blog-breadcum

BLOG

breadcum-strip

Seven essential security features for Linux based edge devices

blog

Securing Linux OS in IoT devices is crucial against hacking and data breach but what are the main security features we must consider, well there are seven which we recommend..

Despite the delays caused by the COVID-19 pandemic, edge computing is expecting exponential growth over the next few decades because of developments in 5G and Internet of Things (IoT) technology. According to Statista, the number of IoT-connected devices is forecast to reach 25 billion in 2030, a more than threefold increase from 2019. Moreover, the worldwide edge computing market is projected to reach 250.6 billion USD by 2024.

The sheer number of IoT devices is mind-blowing, this means the security issues surrounding edge computers are numerous and complex. The hacking of a good spectrum of smart devices like smart fridges, baby monitors, vehicle infotainment systems is indicative of a security trauma caused hacking attacks.

Millions of IoT devices on the field requires a different set of security approach compared to traditional methods. Anyone can steal, copy, or hack if no proper security approach is implemented. It inherently becomes harder to secure edge devices with their challenging environmental condition.

Edge computing devices with operating systems are vulnerable to security threats that are different from traditional IT security environments like servers, laptops, desktop computers, and mobile devices. For example, transit operators are using Linux and Android-based smart devices on the field. In buses and railways, it is difficult to manage when the numbers scale above 1000 devices.

Here are the 7 pointers that every designer needs to consider while developing a network-based edge computing device.

1. HAB (High Assurance Boot)

HAB or high assurance boot is a unique feature available in many SoCs. For example, this feature in the i.MX SOC family (NXP), allows users to make sure only software images signed by users can be executed on the SoC. It incorporates boot ROM level security which cannot be altered after programming the appropriate one-time eFuses.

HAB enables the boot ROM to authenticate the initial software image by using digital signatures. HAB provides a mechanism to establish a chain of trust for the remaining software components (such as the kernel image) and thus to establish a secure state of the system. HAB authentication is based on public-key cryptography using the RSA algorithm.

2. ARM Trust Zone: OPTEE and OpenSSL

A trusted execution environment (TEE) is a secure area of a processor. It guarantees code and data loaded inside to be protected regarding confidentiality and integrity. OP-TEE is a Trusted Execution Environment designed as a companion to a non-secure Linux kernel running on Arm. OP-TEE is designed primarily to rely on the Arm TrustZone technology as the underlying hardware isolation. TrustZone is used to protect high-value code and data for use cases like key storing or authentication.

OpenSSL is a general-purpose cryptography library that provides an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The core library implements basic cryptographic algorithms and provides various utility functions. This type of algorithm requires extremely high computing power. However, by default OpenSSL runs on CPU (pure software acceleration) and the only way to have a better throughput is using the hardware acceleration (i.e.: CAAM in our case).

 

3. Open Virtual Private Network       

VPN stands for Virtual Private Network and it is just that, a secure network that is not restricted to one geographical location. Instead, it can communicate with buildings in distant corners of the world. OpenVPN is used as the VPN service, which allows a device to be connected remotely and enabling remote SSH access. A Virtual Private Network provides you with two major features:

Encryption: The data is encrypted when it leaves your device and decrypted once it reaches the destination. This is called the VPN tunnel, and it is what keeps your data private and secure. Once you are connected to the VPN, all the Internet traffic is routed through this tunnel.

Authentication: To access the VPN, you need to authenticate with the user and password.

4. Firewall in connected edge devices

A firewall is a set of rules. When a data packet moves into or out of protected network space, its contents (in particular, information about its origin, target, and the protocol it plans to use) are tested against the firewall rules to see if it should be allowed through.

5. Linux Unified Key Setup

Linux Unified Key Setup (LUKS) is a disk-encryption system. It provides a generic key store (and associated metadata and recovery aids) in a dedicated area on a disk with the ability to use multiple passphrases (or key files) to unlock a stored key. It is designed to be flexible and can even store metadata externally so that it can be integrated with other tools. The result is full-drive encryption, so you can store all your data confident that it's safe—even if your drive is separated, either physically or through software, from your computer.

6. Ports and Peripherals Accessibility

Edge device must have ports configuration setup. Ports must be restricted to specific use cases or specific users with authorization. Ports like serial tty, USB, or ethernet must be configured in a way that restricts unauthorized access.

7. Access Control Lists (ACLs)

“ACLs” is network traffic filters that can control incoming or outgoing traffic. ACLs work on a set of rules that define how to forward or block a packet at the router’s interface. An ACL is the same as a Stateless Firewall, which only restricts, blocks, or allows the packets that are flowing from source to destination. When you define an ACL on an edge device for a specific interface, all the traffic flowing through will be compared with the ACL statement which will either block it or allow it.

The criteria for defining the ACL rules could be the source, the destination, a specific protocol, or more information. ACLs are common in routers or firewalls, but they can also configure them in any device that runs in the network, from hosts, network devices, servers, etc., and in our case our edge device. The main idea of using an ACL is to provide security to your network. Without it, any traffic is either allowed to enter or exit, making it more vulnerable to unwanted and dangerous traffic. To improve security with an ACL you can, for example, deny specific routing updates or provide traffic flow control.


Conclusion: Trunexa develops customized edge devices for our clients in public transportation, automobile, and consumer electronics. While designing any devices we consider all the above-discussed areas and develop devices that are secure. Please get in touch with us for more information.