Leveraging on PUF, to address the IoT security challenges as connected IoT devices grow exponentially

All of the major leading companies that specialized in insightful research analytics in the Information Technology industry like Gartner, IHS Global Insight, ABI Research, and IDC and Harbor Research have all predicted the continually increasing use of the IoT technology (Lueth, 2019).  According to Cisco and Ericsson because of the increasing desire for connectivity of devices, it is estimated that around 50 billion devices will be using the IoT by 2020 which will eventually grow to about 500 billion by 2030 (2019). The question is, does this exponential growth rate of the IoT pose a security risk to industry and individuals?

Learning from the Past.

Siemens which is one of the leading companies in the fields of IoT technologies is also a global giant when it comes to industrial controls and other electronic ancillaries became a victim of a targeted attack in 2016 when its industrial products were targeted. Sergey Ulasen was the first to find the Stuxnet worm which was designed to attack primarily Siemens Programmable Logic controllers (PLCs) and Supervisory control and data acquisition (SCADA) systems.

The malware programmer used some pirated digital certificates for this attack (Jacinto, 2019). It was a panicking moment for the industries that relied on Siemens PLCs and SCADAs because the worm caused most of the industrial devices to reboot frequently.

Some people think the malware was created to serve a purpose which worked to perfection according to an article by Fruhlinger that “we now live in a world where code can destroy [war] machinery” (2019). However, think about the cost also in terms of job losses and also potentially life-threatening situations for personnel on critical platforms.

General IT Security threats

In computer security lingo a threat infers to anything that has the potential to result in serious harm to a computer system and its related connected networks. Information security threat includes the deployment of viruses, trojans, back doors to outright attacks from hackers and also the physical harms to IT peripherals. These acts are usually carried out by internal or external agents [individual crackers or a criminal organization]. Threats could also be accidental due to force majeure [natural catastrophes or acts of God], through an act of war or terrorism, civil or military disturbances, and nuclear attack.

But generally, the man-in-the-middle attack (MITM) is one of the commonest forms of attack. In this form of attack, the attacker usually directs packets between the client and server to go through a system that the attacker has access to or control over. There are many methods to launch this form of attack, however, hackers and IT criminals normally use any of these techniques regularly that is, abstraction of browser cookies, IP spoofing, DNS spoofing, HTTPS spoofing, SSL hijacking, ARP cache poisoning, packets injection, Wi-Fi eavesdropping, and other stealth techniques (Spivey, 2006). I have learned over the years from field experiences and also from other seniors in the security field, that there is nothing secure! The reason is simple, security systems are the creations of humans and humans have weaknesses which eventually translate into our systems. In a typical work setting, the work of the security professional is to try and make the IT system so secure close to near impossible malefic intrusions.

The very recent mass malware attack was around 2016. The mirai malware was designed to target devices that run on the Linux Operating system. The Linux operating system is the Operating system that drives many embedded devices. Taking advantage of this, the mirai malware programmer turned Linux embedded devices into bots which could be controlled remotely. By this mode of attack, large-scale damage could be achieved. Devices like routers, IP cameras, DVRs etc which are on networks were largely affected. (NJCCIC, 2019).

How do we secure IoT namespaces?

As we increasingly connect our devices to the internet, we need to be concerned because most of the encryption techniques used in the field of IT security are weak. That is the reason why security firms continually design programs to mitigate these shortfalls (Paar et.al 2010).

According to the risk assessment report which was conducted independently by Ponemon Institute LLC and published in March 2018, it revealed that 78 percent believe that loss or theft of data could be caused by IoT and also 76 percent also think a cyber-attack could be executed through IoT (Ponemon Institute LLC, 2018).

What is PUF and how does IoT user benefit from IT?

PUF is an acronym that stands for a physical unclonable function. The PUF mimics the fingerprint form of biometric authentication. The Physical unclonable functions (PUFs) make use of the inherent intrinsic randomness of grain formation in physical material to create signatures only for that particular system. This uniqueness in materials can be exploited by security cryptographers to design a fingerprint-like authentication system. For instance, during a typical semiconductor integrated circuit manufacturing process, the process generates inescapable structural variations. These are random and permanent which are efficiently impossible to clone by even the semiconductor manufacturing company. This feature is the basis of Silicon kind of Biometrics. This unique feature enables the system, and by inference any object or device it is attached to or embedded within, to be distinctively authenticated using challenge-response pairs (CRPs).

The Physical Unclonable Function (PUF) Authentication Process. 

