IoT-ID: A novel device-specific identifier based on unique hardware fingerprints

A significant number of IoT devices are being deployed in the wild, mostly in remote locations and in untrusted conditions. This could include monitoring an electronic perimeter fence or a critical infrastructure such as telecom and power grids. Such applications rely on the fidelity of data reported from the IoT devices, and hence it is imperative to identify the trustworthiness of the remote device before taking decisions. Existing approaches use a secret key usually stored in volatile or non-volatile memory for creating an encrypted digital signature. However, these techniques are vulnerable to malicious attacks and have significant computation and energy overhead. This paper presents a novel device-specific identifier, IoT-ID that captures the device characteristics and can be used towards device identification. IoT-ID is based on physically unclonable functions (PUFs), that exploit variations in the manufacturing process to derive a unique fingerprint for integrated circuits. In this work, we design novel PUFs for Commercially Off the Shelf (COTS) components such as clock oscillators and ADC, to derive IoT-ID for a device. Hitherto, system component PUFs are invasive and rely on additional dedicated hardware circuitry to create a unique fingerprint. A highlight of our PUFs is doing away with special hardware. IoT-ID is non-invasive and can be invoked using simple software APIs running on COTS components. IoT-ID has the following key properties viz., constructability, real-time, uniqueness, and reproducibility, making them robust device-specific identifiers.

We present detailed experimental results from our live deployment of 50 IoT devices running over a month. Our edge machine learning algorithm has 100% accuracy in uniquely identifying the 50 devices in our deployment and can run locally on the resource-constrained IoT device. We show the scalability of IoT-ID with the help of numerical analysis on 1000s of IoT devices.