Originally published August 26, 2016 by Paul Ridgewell
We spoke with Abhijeet Rane, VP Marketing at Sequitur Labs Inc., about the challenges associated with IoT security.
As a bit of background, Fall City, Washington-based Sequitur Labs was incorporated in 2010 and develops technologies designed to improve the security and manageability of connected devices. The company supports ARM’s TrustZone in its flagship product, CoreTEE, which is a standards-compliant Trusted Execution Environment (TEE) for ARM Cortex–A based microprocessor platforms.
With the growth of the IoT, there is a clear need to protect data and applications, and Sequitur Labs states that CoreTEE has been designed specifically with IoT security in mind. Indeed, for Rane, only when each node in the system is secure can system-wide security truly be assured. And once device integrity and authenticity have been taken care of, attention must then be turned to ensuring that the management of the system itself is secure, with commands to devices strictly verified and validated. This involves having a ‘root of trust’ on devices. Also, like all TEEs, which compartmentalise and isolate assets so they are safe from malware attack, it requires the embedding and isolation of certain components in a ‘secure world’ in order that incoming commands can be securely verified.
“The progression we’re seeing is the need to connect, secure and then manage the system. One of the things we realized early on is that security needs to be at the foundation of all of these devices.”
The priority is that security should be built in rather than bolted on, as this is the only way that device integrity and authenticity can reliably be achieved. Achieving this means security must be given due consideration early on in the design cycle. For example, if initial analysis suggests that cryptography components must be implemented, then that will have an impact on board design. Similarly, if the design dictates that persistent memory must be secured then the driver must reside in the TEE, which again has an impact on board design.
While few in the industry are currently engaging fully with such considerations, there is a sense now that awareness is growing, and that greater attention is being given to technologies such as TrustZone and CoreTEE. In particular, there is an expectation that the more security-focused sectors – such as financial, medical devices and automotive – will lead the way in terms of building in strong IoT security.
Rane also believes that the threat from state-sponsored hacking is currently under appreciated, and in particular that the potential for attacks on edge devices, such as web cams, is not being sufficiently considered. This includes cases where they are being used to monitor sensitive locations, such as factory floors or pipelines. Such threats, he believes, require Trustzone-like capabilities to be brought to the Cortex M class, something that is also beginning now to take place.
We wish to thank Abhijeet for his time and valuable insights into security in the IoT era. IoT is a key theme for Scrutinise Research and Analysis and we will be speaking with established and up-and-coming vendors in security and IoT, as well as regulators and industry and consumer associations as we put together our report “Securing the Internet of Things”. If you would like more information or would be interested in being a source, please get in touch.
Image source: Sequitur Labs
The progression we’re seeing is the need to connect, secure and then manage the system. One of the things we realized early on is that security needs to be at the foundation of all of these devices.
© 2018 by Sequitur Labs Inc. All Right Reserved.