JETFIRE: A Low-Cost, Trusted IoT Security Gateway (CMU-CyLab-20-002)

Many studies have pointed out security problems with IoT deployments. Given the diversity of devices and the lack of concerted efforts from device manufacturers to adopt best practices, recent efforts have recommended pragmatic “bolt on” security gateways at the network layer to secure IoT deployments using software-defined principles. While such gateways are an attractive option, they raise two natural concerns: (1) Can the gateway architecture be trusted? and (2) Can we deliver these benefits to low-cost deployments? This paper presents JETFIRE, a practical, low-cost system with built-in trust for software-defined security gateways. In designing and implementing JETFIRE, we make three key contributions: (1) A practical and deployable basis for trust using a micro-hypervisor root-of-trust; (2) A scalable low-cost system design and implementation to support fine-grained per-device policies; and (3) A formal analysis of the protection JETFIRE offers against infrastructure threats by construction.We demonstrate that JETFIRE provides intrinsic security against a broad spectrum of known attacks against such software-defined architectures. We also show that JETFIRE offers security at low cost; e.g., a $35 Raspberry Pi can effectively support custom per-device IPS instances for a small IoT deployment of 50+ devices. We also show an end-to-end validation of JETFIRE on a representative home IoT deployment.