Filter results by
Device Protection and Trusted Code Execution
ARTIK offers developers a family of IoT modules, which are true systems-on-module (SoMs), with CPUs, networking, hardware-based security, wireless radios, and full system software stack, all build onto a single, easy-to-integrate package. These trusted hardware modules make ideal building blocks for everything from edge nodes, to gateways and hubs, to high-value hardware products. ARTIK IoT module hardware security features, in conjunction with ARTIK software and cloud security features, make the ARTIK platform secure from chip-to-cloud. All ARTIK modules are fully integrated with the Samsung SmartThings cloud — the Samsung unified cloud for IoT — which provides interoperability with both Samsung and third-party devices and clouds.
Device protection and trusted code execution are at the heart of ARTIK hardware and include the following features.
The ability to trust the software running on a hardware platform is one of the most fundamental principles of security. Many attacks on connected devices and systems rely on the attackers’ ability to replace or modify software running on the targeted platform. Therefore, it’s absolutely critical to ensure that the software running on a device came from the legitimate and intended source. Software needs to be signed by the software provider who owns it to ensure authenticity and permit code execution on the target device.
On Samsung ARTIK modules, the secure boot verification process starts when the system is brought up from a cold boot. A secure boot process consists of several bootloader stages. Software is verified using cryptographic checks and installed before executing the next bootloader stage. This process aims to prevent any unauthorized software from running by assuring the integrity of all boot images as each boot loader is called by the previous one. In this way, Secure Boot prevents unauthorized software from running when a device is powered up. This security control is foundational to assuring device integrity and preventing hackers from injecting malware.
KMS infrastructure for code signing
A secure boot solution is only effective if the private signing key is secure, safe and protected by business practices that store and control access to the private key. In order to enable a secure and easy-to-use signing process, Samsung ARTIK provides a Key Management Service (KMS), ARTIK CodeSigner service, deploying FIPS-certified hardware security modules (HSM) storing and operating the signing key and operation. In parallel, the public verification key is securely installed within the ARTIK IoT module to provide a hardware-based root of trust for the secure boot process on the device.
Most ARTIK modules include a Common Criteria EAL5 hardware Secure Element which is optimized for IoT and provisioned with X.509 certificates and corresponding keys and identities inside secure storage. This, along with Secure Element Secure APIs, protect these sensitive assets over the entire device life cycle, especially during execution of cryptographic algorithms depending on these keys.
Secure Element security features and APIs relieve developers of the complex tasks of managing private/public key-pair generation, issuing and managing certificates, and provisioning across the production and supply chain. The integration of Secure Element features and the ARTIK SDK further reduces the complexity of necessary security functions, such as establishing TLS exchanges for secure connectivity with the cloud, as well as other cryptographic operations. The ARTIK Secure Element comes pre-loaded with an individual device certificate and private/public key pairs which have been pre-registered with the SmartThings cloud. Customers deploying the SmartThings Cloud and using ARTIK IoT modules at the same time can enjoy ARTIK’s tightly integrated PKI, where both hardware Secure Elements and cloud servers are provisioned with certificates chaining to the ARTIK Root Certificate Authority.
The ARTIK Secure Element also allows OEMs to provision their own PKI using post-provisioning mechanisms.
Secure JTAG access
Effective IoT device security requires that external device ports be disabled or protected from an authorized use. Samsung ARTIK IoT modules provide Joint Test Action Group (JTAG) for debugging of the platform. However, access via JTAG opens up methods to bypass internally defined security mechanisms. To address this vulnerability, ARTIK IoT modules support Secure JTAG, which requires the use of a password unique to each ARTIK SoM to access the JTAG chain.