Security Optimized Embedded Solutions


The security crisis in embedded devices is a burning problem that needs to be addressed strategically to avoid system breaches and violations. With so many cyber-attacks reported daily, it is essential to ensure complete protection of the data handled by an embedded system. Assuring a secure and reliable embedded system also gives developers an opportunity to differentiate and add value to the product.

Embedded devices play an integral role in many of today’s emerging applications. They dominate today’s technology-driven industry because of their unique characteristics and functionalities, such as:

  • Custom and scalable architecture
  • High performance
  • Low power consumption
  • Real-time computation
  • Cost-effectiveness

These devices are increasingly being deployed in almost every application you can think of, from simple use cases such as remote controls and microwave ovens to complex applications such as AI/ML edge analytics, cloud virtualization, and smart devices in IoT.

Why is security a pain point?

Embedded devices are highly customizable and can be programmed to satisfy specific user requirements. These systems are often deployed in remote and harsh environments and have to deal with real-time data and sensitive user information, which makes them highly vulnerable and prone to attacks. With the explosion of connected devices and the IoT revolution, the number of possible attack vectors is also growing exponentially. A compromised embedded system in a smart application, from a smart thermostat to industrial automation, can be used to take control of the entire system.

The cure needs to be imminent and at the root

Security should not be an afterthought. It should be at the forefront of everyone’s mind. It is a quality issue that, if not taken seriously, can affect the reputation of the product and jeopardize the existence of the manufacturer.

iWave Systems is taking measures to address the security challenges in embedded devices with turnkey software/hardware safety mechanisms that ensure complete reliability and value to end applications. iWave’s embedded devices are designed and implemented to be robust and reliable. They are secured with cryptographic modules and advanced safety procedures to ensure security from the early stages of design to development.

Securing an embedded system involves several different approaches. The key measures that we deploy are discussed below:

High Assurance Boot – HAB

Almost all embedded systems operate on instructions supplied through flashed images. If a hacker can flash his own instructions to an embedded device, he can take full control of what that device does. Embedded system OS images can be flashed from different media such as MMC, SD card, SATA, Ethernet, etc. Hackers can alter the SW by changing the boot medium or by replacing the SW. Implementing security checks on the medium itself is difficult, since media such as SD cards can easily be replaced.

Moreover, OS images can be altered after they have been flashed onto these media, so a security check performed only before flashing the image is not sufficient. How, then, can we check that our OS images are secure? The answer is HAB (High Assurance Boot).

HAB performs a security check before booting the SW. The device boots only if the boot medium contains authorized SW.

iWave’s i.MX8 SoM modules include a dedicated Security Microcontroller (SECO) that performs the security functions and takes care of the HAB process. iWave uses the SECO controller to verify the authenticity of the U-Boot, Linux, and RTOS binaries. The binaries are signed with a certificate that is stored in the module’s immutable storage.

If a hacker replaces a binary with one carrying an unauthorized certificate or no certificate at all, the system detects the security violation during the HAB process and does not allow the system to boot.
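The check described above, reduced to its logic in an added example (not iWave's or NXP's code): the device keeps only a digest of the authorized public key in immutable storage and refuses any image whose key or signature does not match. It assumes the Python `cryptography` package; `key_digest`, `sign_image`, `boot_check` and the sample data are hypothetical, and the real HAB container format is not modelled.

```python
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def key_digest(public_key):
    """SHA-256 over the DER public key (stand-in for the value held in immutable storage)."""
    der = public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return hashlib.sha256(der).digest()

def sign_image(private_key, image):
    """Build-time step: returns (image, signature, public key) as placed on the boot medium."""
    sig = private_key.sign(image, ec.ECDSA(hashes.SHA256()))
    return image, sig, private_key.public_key()

def boot_check(fused_digest, image, signature, public_key):
    """Boot-time step: True only for the provisioned key and an intact, signed image."""
    if signature is None or public_key is None:
        return False                      # unsigned image
    if key_digest(public_key) != fused_digest:
        return False                      # signed, but with an unauthorized key
    try:
        public_key.verify(signature, image, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False                      # image altered after signing
    return True

# Constructed sample data (assumption): a vendor key, a second key and dummy images.
vendor_key = ec.generate_private_key(ec.SECP256R1())
other_key = ec.generate_private_key(ec.SECP256R1())
FUSED = key_digest(vendor_key.public_key())   # provisioned once, then immutable
IMAGE = b"constructed u-boot image bytes"

def scenarios():
    img, sig, pub = sign_image(vendor_key, IMAGE)
    o_img, o_sig, o_pub = sign_image(other_key, b"replacement image")
    return {
        "genuine": boot_check(FUSED, img, sig, pub),
        "tampered": boot_check(FUSED, img + b"\x00", sig, pub),
        "resigned": boot_check(FUSED, o_img, o_sig, o_pub),
        "unsigned": boot_check(FUSED, b"replacement image", None, None),
    }
```

Only the genuine image passes. An image re-signed with a different key carries a valid signature, but fails the key-digest comparison.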

Why HAB 

  • Security checks run before images take control of the system.
  • Allows multiple root keys.
  • Makes use of digital signatures – the most efficient way to secure the OS images.
  • Appends security directly to the OS images without affecting the OS image functionalities.
  • Processor-level checking with OS image validation gives complete assurance of secure booting.

HAB is one of the best solutions to prevent unauthorized access to OS images. Embedded systems that deal with sensitive data should incorporate HAB to prevent external sources from taking control of the whole system.


Cryptography

Data is the new dollar. Just like we secure our hard-earned money with the utmost caution, it is equally important to secure the data processed and transmitted in an embedded system. So how can this be achieved? The answer is cryptography.

Cryptography is the art and science of securing data by scrambling it so that it is unreadable by external parties. Once encrypted, the message becomes a seemingly random jumble of characters. With the secret key, it can be decrypted to recover the original message.

In addition to the cryptographic procedure being robust and unbreakable, its speed and overall effectiveness also matter. Today, there are a number of cryptography algorithms and hardware encryption methods to keep prying eyes out of your devices.

iWave modules integrate the Cryptographic Acceleration and Assurance Module (CAAM), available in the SECO controller, for encryption and decryption. These operations are performed by the CPU’s hardware module and not by the OS. Because they take place in a trusted area of the CPU, they run faster than software encryption/decryption.

We have validated that the following encryption and decryption algorithms can be performed using the CAAM module in the CPU:

  • AES-CBC
  • AES-CCM
  • HMAC-SHA256
  • SHA256
  • Random Number Generation
  • ECDSA using 256v1
  • RSA

That cryptography is a must-have in embedded systems is no longer a point of debate. Equally important is choosing the right method to ensure the speed and reliability of the mechanism. It is in this regard that iWave adds value by implementing secure and validated cryptography standards and ensures high assurance protection of data.
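One way to confirm that an algorithm is actually served by the hardware module rather than by software, as an added example that is not iWave's code: it assumes a Linux system where the CAAM is exposed through the kernel crypto API and parses `/proc/crypto` records. The sample text and the function names are constructed for illustration.

```python
# Constructed sample in the /proc/crypto record format (assumption: not captured from a device).
SAMPLE = """\
name         : cbc(aes)
driver       : cbc-aes-caam
module       : kernel
priority     : 3000

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100

name         : hmac(sha256)
driver       : hmac-sha256-caam
module       : kernel
priority     : 3000
"""

def parse_proc_crypto(text):
    """Split the blank-line separated records into dicts of field -> value."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in block.splitlines() if ":" in line)
        records.append({k.strip(): v.strip() for k, v in fields.items()})
    return records

def preferred_drivers(records):
    """For each algorithm keep the highest-priority driver, the kernel's default choice."""
    best = {}
    for rec in records:
        name = rec["name"]
        if name not in best or int(rec["priority"]) > int(best[name]["priority"]):
            best[name] = rec
    return {name: rec["driver"] for name, rec in best.items()}

def software_fallbacks(text, wanted, hw_tag="caam"):
    """Algorithms from `wanted` whose preferred driver is missing or not CAAM-backed."""
    chosen = preferred_drivers(parse_proc_crypto(text))
    return sorted(a for a in wanted if hw_tag not in chosen.get(a, ""))
```

On a target, pass the contents of `/proc/crypto` instead of `SAMPLE`. Any algorithm the function returns is either unavailable or running in software.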

Blob

A blob is a cryptographic data structure that CAAM uses to protect data. Generally, a randomly generated key is used to encrypt/decrypt the data. Sometimes the data is encrypted but the key is then lost, which makes the precautions taken to secure the data useless. The key used for encryption therefore also needs to be handled wisely. With the blob mechanism, the key is itself encrypted and stored along with the encrypted data, so a third party cannot decode the data. The combination of encrypted key and encrypted data is called the blob.

iWave provides test applications that create a blob file and perform encryption/decryption using AES-CCM and AES-ECB.
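The blob structure described above, modelled in software as an added example (not iWave's test application or CAAM firmware): a fresh random key encrypts the data with AES-CCM, and that key is itself encrypted with AES-ECB under a device-bound key and stored in front of the data. It assumes the Python `cryptography` package; the HMAC-based `derive_bkek`, the byte layout and all names and sample values are assumptions for illustration.

```python
import hashlib, hmac, os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

NONCE = bytes(12)  # a fixed nonce is acceptable only because each blob key is used once

def derive_bkek(device_secret, key_modifier):
    """Assumed stand-in for the hardware key derivation: HMAC-SHA256(secret, modifier)."""
    return hmac.new(device_secret, key_modifier, hashlib.sha256).digest()

def ecb(bkek):
    return Cipher(algorithms.AES(bkek), modes.ECB())

def encapsulate(device_secret, key_modifier, data):
    """Return blob = encrypted blob key (32 B) || CCM ciphertext || CCM tag (16 B)."""
    blob_key = os.urandom(32)                    # fresh random key per blob
    enc = ecb(derive_bkek(device_secret, key_modifier)).encryptor()
    wrapped_key = enc.update(blob_key) + enc.finalize()
    return wrapped_key + AESCCM(blob_key, tag_length=16).encrypt(NONCE, data, None)

def decapsulate(device_secret, key_modifier, blob):
    """Unwrap the blob key, then decrypt and authenticate; None on any mismatch."""
    dec = ecb(derive_bkek(device_secret, key_modifier)).decryptor()
    blob_key = dec.update(blob[:32]) + dec.finalize()
    try:
        return AESCCM(blob_key, tag_length=16).decrypt(NONCE, blob[32:], None)
    except InvalidTag:
        return None

# Constructed sample values (assumption): two device secrets and a dummy payload.
DEVICE_A = b"A" * 32
DEVICE_B = b"B" * 32
SECRET = b"wifi-psk=constructed-sample"
BLOB = encapsulate(DEVICE_A, b"app-keys", SECRET)
```

The blob can be stored on untrusted media: without the device-bound key the wrapped key cannot be recovered, and any modification of the blob fails authentication.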

iWave’s security optimized solutions, backed by industry-leading expertise in embedded platforms, give developers the competitive edge needed to be at the forefront of technological developments.

For further information or inquiries please write to mktg@iwavesystems.com or contact our Regional Partners.

Copyright © 2022 iWave Systems Technologies Pvt. Ltd.