In this IoT era of connected devices, microcontrollers have begun taking on new roles and gaining new capabilities revolving around embedded security. MCU vendors are embedding ever-more sophisticated security features into their MCU devices and other supporting security solutions.
As the Internet-of-Things (IoT) phenomenon proliferates, platforms of all kinds are getting more connected—everything from factories to cars to consumer devices. For their part, microcontrollers (MCUs) are key components in those connected systems. In turn, those MCUs have in recent years had to embed ever-more sophisticated security features on chip.
No single category of technology is the sole piece of the embedded security puzzle. The problems are multi-faceted: preventing intrusions by hackers, encrypting the data in case an intruder gets in, ensuring the components themselves aren’t tampered with—there are many layers to consider. Everything from application software to operating systems to data storage has a role to play in security. For the purposes of this article, we’ll focus on the technology solutions in the form of security-focused MCUs, software tool solutions and dedicated security edge devices. Over the last 12 months, the leading MCU vendors have beefed up those embedded security capabilities in a variety of diverse ways.
According to Julian Watson, senior principal analyst, IoT Connectivity at IHS Markit, the exponential growth of IoT devices is expected to continue on its upward trend and is predicted to jump an average of 12% per year from 27.8 billion units in 2017 to over 135 billion units in 2030. More IoT devices in the market means that more of consumers’ personal data is at risk and designers of these devices need to be responsible for ensuring that the IoT ecosystem is genuinely safe and secure for users.
PSOC MCU FOR IoT SECURITY
Exemplifying those trends, in February Cypress Semiconductor released a new line of its PSoC 6 MCUs aimed at IoT security. The PSoC 64 Secure MCUs integrate standards-based system layer security software with the hardware layer features available in the ultra-low-power PSoC 6 architecture. Specifically, PSoC 64 Secure MCU devices provide an isolated root-of-trust with true attestation and provisioning services (Figure 1).
In addition, the product line includes devices that deliver a pre-configured secure execution environment supporting the system software of various IoT platforms, providing TLS authentication, secure storage and secure firmware management. The MCUs also include a rich execution environment for application development, with an embedded RTOS from Cypress’ ModusToolbox suite that manages communication with the secure execution environment.
PSoC 64 Secure MCUs were one of the first Arm Cortex-M processors to be certified as Level 1 compliant within the Arm Platform Security Architecture (PSA) certification scheme, PSA Certified, utilizing a secure Trusted Firmware-M (TF-M) implementation integrated into the Arm Mbed OS open-source embedded operating system. The line is well suited for cloud-connected products that require protection of user data and trustworthy firmware updates, including personal healthcare devices, medical and chronic disease management equipment and home security solutions.
The line of PSoC 64 Secure MCUs is supported in Cypress’ ModusToolbox suite, which will allow designers to select the system firmware of secure IoT platforms—such as Amazon Web Services (AWS), Arm Pelion and Alibaba—to develop their application, and then configure and verify their secure boot images. The MCUs include a hardware-based root-of-trust consisting of secured storage and firmware, establishing a command-based set of trusted services. The root-of-trust includes hardware accelerated cryptography, as well as true random number generation (TRNG).
ULTRA-SMALL SECURE MCUs
The latest MCU from Renesas Electronics with an IoT security twist was rolled out in July. The company announced four new RX651 32-bit MCUs supplied in ultra-small 64-pin BGA and LQFP packages. The MCUs are aimed at addressing advanced security needs for endpoint devices employing compact sensor and communication modules in industrial, network control, building automation and smart metering systems operating at the IoT edge. The new lineup expands Renesas’ RX651 MCU Group with a 64-pin (4.5 mm x 4.5 mm) BGA package that reduces footprint size by 59% compared to the 100-pin LGA, and a 64- pin (10 mm x 10 mm) LQFP that offers a 49% reduction versus the 100-pin LQFP.
The RX651 MCUs integrate connectivity, Trusted Secure IP (TSIP) and trusted flash area protection that enable flash firmware updates in the field through secure network communications (Figure 2). The increase in endpoint devices operating at the edge has increased the need for secure over-the-air (OTA) firmware updates. The new RX651 devices support this reprogramming requirement with integrated TSIP, enhanced flash protection and other technology advancements that offer a more secure and stable solution than other available solutions on the market.
