Reboot-Oriented IoT: Life Cycle Management in Trusted Execution Environment for Disposable IoT devices
Many IoT devices are geographically distributed without human administrators and are maintained by a remote server that enforces security updates, ideally through machine-to-machine (M2M) management. However, malware often terminates the remote control mechanism immediately after compromise and hijacks the device completely. The compromised device has no way to recover and becomes part of a botnet. Even if the IoT device remains uncompromised, it still has to be updated because of a recall or for other reasons. In addition, the device should be automatically disposable once its service, software, or device hardware expires, so that it does not become cyber debris.
We present Reboot-Oriented IoT (RO-IoT), which autonomously updates the entire OS image to recover from compromise (rootkit or otherwise), and manages the life cycle of the device using a Trusted Execution Environment (TEE) and PKI-based certificates (i.e., CA, server, and client certificates, which are linked to the device, software, and service). RO-IoT is composed of three TEE-protected components: the secure network bootloader, periodic memory forensics, and life cycle management. The secure network bootloader downloads and verifies the OS image using the TEE. The periodic memory forensics triggers a hardware system reset (i.e., a reboot) after detecting any unregistered binary or on a time-out, which relies on a TEE-protected watchdog timer. The life cycle management checks the expiration of the PKI-based certificates for the device, software, and service, and deactivates the device if necessary. These features complement each other, and all binaries and certificates are encrypted or protected by the TEE. We implemented a prototype of RO-IoT on an ARM Hikey board with the open source trusted OS OP-TEE. The design and implementation take account of availability (over 99.9%) and scalability (less than 100 MB of traffic for a full OS update, estimated at a cent per device).