IoT Security Starts with Threat Modeling and Security Analysis

IoT Security Starts with Threat Modeling and Security Analysis

September 27th, 2018

By Lynnette Reese, Editor-in-Chief, Embedded Systems Engineering

Fighting back as more processing muscle becomes available to hackers along with the rest of us

Markets that employ the Internet of Things (IoT) will increase to $520 billion in 2021, which is more than twice the $235 billion expended on IoT in 2017. Nevertheless, growing concern about security has caused firms to hesitate. According to a 2018 Bain & Company survey of 600 IoT decision-makers, firms face “ongoing security and implementation challenges. Respondents said security, integration with IT and operational technology systems, and an uncertain return on investment remained the biggest barriers to adoption.” While cloud providers are influencing IoT analytics and services, their broad focus creates an opening for others to work closely with firms to deliver solutions that are tuned explicitly to a planned strategy.

Figure 1: In a 2018 survey with over 600 respondents, security is the most significant barrier that limits the adoption of IoT/analytics solutions. (Image: Bain & Co.)

Manufacturers that want to improve security can take some obvious actions, like eliminating the use of default passwords across devices, encrypting communications, and disabling programming and debugging interfaces like JTAG and UART before production. However, even with encryption, attackers with the right tools and a lot of patience may engage in a category of non-invasive hardware-based attacks known as side-channel attacks (SCAs).

Companies are aware of the concern for security in IoT and realize that attacks come in many different forms. These can be split into four primary channels: communication, life cycle, software, and physical attacks. Communication attacks exploit connectivity. Life cycle attacks depend on companies to abandon security updates for their products after a few years. The type of attack with the most press coverage is the software attack, which is often carried out remotely and frequently opportunistic. Physical attacks, which Arm categorizes as either invasive or non-invasive, very often require local access to a device to obtain detailed information about the physical state or response of the device. Physical attacks are more difficult to perform but not impossible. If the value of the intellectual property (IP) on a target device is high enough and other methods are not successful, hackers will resort to “brute force,” or physical attacks.

Unlike attacks that exploit software algorithm weaknesses, SCAs use forensic techniques associated with the physical implementation of the embedded hardware. Typically,  hackers use SCAs to extract information that assists in guessing cryptographic keys. Side-channel attacks can require expensive software and hardware tools. However, the same low-cost yet powerful processors sparking IoT growth are placing lower cost, automated tools within hackers’ reach.

Types of Side-Channel Attacks
Four types of side-channel attacks are power consumption analysis, electromagnetic radiation analysis, differential fault analysis, and timing analysis.

Power consumption analysis involves monitoring the power consumption of a device under attack. When a processor is performing calculations, transistors turn on and off as they change state. Switching states creates variations in power consumption by the processor that can be externally monitored. For example, as a processor performs calculations for AES encryption algorithms, power consumption patterns can help hackers make educated guesses about the encryption key that’s being used.

Electromagnetic radiation analysis is very similar to power consumption analysis, as the two are directly and physically related. As transistor states change, the total electromagnetic radiation changes in proportion to power consumption. As the electromagnetic radiation changes over time, the electromagnetic field can be analyzed to make educated guesses regarding encryption keys.

A differential fault analysis is based on the response of the device to incorrect clocking cycles or voltage levels. Hackers perturb the device under attack, inducing unintended behavior, and make a note of the corresponding corrupted responses to various stimuli. Over time, the device under attack is less of a black box, as experimentation helps hackers reverse engineer the device based on documented behavior.

Timing analysis is another side-channel attack method that measures the time it takes to perform calculations, which can reveal information about the length of a key or other characteristic that enables hackers to make educated guesses.

Platform Security Architecture Program
Arm’s TrustZone has been available for some time. However, Arm has also released a processor designed to prevent physical attacks against IoT devices, the new Cortex-M35P processor. In addition to the processor, Arm released new security IP that includes side-channel attack protection (ref. CryptoIsland-300P and CryptoCell-312P).

Even the most robust security schemes are not immune to physical attacks. However, it’s worth it to make hacking as difficult, time-consuming, and frustrating as possible. Companies like Arm provide solutions and tools from the physical layer up. In 2017, Arm announced a major program called Platform Security Architecture (PSA)  “a common framework aiming to provide a holistic approach to IoT security.”  The PSA starts with documentation about Threat Models and Security Analysis (TSMA) for assessing the security risk of several connected devices, beginning with TSMAs for asset tracking, smart water meters, and network cameras. Arm recommends that designers of IoT devices carry out extensive threat modeling to determine specific threats. Once designers identify risks, they can find and assign specific countermeasures to lessen the likelihood of those threats. It’s good practice to implement security on several different layers of the device, starting at the physical layer with tools like TrustZone.

Figure 2: There are three key stages to the Platform Security Architecture: Analysis, Architecture, and Implementation. PSA advises that implementing security should start with an analysis of potential threats and that developers and manufacturers should start by creating their own TSMA. (Source:

According to a press release from Arm earlier this year, “PSA aims to provide a holistic set of security guidelines for IoT security to enable everyone in the value chain, from chip manufacturers to device developers, to implement security successfully. When we launched PSA, we provided an overview of what it would aim to deliver to the industry, and we’ve been working hard to progress with that vision.” Arm released the first open source reference implementation firmware that conforms to the PSA specification Trusted Firmware-M (TF-M). Rob Coombs, director of business development, IoT Device IP Line of Business at Arm, states in a related blog post, “Trusted Firmware M (TF-M) is the name of the new open source project that will provide a reference implementation of PSA trusted code, created for the latest Armv8-M microcontrollers with Arm TrustZone technology. TF-M will provide foundational firmware components as a reference implementation that our silicon partners and OEMs can build on (including trusted boot, secure device initialization, and secure function invocation).”

More information on this topic and a download of the Trusted Firmware-M is on the Arm PSA pages online at

Bosche, Anne, et al. “Unlocking Opportunities in the Internet of Things.” Unlocking Opportunities in the Internet of Things, Bain & Co., 7 Aug. 2018,
Norton, Steven. “Internet of Things Adoption to Rise Despite Security, Data Integration Challenges.” The Wall Street Journal, Dow Jones & Company, 6 Aug. 2018,
“Arm PSA Resources.” Arm Platform Security Architecture, Arm, 2018,
“The next Step for PSA and a Secure IoT Future (TF-M).” Arm Community, Mar. 2018,

Lynnette Reese is Editor-in-Chief, Embedded Intel Solutions, and has been working in various roles as an electrical engineer for over two decades. She is interested in open source software and hardware, the maker movement, and in increasing the number of women working in STEM so she has a greater chance of talking about something other than football at the water cooler.