The small 64-pin MCUs with enhanced security features are based on the high-performance RXv2 core and 40 nm process that provide superior performance with a 520 CoreMark score at 120 MHz, and strong power efficiency with a 35 CoreMark/mA score as measured by EEMBC Benchmarks. The integrated dual-bank flash memory enables engineers to realize high root-of-trust levels through a combination of TSIP that protects the encryption key; encryption hardware accelerators including Data Encryption Standard (3DES), Advanced Encryption Standard (AES), Rivest–Shamir–Adleman (RSA), Secure Hash Algorithms (SHA) and true random number generator (TRNG)—and code flash area protection to protect boot code from reprogramming. The dual bank flash function supports both BGO (Back Ground Operation) and SWAP, making it easier for manufacturers to securely and reliably execute in-the-field firmware updates.
LoRa DEVICE SECURITY
LoRaWAN continues to be a key wireless connectivity technology for IoT applications. According to Microchip Technology, as the LoRa technology ecosystem accelerates, security remains an area for improvement in the market due to vulnerabilities that leave the network and application server keys accessible in the memory of modules and MCUs paired with a LoRaWAN stack. If keys are accessed in a LoRaWAN device, a hacker can impersonate it and authorize fraudulent transactions, which can result in a scalable attack with substantial losses in service revenue, recovery costs and brand equity.
Addressing those issues, in February Microchip Technology, in partnership with The Things Industries, announced the industry’s first end-to-end security solution that adds secure, trusted and managed authentication to LoRaWAN devices at a global scale. The solution brings hardware-based security to the LoRa ecosystem, combining the MCU- and radio-agnostic ATECC608A-MAHTN-T CryptoAuthentication device with The Things Industries’ managed join servers and Microchip’s secure provisioning service (Figure 3).
The joint solution significantly simplifies provisioning LoRaWAN devices and addresses the inherent logistical challenges that come with managing LoRaWAN authentication keys from inception and throughout the life of a device. Traditionally, network and application server keys are unprotected in the edge node, and unmonitored, as LoRaWAN devices pass through various supply chain steps and are installed in the field. The Common Criteria Joint Interpretation Library (JIL) “high”-rated ATECC608A comes pre-configured with secure key storage, keeping a device’s LoRaWAN secret keys isolated from the system so that sensitive keys are never exposed throughout the supply chain nor when the device is deployed.
SAFELY PROVISIONED KEYS
Microchip’s secure manufacturing facilities safely provision keys, eliminating the risk of exposure during manufacturing. Combined with The Things Industries’ agnostic secure join server service to the LoRaWAN network and application server providers, the solution decreases the risk of device identity corruption by establishing a trusted authentication when a device connects to a network.
Similar to how a prepaid data plan works for a mobile device, each purchase of an ATECC608A-MAHTN-T device comes with one year of managed LoRaWAN join server service through The Things Industries. Once a device identifies itself to join a LoRaWAN network, the network contacts The Things Industries join server to verify that the identity comes from a trusted device and not a fraudulent one. The temporary session keys are then sent securely to the network server and application server of choice. The Things Industries’ join server supports any LoRaWAN network, from commercially operated networks to private networks built on open-source components. After the one-year period, The Things Industries provides the option to extend the service.
Microchip and The Things Industries have also partnered to make the onboarding process of LoRaWAN devices seamless and secure. LoRaWAN device identities are claimed by The Things Industries’ join server with minimal intervention, relieving developers from needing expertise in security. Customers can not only choose any LoRaWAN network but can also migrate to any other LoRaWAN join server by rekeying the device. This means there is not a vendor lock-in and customers have full control over where and how the device keys are stored.
