The Seven Properties of Highly Secured Devices (2nd Edition)

MSR-TR-2020-41 |

Published by Microsoft

Many organizations building and deploying IoT devices largely underestimate the critical societal need to embody the highest levels of cybersecurity in every network-connected device. Every connected child’s toy, every household’s connected appliances, and every industry’s connected equipment needs to be secured against network-based attacks. Until now, high development and maintenance costs have limited strong security to high-cost or high-margin devices.

Our mission is to bring high-integrity cybersecurity to every IoT device. We are especially concerned with the tens of billions of devices powered by microcontrollers. This class of devices is particularly ill-prepared for the security challenges of internet connectivity. Insufficient investments in the security needs of these and other price-sensitive devices have left consumers, enterprises, and society critically exposed to device security and privacy failures.

This paper makes two contributions to the field of device security. First, we identify seven properties we assert are required for all highly secured devices. Second, we describe our experiment working with a silicon partner to create a prototype highly secured microcontroller, codenamed Sopris. We evaluate Sopris against the seven properties framework and in a penetration test utilizing a red team of 150 top-tier hackers. Our experimental results suggest that even the most price-sensitive devices can and should be redesigned to achieve the high levels of device security critical to society’s safety.

Note: This 2nd Edition (MSR-TR-2020-41) expands on and enhances the content of the 1st edition (MSR-TR-2017-16).