Hardware-assisted Cybersecurity for IoT Devices Fahim Rahman, Mohammad Farmani, Mark Tehranipoor, and Yier Jin Department of Electrical and Computer Engineering, University of Florida {fahim034,mfarmani}@ufl.edu, {tehranipoor,yier.jin}@ece.ufl.edu Abstract—Internet of Things (IoT) has become an integral part of the modern era as it provides an ease of life with higher flexibility, easier control, and wide connectivity through numer- ous applications. However, security vulnerabilities in the IoT domain have given rise to potential threats and attacks that can compromise critical infrastructures and national security, cause physical and financial loss. Being common and easier targets due to low power and low processing capabilities, lightweight firewall, and availability for service, IoT devices require lightweight but enhanced security to thwart different cyber attacks. In this paper, we champion for hardware-assisted defense mechanisms against cyber attacks in IoT domain. We highlight that hardware-assisted techniques indeed offer an additional layer of protection with respect to traditional software-only cybersecurity. However, to offer a comprehensive security, many challenges including area and power footprint, as well as security strength, need to be addressed. I. I NTRODUCTION Internet of Things (IoT), the network of ubiquitous smart objects, has become an integral part of modern day-to-day life enabling novel applications and services, ranging from home automation to embedded medical devices and personal gears. Fast network connectivity and intelligent sensors allow these IoT devices to collect, process, and relay information in an efficient and seamless way. Advanced lightweight low- power technologies have made it even more possible to employ IoT devices in remote locations requiring no/minimal physical observation and maintenance. Although seemingly harmless, these IoT devices are not free from security and privacy concerns as there exist numerous threats and vulnerabilities in the modern IoT framework. Security vulnerabilities in the IoT domain have given rise to countless threats and attacks that can potentially compromise critical infrastructures and national security, cause physical and financial loss, and more. McAfee quarterly threat report (Jan-Mar 2017) reveals that there are 176 new cyber-threats every minute [1]. Mirai-botnet based recent DDoS attack on low-cost IoT devices infected over 2.5 million devices within only four months [1]. Such attack volume, exploiting various security vulnerabilities, is expected to grow even larger with an estimated 26 billion connected devices by the end of 2020 [2]. As of today, most of the prevailing IoT devices do not offer adequate security measures to defend against these ever-growing pool of attacks and threats. Further, having easy network connectivity as an inherent feature, these IoT devices have become lucrative targets for remote attacks. Al- though techniques have been proposed for enhancing security and trust for connected devices, those may not be suitable solutions for lightweight IoT applications where processing capability, memory, and power are scarce. Moreover, most of such cybersecurity solutions are employed in the software domain which has its own set of challenges and vulnerabilities. Hence, it is crucial that one must explore, and, if suitable, employ hardware-assisted security as well with the software- only protections for IoT devices to thwart away prevailing and unforeseen threats. In this paper, we make a comprehensive study of recent hardware-based security solutions and high- light existing challenges and future research directions to offer a holistic security for IoT devices. The rest of the paper is organized as follows: in Section II, we provide preliminaries to common attacks and vul- nerabilities for modern day IoT devices and establish the threat model. In Section III, we analyze various hardware- assisted techniques for ensuring IoT security. In Section IV, we highlight some prevailing challenges and future research directions in hardware security domain for establishing a secure and trusted IoT system. Section V concludes the paper. II. COMMON CYBER- THREATS FOR I OTDEVICES Before employing a protective mechanism against various attacks on IoT devices, it is crucial that one understands the attacker’s capability and adversarial gains and targets. For a remote IoT device, an attacker may gain physical access to the device since regular monitoring and continuous protection for such lightweight and low-cost devices may not always be practically and financially feasible. A physical access to such a device opens up possibilities of probing attack, physical tampering attack, the inclusion of hardware bugs and Trojans, and replacement with fake devices [3]. However, in this work, we focus only on the cyber-attacks where the attack vectors are exercised via software and networks and a physical access to the device is not mandatory. We also assume that the network itself is untrusted and the attacker can gain access to the device without any loss of adversarial capability. Further, the attack itself is not transparent to the user, i.e., concealed from the the deployed security scheme, and the attacker can successfully launch the first phase of the attack without prominent changes in computation timing and processing power consumption. The adversarial gain of an attacker from a remote cyber- attack is either to ‘distort’ the output (and subsequent actions due to faulty data/control) of the device, or to ‘disrupt’ the on- going processes (e.g., denial of service), or to ‘disclose’ any secret information residing in the device such as secret keys and passwords [4], [5]. As shown in Fig. 1, an IoT device may be affected by a variety of attacks as follows.