitHub .

What does this mean for the industry? First of all, Google attended to consistent work in this direction. Given the dominant position of Android and the prospects for remote control of devices via smartphones and tablets, the release of a dedicated SDK was only a matter of time.



The fact that manufacturers such as ARM were involved in the work only adds confidence that we will not get another “chrome” that eats as much resources as it is given, and a real workable product that takes into account the specifics of the architecture of modern IoT. The presence of a full-fledged platform and the possibility of “running on the table” of software solutions before their commercial implementation will only increase the level of final products and speed up their entry into the market.

Information security of smart devices

It is difficult to talk about what really does not exist. No matter how much the individual characters are crucified, that IoT-Security is real, we all understand that IoT devices themselves are completely defenseless and are 100% dependent on the network to which they are connected. Actually, because of the devil-may-care attitude to security in the field, we observed hundreds of thousands of botnets from IP cameras several years ago. For example, you can remember the botnet Mirai .

But this issue must be addressed. Earlier, I mentioned Alexa and Alice - these two madam earnestly claim to have access to the credit cards of their owners to order pizza for them or another trinket from Amazon, eBay or Yandex.Market.


Yandex station

On the path of the struggle for security, ARM was again noted.

The Platform Security Architecture Certified project is, in essence, a certification program for IoT devices. There are two ways to use PSA: these are multi-level security schemes and API test suites for developers. To create a PSA, ARM has attracted several independent research laboratories in the field of information security.

The project simply grew from a set of documentation on the topic of IoT security, which contained recommendations for development. However, now there is much more information in the project, for example, models of cyber attacks, documentation on security analysis, certification on the hardware and software architecture of devices, and more have been added.

Another significant project in the field of security IoT has domestic roots, he is engaged in "Kaspersky Lab". This company chose the most obvious path for itself and drew attention to the vulnerability of intranets mentioned earlier, in which IoT devices exist. The most effective way to protect the network is to defend the “locks with the outside world”, which is what the LK did. Specifically, they are currently working on the IoT Gateway project, which is a firmware for routers and routers. The entire project is based on KasperskyOS and, apparently, is its subset.


Router with KasperskyOS on board

According to the LC prospectuses, direct manufacturers of routers take an active part in the development, who went to conscious cooperation with the company to increase the safety of their devices at the conveyor stage. At a minimum, Advantech , a major equipment manufacturer with whom Laboratories previously collaborated on the KICS for Networks project to ensure information security at work, must participate in the development.

Instead of output

With all the attention of technology giants and other companies to the IoT segment, ARM is the most active manufacturer of microchips, on which all these cameras, sensors and other energy efficient devices work. Now ARM's dominance and the company's desire to make the market wider plays into everyone's hands: it willingly cooperates with Google, hires private laboratories for specific projects and tries in every way to restore the confidence of the general public, which has been badly undermined by the same story with Mirai and other botnets.

However, ARM is not all IoT. The market still lacks medium and frankly unknown electronics manufacturers who wanted to spit on the Google SDK, test tools and security checks and so on and so forth. Kaspersky Lab is doing a serious job, and I am sure that not only they are moving in the direction of increasing the security of routers and routers. But in the developments of LC there is one big problem - its focus, first of all, on the industrial segment, as evidenced by other projects of the company in this direction and the joint past with Advantech. In addition, these commercial products include delivery in a package with the rest of the company's software, which is not all and need.

How long did we go to the Micro-USB Type-B as a standard charging connector? But not a couple of years of silence and tranquility passed, as USB Type-C came, and Lightining did not disappear at all. In terms of security and the development of IoT devices, a compromise is needed that is comparable to the choice of “standard USB”. That's just to achieve this will be almost impossible, because now IoT is developing at a pace that any standards become obsolete in a year or two. It is hoped that ARM and Google will be able to consolidate developers around themselves and achieve a certain standard in the development and information security, but then the consumer will face another monopoly, which is already sick.

However, in any case, some kind of movement is better than stagnation. Because IoT is a development for a variety of areas of knowledge adjacent to it, for example, in the field of speech recognition, AI and so on. And behind these technologies is the future.