The ATECC608A is agnostic and can be paired with any MCU and LoRa radio. Developers can deploy secure LoRaWAN devices by combining the ATECC608A with the SAM L21 MCU, supported by the Arm Mbed OS LoRaWAN stack, or the recently-announced SAM R34 System-in-Package with Microchip’s LoRaWAN stack. For rapid prototyping, designers can use the CryptoAuthoXPRO socket board and The Things Industries provisioned parts in samples with the SAM L21 Xplained Pro (atsamd21-xpro) or SAM R34 Xplained Pro (DM320111).
Safely storing data with sensitive information is a major issue for IoT device development. With that in mind, in January, Maxim Integrated announced its highly integrated MAX36010 and MAX36011 single-chip security supervisor chips. These security solutions are designed to make it easier for designers to implement robust tamper detection, cryptography and secure storage while safeguarding sensitive information via logical and physical protections, without having to be security experts themselves (Figure 4).
The MAX36010 and the MAX36011 both offer strong security that can be easily integrated into a design at any stage of its development. Additionally, if these parts are integrated later in the design cycle, there is no need to change the platform to accommodate them, thereby simplifying the implementation process. Compared to competitive solutions, the devices, due to their high level of integration, facilitate a 60% faster design cycle, while also lowering bill of materials (BOM) costs by 20%, says Maxim.
To ensure a higher level of security, these supervisors generate keys via a TRNG. The keys are then stored in battery-backed RAM along with certificates and other sensitive data. This data is erased when tampering is detected, a capability that meets the requirements of Federal Information Processing Standard (FIPS) Publication 140-2 at its highest security levels (Levels 3 and 4).
The MAX36010 and the MAX36011 both support symmetric and asymmetric cryptographic functions such as 3DES, AES, RSA and Elliptic Curve Digital Signature Algorithm (ECDSA). These secure cryptographic engines are designed and compliant to the requirements of Payment Card Industry (PCI) and FIPS140- 2 certifications. The MAX36010 supports symmetric key generation for AES and 3DES, whereas the MAX36011 supports both symmetric and asymmetric key generations for AES, 3DES, RSA and ECDSA.
The devices include temperature and voltage sensors, 1 KB of secure storage, dynamic tamper sensors, real-time clock (RTC) and TRNG—eliminating the need to use multiple discrete components. Host interfaces include SPI, Universal Asynchronous Receiver/Transmitter (UART) and I2C. No firmware development is required to connect to the host processor.
Battery-backed RAM provides storage for sensitive information. And dynamic tamper sensors detect hacking incidents and immediately delete sensitive information.
The latest IoT security solution from STMicroelectronics (ST) has taken the form of a comprehensive toolset for its STM32 MCUs. In July, ST launched its STM32Trust toolset aimed at guiding embedded system designers’ efforts to build strong cyber-protection into new IoT devices leveraging industry best-practices (Figure 5). STM32Trust combines knowledge, design tools and ready-to-use original ST software. These help designers take advantage of features built into STM32 MCU to ensure trust among devices, prevent unauthorized access, and resist side-channel attacks. All this averts data theft and code modification, according to ST.
Integrating all available cyber-protection resources for the STM32 family, STM32Trust helps designers implement a robust multi-level strategy leveraging security-focused chip features and software packages. The STM32 MCU family is based on the Arm Cortex CPU architecture and contains almost 1,000 variants used in smart appliances, remote sensors, wearables, e-health devices, IoT gateways, access-controlled storage, payments and many other connected devices.
Depending on the model, hardware cyber-protection can include features such as customized secure boot, a random-number generator to prevent hackers observing patterns in signals, dedicated encryption coprocessors, and secure storage for encryption keys. ST also builds in tamper detection, firewall code-isolation mechanisms and implements Arm TrustZone technologies for extra protection of the most sensitive code.
PROTECTION AT BOOT UP
Among the reference software packages X-CUBE-SBSFU demonstrates how to protect application code at its most vulnerable when being transferred into boot memory or updated in the field. X-CUBE-SBSFU reference packages are available for the STM32F4, F7, H7, L0, L1, L4, G0, G4 and WB. There is also a reference implementation of ST’s secure element STSAFE, which maximizes the security level of the final application.
