Microsoft Azure Sphere: make sure your connected devices and appliances are not controlled by a hacker on the other side of the world

 

What is the problem that Azure Sphere is trying to tackle?

 In 2008 the number of network-connected things exceeded the earth’s population. By 2025 that number is expected to reach 75 billion connected devices.

These connected things - also known as Internet of Things devices or IoT devices - are not immune from hacking. If security is not considered from the beginning, then there are many security vulnerabilities that allow hackers to control devices remotely. Examples of such vulnerabilities and hacks include:

1.     Hackable cardiac devices from St. Jude or Owlet baby heart rate monitor. 

2.     TRENDNet webcams allowed anyone to see through the cameras or even listen in.

3.     A heater in a casino’s aquarium allowed hackers to access the casino’s customers list.

4.     The Jeep hack, where some hackers demonstrated how they can turn the engine off or steer the car remotely. The vulnerability came from the car’s use of a dashboard system called Uconnect, which provided the ability to re-write the firmware on the chip. This, in turn, enabled access to the rest of the car’s controls via the CANBus interface.

5.     The Mirai Botnet DDoS attack infected many devices (including digital cameras and DVR players) and used these devices to attack a service provider (Dyn), which then brought down huge portions of the Internet.

6.     Other examples of vulnerabilities and hacks can be seen online.

 

What is a truly secured device?

It used to be that only high-end devices had strong security. But going forward it is critical that all network-connected devices are secured. This includes children’s toys, household appliances and factory equipment. In the end, an IoT solution is as secure as its weakest link.

A Microsoft research team came up with the 7 criteria which they assert are required in highly secured devices. The 7 properties of highly secure devices:

  1. Highly secure devices have a hardware-based root of trust: the device has a unique identity tied to the hardware.
  2. Highly secure devices have a small trusted computing base: the security enforcement features are protected from other hardware or software.
  3. Highly secure devices have defense in depth: several countermeasures lessen the effect of a successful attack.
  4. Highly secure devices provide compartmentalization: having different security layers means that if one layer is compromised, the other layers are not affected.
  5. Highly secure devices use certificate-based authentication: trust is brokered using signed certificates.
  6. Highly secure devices have renewable security: the device’s software can be updated automatically.
  7. Highly secure devices have failure reporting: the device can report failures to its owner.


  How does Microsoft Azure Sphere secure Internet connected devices?

3 Components of Azure Sphere


 Azure Sphere is a secured, high-level ecosystem with built-in communication and security features for Internet connected devices. It consists of:

1.     The hardware: secured microcontroller unit (MCU). Microsoft is working with several device manufacturers to produce these certified MCU’s. The first such MCU is the MT3620 from Mediatek. And other MCU’s should be coming from Qualcomm and NXP. 

And several existing Azure Sphere hardware partners are developing starter kits (prototyping boards) based on the MT3620 MCU. These include: Seeed Studio, AI-Link and USI.

2.     The OS: a new Linux-based operating system (OS). Microsoft will service the OS on the device for the 13 years of its life.

3.     The Service: the Azure Sphere Security Service that provides:

3.1.  Over the air updates infrastructure

3.2.  Application deployment and updates

3.3.  Reliable system software updates

3.4.  Error reporting at a global scale: software bugs or security attacks are reported

Azure Sphere will be in general availability in February 2020.


 When would you want to use Azure Sphere?

1.     Brownfield scenarios: for existing devices that cannot themselves be connected to the Internet, because of security concerns or because they lack the networking capability, you can use Azure Sphere Guardian modules to retrofit these older devices.

2.     Greenfield scenarios: with new devices or appliances that you want to connect to the Internet with end-to-end security.

 

Are you interested in learning more about Azure Sphere secured MCU’s and how you may use them to send data securely to the cloud?

 I recently got my hands on an Azure Sphere MT3620 Starter Kit from Avnet. You can read about connecting such an Azure Sphere device to the cloud by reading articles on my blog:

 

 

 This article first appeared on my Azure IoT and Cloud Blog.

 

 

Vamsidhar Palukuri

Solution Architect at Trelleborg Sealing Solutions

5y

Very informative and useful for IOT devices.  

George Hariz, MD

Retired | Board Certified General & Vascular Surgeon | Founder/CEO at Texas Vein Care

5y

Great. Very informative. Thank you and keep up the good work.
