Call for IoT security paradigm change

As the Internet of Things (IoT) grows rapidly, concern over IoT security is escalating as well. The root problem is that most IoT companies, including device manufacturers and service providers, have been interested in deploying lightweight objects only to meet low-power and low-cost needs. They have also ignored embedded security on IoT devices because security is considered expensive and difficult. As a consequence, most IoT devices have become easy to hack and to use for massive attacks on the Internet.

Even though multiple warnings calling for comprehensive countermeasures against a variety of security vulnerabilities in IoT devices have been raised over the last several years, there is still no effective countermeasure apart from several guidelines, including the Broadband Internet Technical Advisory Group (BITAG)'s recommendation and GSMA's IoT Security Guidelines for Endpoint Ecosystems, both issued in November 2016. To meet these guidelines, industry-leading companies have suggested using an existing, non-secure microcontroller unit (MCU) together with a secure element (SE) chip. Although this combination provides much better security than a regular, non-secure MCU alone, it creates a new problem: cost. A two-chip solution not only costs more because of system complexity but also does not provide enough security features for the cost. A secure MCU with embedded SE functionality is therefore needed. Such a secure MCU shall have security features including secure boot, secure storage, true random number generation, unique key retention, code-signed updates, and so on.

I am pleased to introduce eWBM's secure SoC, the MS500. This unique MCU satisfies most of the chip-related security guidelines with minimal cost increase: the MS500 provides the Trusted Computing Base (TCB) suggested by GSMA's guideline. One can enjoy powerful computational performance from a 100 MHz ARM Cortex-M0 core with both hardwired symmetric (AES/SHA) and asymmetric (RSA/ECC) cryptography engines.

In addition, thanks to the MS500, a higher level of end-to-end security based on mutual authentication is now possible. With the MS500, Perfect Forward Secrecy (PFS) using ephemeral asymmetric key pairs is possible in any endpoint architecture (device to server, device to device). One can also protect the data stream between endpoints using the high-speed symmetric cryptography engines built into the MS500 (up to 50 MB/s).
Therefore, one can claim that the security level of an IoT device using the MS500 is in fact stronger than that of an LTE device, which provides authentication-only security using an SE chip. Until now, many people have cited price and power consumption as excuses for not providing strong enough security features in IoT devices. Thanks to the MS500, such excuses are no longer acceptable. The paradigm of IoT security is now changing from devices with little or no security to devices that are more secure than ever.