In addition, Secure Firmware Installation solutions for STM32L4 and STM32H7 MCUs provide protection while devices are being programmed for the first time. The solution offers a complete toolset to encrypt OEM binaries with the Trusted Package Creator software, the STM32CUBEProgrammer to flash securely the STM32, and the STM32HSM to transfer OEM credentials to the programming partner. The STM32Trust resources including tools, evaluated reference material and source code can be downloaded free of charge. A link is provided on Circuit Cellar’s article materials webpage.
GOOGLE CLOUD IoT CORE
As embedded developers migrate MCU-based applications to the cloud, they have to overcome complexities associated with communications protocols, security and hardware compatibility. Smoothinig the way, in February Microchip announced an IoT rapid development board for Google Cloud IoT Core that combines a low-power PIC MCU, CryptoAuthentication secure element IC and fully certified Wi-Fi network controller. The solution provides a simple way to connect and secure PIC MCU-based applications. It’s designed to remove the added time, cost and security vulnerabilities that come with large software frameworks and RTOS.
As part of Microchip’s extended partnership with Google Cloud, the PIC-IoT WG Development Board enables PIC MCU designers to easily add cloud connectivity to next-generation products using a free online portal at www.PIC-IoT.com. Once connected, developers can use Microchip’s MPLAB Code Configurator (MCC) rapid development tool to develop, debug and customize their application.
SECURITY FOR IoT EDGE DEVICES
Among the most recent IoT security solutions from MCU vendor NXP Semiconductor is its EdgeLock SE050 Plug & Trust Secure Element (SE) family of devices. Announced in June, the devices are designed to secure Industrial 4.0 and IoT applications—from edge to cloud. The Common Criteria (CC) EAL 6+ certified EdgeLock SE050 makes it easy to implement high- performance security for sensing and control (Figure 6). Additionally, it streamlines deployment of IoT services and onboarding of edge devices to public and private clouds, edge computing platforms and infrastructure.
The EdgeLock devices provide CC EAL 6+ certification up to OS level. This provides hardware and operating system security to protect against the latest attack scenarios and evolving IoT threat landscape. Support is included for 4096-bit RSA cryptography and integration of Elliptic Curve (ECC) cryptography with an expanded set of curves such as Brainpool, Edwards and Montgomery. A pre-integrated, flexible applet eliminates the need to write security code, and scalable software with built-in protections.
The EdgeLock devices also support I2C master functionality for direct control of critical functions as well as integrity and confidentiality of sensor data. They feature a contactless interface for late-stage parameter configuration of unpowered devices. The devices also integrate functionality typical to Trusted Platform Modules (TPM), combining it into a unique security solution of IoT connections, as well as IoT platform integrity and attestation. EdgeLock simplifies integration with different MCUs, microprocessors, operating systems (Linux, RTOS, Windows, Android) and major cloud platforms.
NXP EdgeLock SE050 Secure Element supports compliance to some of world’s most rigorous standards and protocols, including the National Institute of Standards and Technology (NIST), EU General Data Protection Regulation (GDPR), International Society of Automation Industrial Network and System Security IEC62443, OPC Industrial Interoperability Standard for Unified Architecture (OPC UA), and the Open Connectivity Foundation (OFC) specification. EdgeLock SE050’s compliance and certifications also illustrate NXP’s commitment to the Charter of Trust initiative and its binding rules and standards to build trust in cybersecurity and further advance the future of digitalization.
Today’s MCUs have evolved into systems-on-chips. And, like any system, they’re now also burdened with increased system-level responsibilities, and security is among those. To keep pace, MCU vendors have stepped up by continuing to add new embedded security functions to their device families and developing ways to help embedded system developers create secure, connected products for the IoT.
Cypress Semiconductor | www.cypress.com
Maxim Integrated | www.maximintegrated.com
Microchip | www.microchip.com
NXP Semiconductor | www.nxp.com
Renesas Electronics America | www.renesas.com
STMicroelectronics | www.st.com
The Things Industries | www.thethingsindustries.com
PUBLISHED IN CIRCUIT CELLAR MAGAZINE • SEPTEMBER 2019 #350 – Get a PDF of the issueSponsor this Article