Estimates of the number of connected (IoT) systems by 2020 vary depending on the source, but we should see in the range of 30 billion IoT devices by that date. We already know some of the basic requirements: such a device will have to be connected, low cost, ultra-low power and… secure. The first three are key enablers, but we can accept some trade-offs, for example paying a small extra cost for a device that is really low power, so you only change the battery after 3 years instead of one. But do we really want to trade off the security? I think there is a consensus that an IoT device will have to be protected against external aggression, hackers and malware. While developments will certainly be made at the software level to increase the security of such IoT systems, it is probably a good idea to start at the H/W level and use a secure MPU core, like the ARM SecureCore SCx00 family, which is currently serving secure markets like smart cards for Pay TV, banking or SIM applications.
If we zoom in on the secure ARM core area (pictured below: a modern application processor combining a TrustZone® based TEE and hypervisor), we see that the TrustZone vertical band builds a physical and logical separation between the “trusted execution environment” (on the right), where only trusted Apps are allowed to run on a Trusted OS, and the left part of the core, where you can run Enterprise or Personal Apps. If you want to know in more detail about the various features developed to guarantee that the core is secure, you should read this white paper from ARM:
“GlobalPlatform based Trusted Execution Environment and TrustZone ready” (TrustZone WP)
Among others, you will learn:
Processor Security Controls Limit Access and cannot be Bypassed
Legacy systems can often provide unnecessary modes of operation which, when misconfigured or left enabled, can allow security controls to be bypassed. An example of this cited by CESG is the ‘System Management Mode’ (SMM) of x86 architectures. The TrustZone® security extensions have a monitor mode which provides a single point of entry into the Trusted World which cannot be bypassed.
Direct Memory Access (DMA) is Limited and Controlled
The TrustZone® security extensions place an additional bit, known as the NS (or Non-secure) bit on the AXI system bus. These bits indicate if a transaction can be secure, and are used to indicate the processor state when the transaction was requested. For instance, when executing within the Trusted Execution Environment the transaction will be secure, and non-secure while in normal operation and executing within Android, Linux or any other conventional operating system.
DMA from External Devices is Additionally Protected
It is strongly recommended by ARM that the NS bit, if taken off chip, forces all transactions from external masters to be non-secure, so that secure peripherals, whether RAM, fuses, or IO, can only be controlled by on-chip bus masters. Once exposed off chip, with access to the rest of the AXI system bus, if an attacker could force the line to the secure state, they could force a secure address access.
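To make the two points above concrete (the NS bit travelling with each bus transaction, and off-chip masters being forced non-secure), here is an added example written for this post; it is not code from the original article, from ARM, or from the white paper. It models an address filter in front of the AXI bus: every transaction carries the location of its master, the NS value that master drove, and a target address. The address map (secure RAM, a fuse block, normal DRAM) and all addresses are constructed for illustration and do not correspond to any real SoC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Where a bus master physically sits. Off-chip masters get their NS bit
 * forced to 1 at the chip boundary, as the white paper recommends. */
typedef enum { MASTER_ON_CHIP = 0, MASTER_OFF_CHIP = 1 } master_loc_t;

/* One entry of a constructed address map (hypothetical addresses). */
typedef struct {
    uint32_t    base;
    uint32_t    size;
    int         secure_only;   /* 1: reachable only when NS == 0 */
    const char *name;
} region_t;

static const region_t regions[] = {
    { 0x10000000u, 0x00010000u, 1, "secure RAM"  },
    { 0x20000000u, 0x00001000u, 1, "fuse block"  },
    { 0x80000000u, 0x10000000u, 0, "normal DRAM" },
};

/* Result codes returned by bus_transaction(). */
enum { TX_UNMAPPED = -1, TX_DENIED = 0, TX_ALLOWED = 1 };

static const region_t *lookup_region(uint32_t addr)
{
    size_t n = sizeof regions / sizeof regions[0];
    for (size_t i = 0; i < n; i++) {
        /* addr - base < size avoids overflow at the top of the 32-bit map */
        if (addr >= regions[i].base && addr - regions[i].base < regions[i].size)
            return &regions[i];
    }
    return NULL;
}

/* The NS value the filter actually sees: whatever an on-chip master drove,
 * but always 1 for an off-chip master, so it can never claim secure state. */
int effective_ns(master_loc_t loc, int requested_ns)
{
    if (loc == MASTER_OFF_CHIP)
        return 1;
    return requested_ns ? 1 : 0;
}

/* Model of the address filter: a secure-only region accepts a transaction
 * only if the effective NS bit is 0. Non-secure regions accept anything;
 * addresses outside the map are reported as TX_UNMAPPED. */
int bus_transaction(master_loc_t loc, int requested_ns, uint32_t addr)
{
    const region_t *r = lookup_region(addr);
    if (r == NULL)
        return TX_UNMAPPED;
    if (r->secure_only && effective_ns(loc, requested_ns) != 0)
        return TX_DENIED;
    return TX_ALLOWED;
}

int main(void)
{
    /* Constructed transactions: two from on-chip masters in each world,
     * two from an off-chip DMA engine, one of which tries to drive NS=0. */
    struct { const char *who; master_loc_t loc; int ns; uint32_t addr; } cases[] = {
        { "Trusted World driver, NS=0 -> secure RAM",   MASTER_ON_CHIP,  0, 0x10000010u },
        { "Android driver, NS=1 -> secure RAM",         MASTER_ON_CHIP,  1, 0x10000010u },
        { "off-chip DMA claiming NS=0 -> fuse block",   MASTER_OFF_CHIP, 0, 0x20000000u },
        { "off-chip DMA, NS=1 -> normal DRAM",          MASTER_OFF_CHIP, 1, 0x80001000u },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = bus_transaction(cases[i].loc, cases[i].ns, cases[i].addr);
        printf("%-44s %s\n", cases[i].who,
               rc == TX_ALLOWED ? "allowed" : rc == TX_DENIED ? "DENIED" : "unmapped");
    }
    return 0;
}
```

The third case is the one the white paper warns about: the external master drives NS=0, but because the chip boundary forces the bit to 1 before the filter sees it, the access to the fuse block is denied just as if the master had been honest. The same check is what stops a Normal World driver (second case) from reaching secure RAM, so a single rule on the bus covers both the processor and DMA paths.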
Secure Credential Storage
The Trusted World can be used to securely store and manage private keys. The actual encryption or decryption can then occur within the Trusted World at the request of applications in the Normal World, without ever compromising the security of the keys.
Thanks to the Silicon Valley Bank (SVB), you can get an idea of the segmentation of the IoT market into ten segments. I have made a tentative ranking in terms of security needs for each segment. The goal is to rank them as « Life Critical », « Industry » (sensitive data at company level) or « Wallet » (linked to the need to protect your day-to-day payments). If we consolidate these data, we can see that no less than 33% of the companies have a security need at the « Life Critical » level, 64% deal with company-sensitive data and only 6% with data directly impacting your « Wallet ». In fact, this means that all of the IoT players will need to build secure systems, and some of them, dealing with life-critical data, may need to add an extra level of security (like redundancy, for example) to process and protect the data.