Attacking an interface or protocol is a multi-layered issue. There is the security of the communication itself with the cloud—including data security—as well as access security to the device through one or more protocols such as HTTP.
The Transport Layer Security (TLS) should protect all communication to and from the device. This type of cryptographic protocol covers authentication—to ensure that both sides can be specific about who they are communicating with—as well as encryption of all data to avoid eavesdropping attacks. This is ideal for an edge device that communicates to a remote cloud over public networks like the internet.
Given the speeds at which data moves over IP networks, hardware acceleration is a must in order to efficiently manage authentication and data encryption and decryption. Processors with hardware encryption acceleration like the TI EK-TM4C129EXL include on-chip crypto acceleration for TLS, ensuring secure communication with remote systems.
Using protocols like Kerberos for authentication can ensure that a client and server securely identify themselves. Kerberos relies on symmetric-key cryptography or public-key cryptography, both of which can be accelerated using processors that include cryptographic engines.
The protocol ports used with a network interface form one of the largest attack vectors on an internet-connected device. These ports expose protocol access to the device—for example, a web interface is exposed typically through port 80—and therefore provide information to the attacker on types of exploits to attempt.
One of the simplest ways of protecting these ports is with a firewall. A firewall is an application on a device that you can configure to limit access to ports in order to protect them. For example, a firewall can include a rule that prohibits access to a given port except for a predefined trusted host. This limits access to the port and helps to avoid common attacks using protocol exploits such as buffer overflows.
Edge devices are becoming increasingly complex, performing more advanced functions than prior generations—including machine-learning applications. With this complexity comes the requirement to fix issues and release updates to devices. But, the firmware update process creates an attack vector. By implementing security measures for firmware updates in your edge security plan, you can mitigate the risks posed by attackers.
Code signing is a common security method used to avoid malicious code from entering a device. This entails digitally signing the firmware image with a cryptographic hash, which can be used on the device prior to the firmware update process, to ensure the code is authentic and has not been altered since the signing process.