Five years ago, Galen Hunt’s life changed forever.

Hunt, a Microsoft distinguished engineer and managing director of the company’s Azure Sphere Linux-based operating system for IoT, was in his office in Redmond, Washington, when a colleague came in and showed him a floorplan for a chip to be used in an Xbox controller, which combined a microcontroller and radio on a single die. It was the first time that he had ever seen such a device.

Hunt said that he realized very quickly that what he was looking at represented what he calls “the fifth generation of computing.” There are more than 9 billion microcontrollers built and sold every year, and Hunt understood that one day soon, nearly all of them would be connected to the internet. This, he understood, would have a profound impact on the way that companies interacted with their customers, enabling the “democratization of network connectivity” that would serve as the foundation of IoT.

But Hunt, who delivered a keynote address this week at the Design Automation Conference (DAC) here, soon felt his wonderment give way to something else entirely. “I very quickly went to a second emotion,” he told the DAC audience. “And that emotion was fear.”

The fear was well-founded. Hunt, a 22-year Microsoft veteran who led early research into cloud computing, understood right away that billions of connected microcontrollers would mean connecting to the internet billions of devices that were never intended to be connected to the outside world. Quoting a colleague, Hunt referred to the internet as “a cauldron of evil.”

Microcontrollers have for decades been the fundamental brains of many types of electronic devices. But only in recent times have these devices been connected to the outside world. Microcontrollers have traditionally had, at best, very rudimentary security because, prior to the advent of IoT, attacks on these devices required physical access to them.

But the connected microcontroller changes the game. Adding the ability to connect to the outside world dramatically expands the value of a microcontroller, providing a digital feedback loop that enables vendors to engage much more deeply with customers. It can also enable bad actors to access the device through the very same channel.

Galen Hunt, a Microsoft distinguished engineer, speaks at the Design Automation Conference Monday

By now, we are all familiar with the worst-case scenarios, some of which have actually been realized and some of which are still theoretical. A few years ago, hackers gained access to a Las Vegas casino’s database after taking control of a connected thermometer inside the casino’s fish tank. In 2013, hackers stole the details of millions of accounts from Target stores after hacking into a company that serviced Target’s HVAC systems. In 2016, the Mirai botnet attack knocked out internet service to much of the East Coast of the U.S. after taking control of millions of internet-connected devices. Bad guys have also knocked out utility services and hacked directly into connected cars.

To Hunt, these examples show that, in the age of IoT, the security of every device matters. There is no longer a question about whether the device you are building is substantial enough to warrant security features, because every IoT network is only as strong as its weakest link. Take the casino example: Hackers gained access to the casino’s entire network through something as seemingly inconsequential as the temperature sensor in the fish tank. Once inside the network, they could stay there as long as they wanted because they owned a device in the network, Hunt said.

“So how are we going to secure the 9 billion microcontrollers that are being built every year?” Hunt asked. “You might think it’s impossible. But I’m here to tell you that it’s possible and it’s practical.”

Seven properties of highly secure devices

Hunt is the lead author of the paper “The Seven Properties of Highly Secure Devices,” which describes (you guessed it) the seven properties that the group deems essential to making secure microcontrollers. Microsoft bills Azure Sphere as an end-to-end solution built on Azure Sphere-certified microcontrollers, the operating system, and Microsoft’s cloud security service.

Perhaps not surprisingly, Hunt touted Azure Sphere as a solution to the problem of IoT security. But Hunt also had a call to action for the entire DAC audience, whether working with Azure Sphere-certified devices or not: Make sure that the IoT devices you are creating have all seven properties described in his paper.

“Make sure the devices you are building are secure; make sure the devices you are buying are secure,” Hunt said.

“I don’t care if they have Azure Sphere or not,” he added. “What I care about is [that] they are secure, because I want to live in a secure world.”

Hunt advocates a layered approach to security. Any device, he argues, is susceptible to a determined hacker. Focusing security entirely on trying to keep hackers from accessing the device is essentially futile. The question is whether you have enough layers of security to detect a breach and stop an attack in its tracks, Hunt said.

He also advised the audience that building highly secure devices requires the technical expertise to stitch disparate security components into a gap-free, end-to-end solution. Amazing engineering, security expertise, and operational excellence are all required to build and maintain a highly secure device.

Architecture of the experimental Sopris Wi-Fi–enabled microcontroller, developed by Microsoft and Mediatek. (Source: Microsoft)

Security can’t be an afterthought, either. It can’t be something that is bolted onto a device just before it begins shipping, he said. “Security is foundational. You have to build it into your device from the very beginning. It has to be part of your thought process. It has to be part of your design process.”

Hunt also warned that maintaining device security in a connected world is an ongoing process — 24 hours a day, seven days a week. Diligent security requires continual evolution and the development of mitigations against new attacks.

“If you are building a device that connects to the internet, your problems don’t end when the device ships,” Hunt said. “Your problems begin when your device ships, because that’s the day that hackers begin to attack your device.”