IoT Data Security
With security centred design built in our DNA, Embien has been helping Original Equipment Manufacturers (OEMs) create rugged and highly secure product that differentiate them from competitor offerings. We keep our selves updated with knowledge of recent exploits and attacks, keep track of relevant Common Vulnerabilities and Exposures (CVE) and incorporate them in our designs and development. We ensure the hardware-based root of trust is established to begin with and the chain is followed. Even the peripherals are segregated as secure and non-secure zones using Trusted Execution Environment (TEE) such as Arm TrustZone etc and suitable policies applied.
Following best in class key management and secure key storage practices, to prevent a hacker gain access to data in the system, we encrypt partitions with such as LUKS etc in combination with Secure elements such as Microchip ECC508, ECC608, NXP SE050, etc. Since the private keys are stored inside the chips, even accessing the underlying NAND/eMMC devices, it will be impossible to decode the data. This silicon root of trust-based approach provides unparalleled advantage for security on IoT devices over conventional software - centered ones.
Primary functionality of the IoT devices is to send the acquired/pre-processed data to the cloud server. Also, the configuration and control commands are received from cloud. This calls for validation of the communication interface. As one of the leading IoT security companies, Embien has been working on latest crypto-graphics algorithms and protocols and have incorporated them into our designs. We ensure that none of the external communication are over plain-texts and instead are using SSL, TLS etc., We are well-acquitted with TLS1.3 implementation on embedded devices. Apart of the this, we ensure client-server mutual authentication leveraging trusted root certificates.
For Wireless connectivity like BLE, Wi-Fi, LTE etc, we ensure the relevant security guidelines are followed. For unprotected channels such as serial port, USB etc, we add custom mechanisms built over standard algorithms such as AES, RSA, ECDSA etc as and when needed. In some cases, we have enabled device identification and authentication mechanism such as using pre-programmed keys whereby only a pre-authenticated device can connect over mechanisms such as ADB etc.