Why care about IoT security?

Editor’s note: In this guest blog, our partner Trustonic explains the need for reliable security in IoT, and why its Trusted Execution Environment comes bundled with ARTIK.

Security. I’ll bet it’s the last thing on your mind as you develop your internet-connected Thing. You’re probably thinking, “I’ll secure it when it’s in production”, “When it’s successful enough I’ll worry about security”, “That’s someone else’s problem”, or “What’s the worst that could happen?” But you need to pay attention to security from the earliest stages of product development. And Trustonic has brought its security expertise to Samsung ARTIK.

Every day we see IoT security making headlines for the wrong reasons. Search the web for hacking cars, Wi-Fi kettles, IoT doorbells, pacemakers, and dolls, for just a sample. Crypto-ransomware, extorting users by denying service, doubled in 2015; imagine your IoT’s core functionality getting locked down until a ransom is paid.

Trustonic’s Trusted Execution Environment (TEE) technology addresses these threats in over 500 million smartphones worldwide. That same technology can protect your privacy in home monitoring systems, your money in mobile payment applications, and now your internet-connected Things. That security is available to Samsung ARTIK developers.

What is a Trusted Execution Environment?

A TEE is an area set aside in the processor where the security and integrity of the code being run can be guaranteed. You can be sure that the code running in a TEE has not been modified in any way, and that the data used there is kept secure.

The TEE also protects the authentication, authorization, and session keys so that only authorized users can access the data as the module connects to the cloud.

The Trustonic TEE works in conjunction with Hardware Secure Element built into every ARTIK module to provide your customers the confidence that their data will not go astray.

Why use a Trusted Execution Environment?

Increasingly we see Linux as a force for driving IoT – lots of developers understand it, it’s open for adapting to devices, and lots of apps already exist. For all the flexibility and cost saving that Linux brings, it also brings vulnerabilities. Some argue that open source means more eyeballs on the code checking for bugs, so there will be fewer vulnerabilities. It’s all too easy to assume that others are doing the checking when in fact nobody really is.

It’s critical for customer confidence and your business that you keep your devices secure. The TEE ensures that the environment running sensitive apps and data is uncorrupted and secure. We’ve all seen what happens when news erupts about a device or operating system getting hacked!

Consider the following areas that the TEE can protect:

  • Inputs – Cameras, microphones, and fitness sensors all generate tons of data which must be kept private. Insecure connections or hacked code can end up streaming that data to the wrong eyes.
  • Outputs – Commands to start a motor, unlock doors, open garages, or turn off power all can have a real-world impact on user safety and security. It’s important to ensure the commands that are executed are coming from authorized sources.
  • Communications – Protecting the authentication, authorization and session keys means that you can be sure your IoT device only makes authorized connections.
  • Processing – Application software must be verified for authenticity before being run, but it must also run on a verified environment. Any modifications must be flagged and acted upon.

In a future blog post, we’ll dig into specific use cases for the TEE. Until then, keep your systems secure!