Even as more and more reports are surfacing highlighting the growing “attack surface” associated with the expansion of the IoT, security solutions are being created that are not only outside the box (for example use of blockchain technologies) but outside our current sphere of definitions when it comes to keys and encryption.
Trustonic has, according to their data, provisioned security keys into over 1.2 billion devices to date. Their provisioning of devices embeds a “Root of Trust” that verifies each and every message coming from each specific device, and earlier this month the company announced an extension of its core technology with “Digital Holograms™.”
Richard Hayton, CTO of Trustonic, explained that these holograms enable web services to determine the full lifecycle of an IoT device, to discern its authenticity and its rights to access the cloud service. “These holograms extend our key provisioning scheme, adding an extra aspect of defense through more granular root of trust personalization.”
When we asked why the current approach isn’t enough, Hayton explained that the IoT ecosystem is young and fragmented, and that traditional security is hard. Unless you make security simple, many manufacturers will simply attempt to do without.
“The Root of Trust and X.509 certificate are sufficient to secure one-time events, for example that the device was produced in a trusted factory with a key injected, but due to the complexity of its value chain, IoT requires more sophistication. However, in IoT applications, the same basic chip design or low-level module may be used in countless different devices from different manufacturers.”
This makes sense, particularly given the growing, dynamic IoT ecosystems fueling the maturation of large-scale, commercially viable IoT systems.
“For IoT, attestation of a whole series of manufacturing events is required,” Hayton said, “not just attestation of a single event.”
Curious about the choice of the word hologram, which many of us associate with virtual humans created through the transmission of dimensional light, Paul Butterworth, Strategic Marketing Director at Trustonic, explained, “Holograms have long been used to verify the authenticity of physical products, like credit cards, and more. Holograms provide a literal multidimensional identity; our Digital Holograms do the same thing, adding layers of security beyond the initial key.”
In summary, Digital Holograms are secure serial numbers, which are distributed by Trustonic to OEMs, ODMs and others in the device manufacturing and distribution worlds, to represent a specific manufacturing or lifecycle event. They are later associated with a particular device.
For example, the product manufacturer can add a new Digital Hologram to record that a device has been assigned a specific model number, has passed through a QA process, or has been recalled or serviced.
Digital Holograms are injected into the device during the manufacturing process and are stored securely. For example, on an ARMv8-M based device, they would typically be stored in a region of the flash protected by TrustZone. They are chained together in a blockchain, to prevent anyone from tampering with a device’s history.
Can Digital Holograms be stolen or otherwise breached?
According to Hayton, “Digital Holograms are single use only, and once they are bound to a specific device they are cryptographically protected against re-use or theft.”
Multiple Digital Holograms can be embedded in the original manufacturing process, or at another point in the subsequent lifecycle. “What makes this approach different is that it solves for individual events,” Hayton said. “We’ve worked closely with smart product manufacturers and their partners to even solve for quality assurance in the security process. If a step is missed, for example, due to IP theft or overproduction, the faulty / counterfeit devices will miss one or more of the required Digital Holograms and the omission can easily be detected – either during a later stage of production or once the device is deployed in the field.”
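To make the chaining and the missed-step detection concrete, here is an added illustrative model; it is not Trustonic’s code, and the device key, serial format, event names and required-event policy are constructed assumptions. Each hologram serial is bound to the device with a keyed hash and linked to the previous entry, so a tampered, reordered, reused or missing event breaks verification.

```python
import hashlib
import hmac
import json

# Constructed per-device key, standing in for the key injected by the Root of
# Trust at manufacture. On a real device it never leaves protected flash.
DEVICE_KEY = b"constructed-device-key-0001"
DEVICE_ID = "dev-0001"
GENESIS = "0" * 64

# Hypothetical lifecycle policy: a genuine device must carry all of these.
REQUIRED_EVENTS = ("chip_manufactured", "model_assigned", "qa_passed")


def _tag(body: dict, key: bytes) -> str:
    """Keyed hash over a canonical encoding; only the key holder can forge it."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def bind_event(prev_tag: str, event: str, serial: str, key: bytes = DEVICE_KEY) -> dict:
    """Bind one single-use serial (the 'hologram') to this device and chain it."""
    body = {"prev": prev_tag, "event": event, "serial": serial, "device": DEVICE_ID}
    return dict(body, tag=_tag(body, key))


def build_chain(events, key: bytes = DEVICE_KEY) -> list:
    chain, prev = [], GENESIS
    for i, event in enumerate(events):
        entry = bind_event(prev, event, f"SERIAL-{i:04d}", key)
        chain.append(entry)
        prev = entry["tag"]
    return chain


def verify_chain(chain, key: bytes = DEVICE_KEY) -> tuple:
    """Return (ok, reason): checks linkage, tags, serial re-use and required events."""
    prev, seen = GENESIS, set()
    for entry in chain:
        if entry["prev"] != prev:
            return False, "broken link"
        body = {k: entry[k] for k in ("prev", "event", "serial", "device")}
        if not hmac.compare_digest(_tag(body, key), entry["tag"]):
            return False, "bad tag"
        if entry["serial"] in seen:
            return False, "serial reused"
        seen.add(entry["serial"])
        prev = entry["tag"]
    present = {e["event"] for e in chain}
    missing = [e for e in REQUIRED_EVENTS if e not in present]
    if missing:
        return False, "missing events: " + ",".join(missing)
    return True, "ok"
```

A verifier holding only the device’s metadata can thus tell a device that skipped QA (a missing hologram) from one whose history was edited after the fact (a bad tag or broken link).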
Trustonic has also taken compliance into consideration; as pathways are lit up, the journey a device takes from inception to provisioning is recorded, enabling auditing with clear evidence and reporting.
Trustonic maintains metadata on all devices and Digital Holograms and can report back to the web service to confirm the series of manufacturing and lifecycle events that the device went through.
“The attestation message is cryptographically linked to a custom payload which enables the device to not only attest that it is genuine, but also that a specific message originated from it,” Hayton explained, “which we believe is completely unique to the market.”
The company continues to demonstrate how devices can automatically enroll with an AWS web service, for example, using attestation to prove the AWS Certificate Signing Request originated from a legitimate device, which triggers a corresponding TLS certificate to be automatically provisioned.
This was demonstrated on devices using both an ARM Cortex-A9 processor (the ARTIK 530) and an ARM Cortex-M23 processor (the Nuvoton M2351).
“We’re very active across any number of IoT security initiatives, building on our success in locking down smartphones and other pre-IoT endpoints,” Hayton said. “We’re leveraging the blockchain and see it as a significant advance, particularly when it comes to securing ecosystems where data is shared with many systems through APIs. We’re also confident that we are now aligned with the ‘silicon economics’ of consumer and industrial IoT. As the ecosystem scales up into millions and billions of end-points, the pricing of the tech that brings trust must work from a business perspective, to ensure smart end-points with affordable sensors, chips and software licensing models can be mass produced.”
Edited by Ken Briodagh