Microsoft is continuing to devote resources toward the hardware end of the IoT market, through a new research program aimed at making low-cost devices more secure. Dubbed Project Sopris, the endeavor follows the opening of several Microsoft IoT innovation labs around the world (go here for our recent report on that effort).
IoT security has been a sore spot to say the least in recent times, with no consensus on security standards, not to mention reluctance by many device makers to invest the time in making their products secure, versus getting them to market faster. High-profile cyberattacks such as the IoT botnet Mirai will undoubtedly continue to occur, but with Sopris, Microsoft wants to help the IoT market start turning the tide. Here's the rationale for Sopris from the researchers' website:
Industry largely underestimates the critical societal need to embody the highest levels of security in every network-connected device—every child’s toy, every household’s appliances, and every industry’s equipment. High development and maintenance costs have limited strong security to high-cost or highmargin devices.
Our group has begun a research agenda to bring high-value security to low-cost devices. We are especially concerned with the tens of billions of devices powered by microcontrollers. This class of devices is particularly ill-prepared for the security challenges of internet connectivity. Insufficient investments in the security needs of these and other price-sensitive devices have left consumers and society critically exposed to device security and privacy failures.
Our experimental results suggest that in the near future even the most price-sensitive devices should be redesigned to achieve the high levels of device security critical to society’s safety. While our first experimental results are promising, more ongoing research remains and we seek to enlist the broader security community in a dialog on device security.
The Microsoft research team has released an academic paper describing their proposals and experiments in-depth. It names seven properties that are critical for secure connected devices:
Hardware-based root of trust, small trusted computing base, defense in depth, compartmentalization, certificate-based authentication, security renewal, and failure reporting.
The researchers wanted to figure out whether those qualities could be delivered effectively even in the lowest-cost devices. They managed to build a proof-of-concept microcontroller that hit on all seven marks. Now they're packaging their initial research into a device board design that will be shared with other researchers and security experts, both in academia and industry, according to the site.
Sopris's arrival has interesting timing coming so soon after the launch of the IoT innovation labs, notes Constellation Research VP and principal analyst Andy Mulholland. "Taken together, is this the beginnings of a new Microsoft focus on becoming the software operating platform of choice for IoT devices?" he says. "Certainly there are powerful arguments in favor of one of the big technology vendors taking a direct interest in this part of the IoT market."
Microsoft has its own interests in mind, of course, given that the presence of billions of insecure IoT devices runs counter to its ambitions of capturing IoT-related workloads through its Azure cloud service. But as Mulholland notes, there's much to like about a vendor as influential as Microsoft in both the consumer and enterprise worlds putting wood behind the IoT security arrow.
The researchers are looking for help battle-testing Sopris through a hacking contest. It will provide 150 security experts with Sopris testing kits and award bounties of between $2,500 and $15,000 to those who find vulnerabilities.
24/7 Access to Constellation Insights
Subscribe today for unrestricted access to expert analyst views on breaking news.