Let's Combine Azure Sphere And TR-069 to Secure the Connected Home

  • Posted on: 7 March 2020
  • By: Patrick Oliphant

According to Cisco, there will be 29.3 billion networked devices on the internet by 2023; of these, Machine-to-Machine (M2M) connections will account for 14.7 billion, a 50 percent share. Families having their baby monitors hacked is a constant news item. We need solutions that can make the connected home a more secure environment. So, after hearing about the recent general availability of Microsoft’s Azure Sphere and knowing that we already have TR-069, I am thinking: why not use the best of both to fix this problem?

Azure Sphere, or the idea of it, has been a research project at Microsoft for some time, but it was officially launched to the public in April 2018. Microsoft describes Azure Sphere as its “integrated security solution for IoT devices and equipment” in the cloud. Though not as old as TR-069, it has a lot of potential to make IoT devices in the connected home more secure and protected. Using the latest software and cloud technology, Azure Sphere is able to mitigate security risk and close known security holes, making it harder for devices to be hacked.

As a first step, the chips supporting Azure Sphere are certified chips built by Microsoft’s partners. According to Microsoft, these chips provide the basis for security: the Azure Sphere chip provides the compute power and secured connectivity. The second step is that these chips, or microcontrollers, run the Azure Sphere operating system, which creates a secure software environment for software and services. Thirdly, there is the cloud-based Azure Sphere Security Service. This service connects with every single Azure Sphere chip, via the Azure Sphere operating system, and works with the operating system and the chip to keep the device secured throughout its lifetime.

To keep these devices up to date and secure, Microsoft will provide ongoing security monitoring of connected devices and, as it identifies new types of attacks and newly emerging security vulnerabilities, it will upgrade the operating system and the cloud services to mitigate them. So Microsoft will provide ongoing support and ongoing security improvements for these devices.

TR-069 is the Customer Premises Equipment (CPE) WAN Management Protocol (CWMP), which has been around for some time; it was introduced in 2004 by the Broadband Forum. It is the most widespread IoT management protocol and has made it easy for ISPs to manage subscriber devices such as broadband gateways, set-top boxes and SIP phones.

[Figure: TR-069]

For TR-069 to work as an end-to-end solution it needs an Auto Configuration Server (ACS), as shown above. The ACS resides in the ISP’s network and manages devices in the subscriber premises over the internet. “It uses the methods, or RPCs, defined in the TR-069 specifications to get and set the state of the device, initiate diagnostic tests, download and upload files, and manage events.” Unlike Azure Sphere, TR-069 is open: each ISP configures its devices specifically so that they can be managed by its own ACS.

According to the Broadband Forum, TR-069 is secure; device authentication has a number of options, such as username and password (HTTP Digest, so the password is not sent in the clear) and Secure Sockets Layer/Transport Layer Security (SSL/TLS), where certificates can be used to mutually verify the ACS’s and the device’s identities.
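To make the HTTP Digest option concrete, here is an added example (not from the original post or from the Broadband Forum) of the RFC 2617 digest exchange as a CPE would perform it against an ACS: the device proves it knows the password while only a hash appears on the wire, and the ACS rejects replayed nonces. The device name, realm and password are constructed sample values.

```python
# Added example: HTTP Digest (RFC 2617, qop="auth") between a TR-069 CPE and an ACS.
# "cpe-001", "acs.example.net" and the password below are constructed sample values.
import hashlib
import hmac
import secrets


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """CPE side: prove knowledge of the password without ever sending it."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class Acs:
    """ACS side: keeps H(user:realm:password), issues single-use nonces, verifies."""

    def __init__(self, realm: str):
        self.realm = realm
        self._ha1: dict[str, str] = {}
        self._nonces: set[str] = set()

    def enrol(self, username: str, password: str) -> None:
        self._ha1[username] = _md5(f"{username}:{self.realm}:{password}")

    def challenge(self) -> str:  # nonce sent in the 401 WWW-Authenticate header
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
        ha1 = self._ha1.get(username)
        if ha1 is None or nonce not in self._nonces:  # unknown device or replayed nonce
            return False
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{_md5(f'{method}:{uri}')}")
        if not hmac.compare_digest(expected, response):
            return False
        self._nonces.discard(nonce)  # each nonce is accepted once
        return True


def cpe_session(acs: Acs, username: str, password: str, nonce: str, uri: str = "/acs") -> tuple[bool, str]:
    """One Inform POST: returns (accepted by ACS, Authorization header as sent on the wire)."""
    cnonce = secrets.token_hex(8)
    resp = digest_response(username, acs.realm, password, "POST", uri, nonce, "00000001", cnonce)
    header = (f'Digest username="{username}", realm="{acs.realm}", nonce="{nonce}", uri="{uri}", '
              f'qop=auth, nc=00000001, cnonce="{cnonce}", response="{resp}"')
    return acs.verify(username, "POST", uri, nonce, "00000001", cnonce, resp), header
```

Digest keeps the password off the wire but the MD5 response can still be guessed offline by anyone who captures it, which is why running the session over TLS, as the Forum also allows, remains the stronger choice.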

TR-069 and Azure Sphere have distinct differences. The main one is that TR-069 is a protocol which can sit on any operating system, so manufacturers can choose which operating system (OS), and whose, they want to put on their devices’ microcontroller, whereas Microsoft’s Azure Sphere is an all-in-one OS solution which sits on the microcontroller. I don’t think this should be an obstacle to achieving better security for connected devices.

With TR-069 having been around for such a long time and Azure Sphere just arriving, I think both can work together to make our homes more secure. Current services that involve TR-069 seem only to cater for edge devices like home gateways and set-top boxes. However, with an increasing number of home appliances, such as refrigerators, having internet connection capability and actually connecting, there needs to be a service to keep these updated and secure.

[Figure: Azure Sphere]

The Azure Sphere OS security approach is centralised; Microsoft will manage all its security updates and system upgrades as it does for its Windows operating system. The manufacturer will also have an input, as they will need to, say, update the software on the device. We might need this approach in the home, where smart devices connected to the internet get updates when needed. How this will work I will leave to manufacturers and others to decide; this could also be a business opportunity for those wanting part of this market.