To ensure trust in an IoT device on a network, its identity within the network communication sphere must be identified and verified. This process involves two stages namely the Enrolment and Verification processes.

During the first stage, the IoT device is enrolled by the trusted verification authority within the operational sphere of the IoT device. To achieve this, the trusted authority randomly selects some challenge-response pairs (CRPs). These CRPs are applied and stored both on the IoT device which is PUF capable and also stored on the secured database of the verification authority. When this process is completed, the device can be deemed as a trusted client which will pass (CRPs) verification process.  Below are the stages of a typical IoT PUF verification process;

  1. During the first stage as depicted in the sketch ❶, an IoT device registers its intention to communicate.
  2. During this phase, the verification authority ❷ sends a challenge question C to the IoT device. This challenge question C, is a question that has never been used before.
  3. To complete the verification process, the IoT device send R’ to the verification authority. This R’ respond is compared with the R challenge-response pair (CRP) stored in the database of the verification authority.
  4. During the final stage ❸, if R’ matches the correct Response R, the IoT device is authenticated else denied access when the matching criteria fail.
  5. To prevent MITM attacks the challenge question C is never used again, this means that Verification authority will have to generate another challenge-response pair (CRP) for its next authentication session.

Benefits of the PUF Authentication system

One of the key advantages offered by the PUF authentication system is that it can be used as low-cost security in electronic devices.  The small size of the PUF and its low power usage means that it can be simply used in any already existing field-programmable gate array (FPGA) based architectures and its applications. The mass creation of RFID cards that are used for bad intentions by deviants at workplaces can be effectively be checked. Also, there are many people, who are against the use of biometrics as the basis of authentication, for such people the PUF can be used to mitigate the frequent request of biometric scans when ID is being prepared for such individuals.


What I learned after watching the movie CHAPPiE by Blomkamp offers a lot of food for thought for emerging IoT and Robotic technologies. The programming core of CHAPPiE is called the “genesis.dat” file. It was on this base file that the “consciousness.dat”   which was uploaded by Deon [Dev Patel] gave the robot consciousness. When CHAPPiE was hacked by Vincent [Hugh Jackman] he gained access to “genesis.dat.” he then infests this file with malware which disables all the Police Patrol robots which created huge unrest in the cities under the controls of the robotic police force (2015). Technologies like PUF in conjunction with fingerprint biometrics could have made it difficult for Vincent [Hugh Jackman] to gain access to the base file. Although I am for Robotics and ML and AI technologies, security problems that can render systems in operational and ineffective are very disturbing. To pre-emptively address critical situations like this, the PUF technology offers one of the best solutions to this old-age problem of security on information technology platforms. Remember, it has been projected that billions of devices will be connected online soon. These include autonomous cars, trains, IIoT, and many other IoT devices. Think for a moment! What will be the scenario if a malware infests an autonomous vehicle Operating System?

The pre-emptive leveraging of PUF driven security authentication systems is the way forward to minimize any foreseeable chaos before it happens because there are malefic people in societies across the globe.

Reachable at www.selmaderben.com


Ponemon Institute LLC. (2018). The Second Annual Study on the Internet of Things (IoT): A New Era of Third-Party Risk. Michigan: Ponemon Institute LLC.

Blomkamp, N. (Director). (2015). Chappie [Motion Picture].

Cisco. (2019, June 23). https://www.cisco.com. Retrieved from https://www.cisco.com/c/dam/en/us/products/collateral/se/internet-of-things/at-a-glance-c45-731471.pdf

Fruhlinger, J. (2019, August 29). https://www.csoonline.com/. Retrieved from https://www.csoonline.com/article/3218104/what-is-stuxnet-who-created-it-and-how-does-it-work.html

Jacinto , J. (2019, August 1). https://www.totallyintegratedautomation.com/. Retrieved from Totally Integrated Automation: https://www.totallyintegratedautomation.com/2010/09/building-a-cyber-secure-plant/

Lueth, K. L. (2019, August 5). https://iot-analytics.com/iot-market-forecasts-overview/. Retrieved from https://iot-analytics.com/iot-market-forecasts-overview/

NJCCIC. (2019, August 11). https://www.cyber.nj.gov/. Retrieved from NJCCIC: https://www.cyber.nj.gov/threat-profiles/botnet-variants/mirai-botnet

Paar, C., Pelzl, J., & Preneel , B. (2010). Understanding Cryptography: A Textbook for Students and Practitioners. Berlin: Springer.

Spivey , D. M. (2006). Practical Hacking Techniques and Countermeasures. New York: Auerbach Publications.

0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments