Information Security 14 min read

IoT Security: Challenges, Differences from Traditional Internet Security, and Capability Building

As IoT devices proliferate across industries, their fragmented, resource‑constrained nature and continuous operation create security challenges distinct from traditional Internet security, prompting the need for specialized authentication, lightweight TLS, secure chips, trusted execution environments, software hardening, and emerging standards to protect the ecosystem.

Tencent Cloud Developer

With the rapid development of Internet of Things (IoT) technology, its impact on daily life is expanding, but IoT security technologies lag behind, creating serious risks.

1. IoT Security Background – IoT devices are proliferating across industries, leading to security threats that can affect personal safety and critical infrastructure. Notable incidents include large‑scale power outages caused by cyber attacks in 2003, 2008, and 2016 (e.g., the Mirai botnet DDoS attack involving over 800,000 IoT devices).

2. Differences Between IoT Security and Traditional Internet Security

Fragmented device types and limited resources make it difficult to run full‑stack security solutions (e.g., TLS may be too heavy for many micro‑controllers).

IoT devices often run continuously without user interaction, making compromises hard to detect.

Specialized communication protocols (ZigBee, Bluetooth, NB‑IoT, 2/3/4/5G) are not covered by conventional Internet security policies.

Traditional network boundaries disappear; devices are globally distributed, reducing the effectiveness of firewalls and IPS.

Embedded operating systems (uClinux, FreeRTOS, bare‑metal) cannot use standard endpoint protection (EDR) designed for Linux/Windows.

IoT applications involve device‑to‑cloud and device‑to‑app communication, requiring new authentication, OTA, and hardware encryption mechanisms.

Development processes must address embedded security, logic security, cryptography, authentication, interface security, storage security, and protocol security.

Regulatory compliance is still immature; existing standards (e.g., China’s “等保”, the Multi-Level Protection Scheme) are recent and not widely adopted.

3. Building IoT Security Capabilities

Two core problems must be solved: identity authentication and link security. Tencent Cloud IoT Product Center has evolved its security stack from TLS certificates → Secure Element (SE) chips → ARM Trusted Execution Environment (TEE) → Software hardening.

3.1 TLS Certificate Chain – X.509 certificates are the standard for HTTPS, but a TLS stack with certificate handling consumes significant RAM/ROM (≈56 KB RAM, 105 KB ROM), which is prohibitive for many MCUs (e.g., the STM32F103 series). TLS‑PSK reduces the footprint but still adds about 36 KB RAM and 104 KB ROM.

3.2 Secure Chip – Secure chips (derived from smart cards) provide tamper‑resistant storage for keys and support ISO‑7816 APDU commands. The following APDU set is defined for the Tencent Cloud TID protocol:

GetChallenge        CLA=00     INS=84  // generate random number
ImportSessionKey    CLA=80     INS=5A  // import temporary session key
SymCrypto           CLA=80     INS=F0  // symmetric encrypt/decrypt
AsymCrypto          CLA=80     INS=F2  // asymmetric encrypt/decrypt
GenerateKeyPair     CLA=80     INS=F4  // generate temporary key pair
GenerateSharedKey   CLA=80     INS=F6  // generate shared key
GenerateSessionKey  CLA=80     INS=F8  // generate session key inside SE
ComputeDigest       CLA=80     INS=FA  // compute digest
GetTid              CLA=80     INS=FC  // retrieve device TID
GetVendor           CLA=80     INS=CA  // retrieve chip vendor info
SecurityStorage     CLA=80/84  INS=E2  // custom data read/write
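The APDU framing behind this command set, as an added example in C that is not Tencent Cloud's TID implementation: it encodes ISO 7816-4 short APDUs (CLA INS P1 P2 [Lc data] [Le]) using the CLA/INS values listed above, splits a response into payload plus the SW1SW2 status word, and drives a hypothetical in-process stand-in for the chip transport. P1/P2 = 00 00, the returned payloads, and the mock's behaviour are constructed assumptions for illustration; only GetChallenge, GetTid, ImportSessionKey framing and the standard ISO status words 9000 (success) and 6D00 (INS not supported) are exercised.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CLA/INS values from the TID APDU set above; P1/P2 are assumed 00 00 here. */
#define CLA_ISO              0x00
#define CLA_PROP             0x80
#define INS_GET_CHALLENGE    0x84
#define INS_GET_TID          0xFC
#define SW_OK                0x9000   /* ISO 7816-4: normal completion */
#define SW_INS_NOT_SUPPORTED 0x6D00   /* ISO 7816-4: INS not supported */

/* Build a short-length command APDU: CLA INS P1 P2 [Lc data] [Le].
 * le < 0 means "no Le field"; le == 256 is encoded as 0x00 per ISO 7816-4.
 * Returns bytes written, or 0 if the arguments do not fit. */
size_t apdu_encode(uint8_t cla, uint8_t ins, uint8_t p1, uint8_t p2,
                   const uint8_t *data, size_t lc, int le,
                   uint8_t *out, size_t out_sz)
{
    size_t need = 4 + (lc ? 1 + lc : 0) + (le >= 0 ? 1 : 0), n = 0;
    if (lc > 255 || le > 256 || need > out_sz) return 0;
    out[n++] = cla; out[n++] = ins; out[n++] = p1; out[n++] = p2;
    if (lc) { out[n++] = (uint8_t)lc; memcpy(out + n, data, lc); n += lc; }
    if (le >= 0) out[n++] = (uint8_t)(le == 256 ? 0 : le);
    return n;
}

/* Split a response APDU into payload length and the 16-bit SW1SW2 status word.
 * Returns 0 when the response is too short to carry a status word. */
int apdu_parse_response(const uint8_t *resp, size_t len,
                        size_t *data_len, uint16_t *sw)
{
    if (len < 2) return 0;
    *data_len = len - 2;
    *sw = (uint16_t)((resp[len - 2] << 8) | resp[len - 1]);
    return 1;
}

/* Hypothetical in-process stand-in for the SE transport (no real chip).
 * Dispatches on CLA/INS only and returns constructed payloads; a real SE
 * also checks P1/P2, Lc and access conditions before answering. */
size_t mock_se_transmit(const uint8_t *cmd, size_t clen, uint8_t *resp, size_t rsz)
{
    /* Constructed values: NOT random, NOT a real TID. */
    static const uint8_t fake_rand[8] = {0xA1,0xB2,0xC3,0xD4,0xE5,0xF6,0x07,0x18};
    static const uint8_t fake_tid[]   = "TID-EXAMPLE-0001";
    const uint8_t *payload = NULL; size_t plen = 0; uint16_t sw = SW_INS_NOT_SUPPORTED;

    if (clen < 4 || rsz < 2) return 0;
    if (cmd[0] == CLA_ISO && cmd[1] == INS_GET_CHALLENGE) {
        payload = fake_rand; plen = sizeof fake_rand; sw = SW_OK;
    } else if (cmd[0] == CLA_PROP && cmd[1] == INS_GET_TID) {
        payload = fake_tid; plen = sizeof fake_tid - 1; sw = SW_OK;
    }
    if (plen + 2 > rsz) return 0;
    if (plen) memcpy(resp, payload, plen);
    resp[plen] = (uint8_t)(sw >> 8); resp[plen + 1] = (uint8_t)sw;
    return plen + 2;
}

/* Send one case-2 command (no data, Le present) and return the status word;
 * the response payload is copied into data. Returns 0 on transport/framing error. */
uint16_t se_exchange(uint8_t cla, uint8_t ins, int le,
                     uint8_t *data, size_t data_cap, size_t *data_len)
{
    uint8_t cmd[8], resp[64]; size_t clen, rlen; uint16_t sw = 0;
    clen = apdu_encode(cla, ins, 0x00, 0x00, NULL, 0, le, cmd, sizeof cmd);
    if (!clen) return 0;
    rlen = mock_se_transmit(cmd, clen, resp, sizeof resp);
    if (!apdu_parse_response(resp, rlen, data_len, &sw)) return 0;
    if (*data_len > data_cap) return 0;
    memcpy(data, resp, *data_len);
    return sw;
}

int main(void)
{
    uint8_t buf[64]; size_t n; uint16_t sw;
    sw = se_exchange(CLA_ISO, INS_GET_CHALLENGE, 8, buf, sizeof buf, &n);
    printf("GetChallenge: SW=%04X, %zu bytes\n", sw, n);
    sw = se_exchange(CLA_PROP, INS_GET_TID, 256, buf, sizeof buf, &n);
    printf("GetTid: SW=%04X, TID=%.*s\n", sw, (int)n, buf);
    sw = se_exchange(CLA_PROP, 0x00, 256, buf, sizeof buf, &n);  /* unknown INS */
    printf("Unknown INS: SW=%04X\n", sw);
    return 0;
}
```

The status word is the part host code most often gets wrong: any 6xxx response (unsupported INS, unsatisfied access condition, wrong length) has to be treated as a hard failure and the payload discarded, otherwise a fallback path can silently continue with empty or stale key material.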

3.3 TEE (Trusted Execution Environment) – For ARM Cortex‑A devices, TEE provides an isolated execution environment for Trusted Applications (TA) that protects keys and code even if the Rich OS is compromised. Tencent Cloud IoT leverages OP‑TEE to implement TID‑compatible TA and client applications.

3.4 Software Hardening – Two low‑cost approaches are used:

White‑Box Keys: Keys are never stored in clear; instead, a white‑box transformed library or key table performs cryptographic operations without exposing the secret.

Code Obfuscation: Techniques such as control‑flow flattening, instruction substitution, and fake control flow (e.g., via Obfuscator‑LLVM) make reverse engineering significantly harder.
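An added illustration of what control-flow flattening and fake control flow do to a routine, written by hand in C for this page; it is not Obfuscator-LLVM output and not Tencent Cloud code. The message format (big-endian counter, payload, XOR checksum), the accept/reject logic and the test vectors are constructed for the example. The same check appears twice: once in plain form, once with every basic block turned into a case of a single dispatcher switch plus a dead block guarded by an opaque predicate, and a function confirms both versions agree on every vector.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Parse a big-endian 32-bit counter from the first four message bytes. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Plain version. Message layout (constructed for this example):
 *   [0..3] big-endian counter, [4..len-2] payload, [len-1] XOR checksum
 * Accepts only if the counter is newer than stored_ctr and the checksum over
 * all preceding bytes matches. Returns 1 = accept, 0 = reject. */
int accept_plain(uint32_t stored_ctr, const uint8_t *msg, size_t len)
{
    if (len < 5) return 0;
    if (read_be32(msg) <= stored_ctr) return 0;   /* stale counter */
    uint8_t sum = 0;
    for (size_t i = 0; i < len - 1; i++) sum ^= msg[i];
    return sum == msg[len - 1];
}

/* Flattened version of the same logic: each basic block is a case of one
 * switch driven by `state`, so a disassembler sees a single dispatcher loop
 * instead of the if/for structure. S_JUNK is a dead block reached only through
 * an opaque predicate that is always false (i*(i+1) is always even), i.e. the
 * "fake control flow" transform. Real tools such as OLLVM replace the readable
 * enum constants with random values and split blocks further. */
int accept_flattened(uint32_t stored_ctr, const uint8_t *msg, size_t len)
{
    enum { S_LEN, S_CTR, S_LOOP, S_BODY, S_JUNK, S_VERIFY, S_REJECT, S_DONE };
    int state = S_LEN, result = 0;
    uint8_t sum = 0;
    size_t i = 0;

    for (;;) {
        switch (state) {
        case S_LEN:    state = (len < 5) ? S_REJECT : S_CTR;                       break;
        case S_CTR:    state = (read_be32(msg) <= stored_ctr) ? S_REJECT : S_LOOP; break;
        case S_LOOP:   if (((i * (i + 1)) & 1) != 0) { state = S_JUNK; break; }  /* never taken */
                       state = (i < len - 1) ? S_BODY : S_VERIFY;                  break;
        case S_BODY:   sum ^= msg[i]; i++; state = S_LOOP;                         break;
        case S_JUNK:   sum = (uint8_t)(sum * 31 + 7); state = S_REJECT;            break; /* dead code */
        case S_VERIFY: result = (sum == msg[len - 1]); state = S_DONE;             break;
        case S_REJECT: result = 0; state = S_DONE;                                  break;
        default:       return result;                                               /* S_DONE */
        }
    }
}

/* Constructed test vectors: counter 5, payload "AB", XOR checksum 0x06. */
static const uint8_t good_msg[7]    = {0x00,0x00,0x00,0x05,0x41,0x42,0x06};
static const uint8_t bad_sum_msg[7] = {0x00,0x00,0x00,0x05,0x41,0x42,0x07};

/* Returns 1 if both versions agree on every vector (behavioural equivalence,
 * which is what an obfuscation pass must preserve). */
int flattening_preserves_behaviour(void)
{
    return accept_plain(3, good_msg, 7)    == 1 && accept_flattened(3, good_msg, 7)    == 1
        && accept_plain(5, good_msg, 7)    == 0 && accept_flattened(5, good_msg, 7)    == 0
        && accept_plain(3, bad_sum_msg, 7) == 0 && accept_flattened(3, bad_sum_msg, 7) == 0
        && accept_plain(3, good_msg, 4)    == 0 && accept_flattened(3, good_msg, 4)    == 0;
}

int main(void)
{
    printf("plain=%d flattened=%d equivalent=%d\n",
           accept_plain(3, good_msg, 7), accept_flattened(3, good_msg, 7),
           flattening_preserves_behaviour());
    return 0;
}
```

Flattening raises the cost of static analysis but does not change what the code computes, so it has to be paired with the other measures in this section: a key that sits in a dead block or a white-box table is still recoverable at runtime by someone with a debugger, which is why the SE and TEE options rank above software hardening in the evolution described earlier.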

4. Industry Standards – Tencent Cloud collaborates with the TEG security platform to define IoT security specifications, including a scoring system for smart‑lock products and a visual compliance badge. The goal is to promote consistent security practices across the IoT ecosystem.

Overall, the article presents a comprehensive technical overview of IoT security challenges, differentiators from traditional Internet security, and concrete capability‑building measures (TLS, secure chips, TEE, and software hardening) supported by industry‑level specifications.

Tags: TLS, industry standards, IoT security, secure chip, software hardening, TEE
Written by

Tencent Cloud Developer

Official Tencent Cloud community account that brings together developers, shares practical tech insights, and fosters an influential tech exchange community.
