IoT gets a security boost on hardware level
TOKYO — NXP Semiconductors is bringing to edge devices for Google IoT Cloud the same level of security used in banking.
The Dutch semiconductor vendor unveiled Monday “a solution for secure, scalable connections of devices using NXP’s A71CH to Google IoT Cloud.”
NXP calls its A71CH “a trust anchor,” because NXP pre-injects private device credentials into the A71CH for autonomous cloud onboarding and authentication, while public keys are delivered to the customer via an NXP web interface.
By implementing its trust provisioning service “at the chip level,” Philippe Dubois, senior director and general manager of IoT security solutions at NXP, told EE Times, “Keys are never exposed to any party during the lifetime of a device.” This allows “offloading the cost of ownership and complexity of key management from OEMs,” according to NXP.
‘Security by design’ made easy
“Security by design” is a familiar mantra, but for a first-time IoT system designer, what exactly does it mean? What would it take to implement the rigorous security that appears to be demanded of IoT devices in recent days?
This pressure applies, for example, to the development of connected industrial devices, sensor networks, IP cameras, smart home devices, home gateways and smart cities.
Asked about traditional steps to bring security to IoT devices, Dubois laid out several paths.
First, a manual provisioning process is often used in small deployments. For example, there is the “provisioning of devices with credentials done one by one,” he noted. However, this is not optimal, because “it’s not secure (manipulating key in plaintext) and lends itself to errors (human error),” said Dubois. In particular, “it is difficult to scale when more devices are needed… impossible for deployment of millions of devices.”
A second option is an “in-house provisioning system” for large deployments.
Dubois explained: “Some OEMs invest in a costly manufacturing line for secure provisioning, to ensure keys are kept safe, and credentials are injected in a trusted environment, in a facility with security features like tightly controlled access, careful personnel screening, and secure IT systems that protect against cyberattacks and theft of credentials. This is what is called PKI infrastructure.”
For small and medium deployments, the cost vs. revenue balance makes this unprofitable, according to Dubois. PKI infrastructure “has a very high cost and is limited only to large deployment,” he said.
Third, presumably, one could provision via a contract manufacturer (CM). This is an option for a majority of OEMs. Dubois explained that some OEMs choose to provision devices at their CM. But in this case, the OEM has no “guarantee” on the trust of his credentials. That is because “keys may be stolen at CM and communicated to malicious parties, or infrastructure at CM may be weak, especially when the CM is in regions like China,” he added.
Dubois noted that this system poses major inconveniences. For example, if an OEM is linked to a CM through the provisioning system, there’s little flexibility to move to another CM. That is because this change would require the OEM to invest in a new connection to a new CM provisioning system.
“NXP Secure Trust Provisioning service, implemented at the chip level,” makes sense, according to Dubois. “With the A71CH, designers can safely connect to IoT clouds and services without writing security code or exposing keys for applications,” he noted.
Are there other chip vendors offering similar solutions with pre-injected credentials?
Dubois told us that Microchip has one. However, NXP’s A71CH “allows high customization for regions with different requirements,” he stressed. “That’s what differentiates us.”
Dubois added, “NXP also focuses on the China market.” It has “developed in parallel a purpose-built security solution for service providers there including Baidu and Alibaba.” Hence, NXP’s claim for scalability.
He claimed in a statement, “Our solution aims to solve scalability and complexity issues commonly associated with securing and managing edge devices. We’re happy to see Google Cloud embrace and encourage security in next-generation devices.”
NXP explained that injection of device credentials can be made at NXP secure manufacturing facilities or through NXP approved programming partners.
— Junko Yoshida, Global Co-Editor-In-Chief, AspenCore Media, Chief International Correspondent, EE Times