The Internet of Things security crisis persists, as billions of inadequately secured webcams, refrigerators, and more flood homes around the world. But IoT security researchers at Microsoft Research have their eye on an even larger problem: the billions of gadgets that already run on simple microcontrollers—small, low-power computers on a single chip—that will gradually gain connectivity over the years, exponentially expanding the internet of things population. And that connected electric toothbrush needs protection, too.

The challenge with internet of things security so far has been the cost of implementing hardened features. It's cheaper and faster to develop a product without spending time and resources on security. Devices rush off the line without adequate protections, often riddled with bugs, and rarely have a mechanism for manufacturers to distribute patches. An attacker who penetrates those IoT devices can potentially steal data, rope the unit into a botnet, or even use it as a jumping off point to infiltrate other parts of a network.

At least for those full-featured IoT devices, fixes exist, even if they're rarely or poorly implemented. Smaller peripheral devices that run on microcontrollers, though, don't have the compute power to spare on security steps like encrypting data, or scanning for anomalous behavior. So Microsoft Research has poured its IoT efforts into Project Sopris, placing the IoT security focus to microcontrollers, while keeping costs down.

“Everything you interact with that you don’t typically think of as a computer has some kind of microcontroller in it, and over the next five to 10 years we believe that those devices will all be replaced by versions of the devices that will be interconnected,” says Galen Hunt, the managing director of Project Sopris. Think blenders, hair dryers, and other unlikely but inevitable connected accessories. “The manufacturers of those devices are very woefully unprepared for the security challenges of the internet. So what we set out to do was see if we could figure out how to help those devices be secure and also accelerate the learning of the manufacturers of the devices."

7 Habits of Highly Effective Microprocessors

The Project Sopris microcontroller prototype is designed to incorporate what Microsoft terms the "Seven Properties of Highly Secure Devices," a common-sense melange of best practices. It includes the usual suspects, like enabling regular software updates, and requiring devices to store cryptographic keys in a secure part of the hardware. Hunt says they built the chip with “recognition that you build in security and then you also have to have mechanisms so that if in the future hackers get more clever, you are able to—without the consumer doing anything—be able to update and improve the security on the device.”

'The manufacturers of those devices are very woefully unprepared for the security challenges of the internet.' Galen Hunt, Microsoft

Stuffing so many elements onto a microcontroller asks a lot of such a tiny processor, so the Sopris chip includes a secondary security processor that handles much of the cryptographic overhead. That specialized processor also does periodic software audits to check for deviations or any misbehavior. If it finds something, it can reset individual processes—or the whole device—as needed.