We understand the extraordinary potential of the Internet of Things (IoT), but how do we move from where we are now to a world of a trillion connected devices? To seize the opportunities within this market we must ensure the products that we are developing are future-proof and secure. Also, we need to build trust in emerging technologies and the data they provide.
The expectation and awareness of IoT security is at an all-time high and with this, new guidelines, regulations, and companies have emerged to guide requirements and best practices. While this all shows great progress in the industry, it can still be a confusing place to navigate. With all IoT products having unique security requirements, it is challenging to identify these requirements, and communicate security best practice across the ecosystem.
To provide clarity in IoT security, Arm and Cypress Semiconductor® have created an application guide detailing the process of designing security into an IoT device. This blog gives an overview of what you will find in the full application guide.
The guide uses a smart door lock as a working example and details the security design for the Cypress PSoC® 64 line of Secure MCUs, which can be used as the platform for smart door lock implementation. While this focuses on a smart door lock, all the details are applicable to any IoT product, ensuring you protect your brand reputation and speed up security design.
We lock our doors to protect our most valuable possessions and to keep our loved ones safe. When we turn the key or fasten the latch, it helps us feel secure. So how do we ensure that digital solutions provide that same peace of mind?
Companies developing smart door locks are taking advantage of the latest technologies to transform their businesses and people's lives. A smart lock replaces or bolsters a traditional security system. It enables you to open or close a door using a smartphone, a key card, a PIN, or even your fingerprint. The smart door lock can keep track of who is entering or leaving a premises and alert you to unusual activity. However, this increased functionality can come at the cost of additional security vulnerabilities, so architecting trust into a smart door lock is critical.
Knowing what security is required and how to implement countermeasures can be complex and time-consuming. The Platform Security Architecture (PSA) was created to provide the tools that are needed to design and build security into IoT devices at scale. Documentation and specifications enable the right level of protection to be designed into products, saving time and reducing the cost of implementation.
PSA is a four-stage framework:
Analyze: assess the potential threats to your device and identify what you need to do to protect it.
Architect: create a system architecture capable of meeting your security requirements.
Implement: use a trusted code base, such as Trusted Firmware-M, to implement the security requirements from the architect stage.
Certify: PSA Certified offers an independent testing and evaluation scheme for IoT chips, software, and devices that you can use to build and communicate trust with your customers.
The Platform Security Architecture (PSA) provides a systematic framework for IoT security.
The PSA makes security more straightforward, even if you are not a security expert. It is aimed at different entities throughout the supply chain, from chip designers and device developers, to cloud and network infrastructure providers, and software vendors.
To find out more about the PSA and how you can create trusted IoT solutions, watch our on-demand webinar.
How do smart door locks work?
A typical smart door lock system is shown in the conceptual diagram below. Within this system, there will be assets, or components of your device, that are of value to you and your customers. They may include:
A typical smart door lock system.
Cyber-attackers target these assets in the same way as a burglar would search your home for an expensive watch, jewelry, or cash. In the case of a smart door lock, your digital assets may provide access to the physical ones. The question is, what are the weaknesses and how do you protect against them?
One attack example is an impersonator of a legitimate administrator, owner, or guest carrying out a malicious act. This attack could be countered through an authentication process - the device would authenticate the administrator before granting access to the lock configuration and logs, and before performing a firmware update, preventing impersonation.
Example attack flow: A hacker impersonates the owner of the device and gains access to the property.
The exact requirements vary depending on the product. However, the cost and effort involved in securing a device and the investment an adversary is likely to make in carrying out an attack need to be weighed up.
The smart door lock application guide provides a practical guide walking through the four stages of PSA. Within this you will find:
For a real-life implementation of PSA for security design, download the Smart Door Lock Application Guide today.
Find more information about the four stages of PSA on our website.
Start designing-in security by reading our blog on the first stage of PSA - Analyze.
Learn more about Cypress PSoC 64 Secure MCUs.
Hi Sarah, I agree with you. A smart door lock can be connected to other IoT automation tools and devices, which can increase the attack surface. It's therefore very important to have the right security implemented to sufficiently protect against threats from many sources...
Hi Leonard, Thanks for your question. If the battery dies or power supply is cut then locks will have an emergency way to open it e.g. with a physical key or with an external power supply terminal etc. I hope this helps...
This is an important article on security and also includes anything running with an LTE IoT chipset?
These chipsets will make IoT much more accessible and so security then becomes even more important, I think.
Maybe I missed a moment, but what if I cut off the energy supply to the system, how will it behave?