This post was originally posted on 2nd September 2020 and updated on 16th March 2021 to reflect PSA Certified Level 3 security certification.
Silicon Laboratories have worked hard on an IoT security portfolio for some time, they specialize in antenna connected devices, focusing especially on 2.4 gig and sub-gig connectivity. Silicon Laboratories have long been a part of the PSA Certified partnership and they recently became the world’s first silicon provider to achieve PSA Certified Level 3 from Riscure for an implementation of their Secure Vault technology. To celebrate this achievement, we sat down with Mike Dow, Senior Product Manager for IoT Security to discuss IoT, Secure Vault and regulations.
Tell Us a Bit About Silicon Laboratories
Silicon Laboratories, Inc. (which is well known as Silicon Labs) is a fabless global technology company that designs and manufactures semiconductors, other silicon devices, and software that are sold to electronics design engineers and manufacturers in Internet of Things infrastructure, industrial automation, consumer and automotive markets worldwide. We focus heavily on connecting devices, figuring out what level of connectivity is needed for the best solutions, whether that’s Zigbee, Z-Wave, Bluetooth Low Energy (BLE), Mesh, Thread or others. As the Internet of Things has scaled and hacking has increased, especially in regard to ransomware, we’ve turned to support the market with more robust IoT security solutions. It’s safe to say that for the last 20 years, attacks have been coming from the cloud-side, but now all hackers are looking at the devices themselves.
Where do the Biggest Problems Lie in Regard to IoT Security?
We see that it’s typically high-performance devices with on-device processing (for example devices that run Linux) being hacked, a good example is the thermostat in your house. These types of devices are attractive to hackers as there are many ways to use them to find vulnerabilities. Examples of hacks include:
- Botnets: One very common way is the rise of botnet hacks, where hackers get hold of thousands of devices (like the connected thermostats) and try to use that to attack something like a website or critical infrastructure.
- Insecure firmware upgrade: Devices could also be hacked to target businesses, for example if that same thermostat is used in a business control system. A hacker could get a USB stick, plug it into that device and infect it with malware, which it gives them another route in.
- Communication attack: A third example is the communication mechanism – if you can compromise this, you can deliver malware into the higher-level systems and do this type of pivot attack.
These types of hacks targeting Linux based devices are important to Silicon Labs, as we’re in the subnet under the Linux box and we want to ensure that our solutions inside our customers’ devices are not vulnerable. We’re very sensitive to the fact that the subnet is basically a means of getting into a device and doing a pivot attack and that’s why radios we make, need to be secure.
Why Did You Choose PSA Certified?
If I’m honest, when I first heard of PSA Certified I was skeptical – at its inception all the silicon vendors were doing their own thing and I wondered if it was realistic to get all of us to align on a single way of securing devices. However, it’s clear to me that as PSA Certified has matured it has been built using a lot of research, both from the companies involved and the security experts within the silicon vendors.
I personally align with the admirable goal of aligning around a hardware Root of Trust, which the IoT industry have built together. I’m a big believer in standards. While Silicon Labs can differentiate in a lot of other ways, our customers need security and security solutions need to be done correctly. Customers will find it difficult to understand the inner workings of security architectures, but what they can understand is a security standard and label – this is why security certifications like PSA Certified is needed.
What’s particularly great about PSA Certified is that it’s not mandating a specific security implementation or architecture. It’s saying, you need to have a secure world and a non-secure world, plus a way to divide up the tasks that need to be executed in the secure world – it just makes sense!
What Value Does PSA Certified Add?
We have customers asking us to prove our security and despite all the emerging schemes in the marketplace we never had something specifically for the chip. PSA Certified offers silicon level security certification and that’s unique in the market right now. It provides a way for devices makers to judge whether a microcontroller or MPU has the necessary security level they need.
With PSA Certified I essentially get to show a piece of paper to my customer, and then my customer can use that piece of paper to do less work on his end product certification. Ultimately this is a huge benefit, as everyone will eventually have to prove their security credentials due to emerging privacy and data security regulations.
You Briefly Mentioned the Root of Trust – Why is Having a RoT (like the PSA-RoT) Important? What Does it Enable?
A hardware Root of Trust essentially guarantees that the inner workings of your device are secure. The Root of Trust is primarily used in a secure boot process, which ensures when the processor boots that the code is authentic and hasn’t been modified – all things stem from that. Once the code is authenticated, the system can check security of other things in the system. It can be quite a technical explanation, but the thing to remember is that if you skip an immutable and updatable RoT – security in connected devices is nowhere near as robust.
You Specifically Mention Hardware Root of Trust, Why is it Important to have Hardware Security?
Hardware security is especially important, as it’s nothing like software when you can patch the problems later when you find the bugs. That’s why it’s important to have things like a good solid hardware RoT that has been vetted and proven – which is essentially what PSA Certified provides. There are some ways to patch hardware security, for example, Silicon Labs have a security subsystem which uses its own core. As that subsystem has its own core with its own firmware we can do a certain amount of secure patching over time if we need to. However, there are always going to be certain pieces of it that can’t be patched and there are limits to the amount of patching that can be done. That’s why it’s important to invest time into the hardware RoT to make it as perfect as possible so that you can depend on it for 20 years or more.
What is Trending Right Now in IoT? What are your Customers Concerned About?
It’s clear to me that the industry is being driven by privacy and data security laws and regulation – just in the USA right now we have seven or eight states considering different laws for IoT security, and that’s before you think about the rest of the world. There is also a lot of work happening for different applications and verticals, for example in medical there is a great deal of focus on connected consumer health products, as that’s likely going to be the primary cause of lawsuits first. Therefore, right now, the emphasis is on protection of people’s private medical data, but the health risks are real. If you can hack a pacemaker, you can kill someone. This is just one example, as all verticals are making different plans – from smart meters, to smart lighting in cities, to medical and wearables. This movement is starting to scare a lot of our customers, as they don’t distinguish where a product goes geographically, or its application (for example that aforementioned thermostat and whether it’s used in a business or the home).
How can we Overcome the Issue of Regulation and Stop it Hindering IoT?
Ultimately, we have to figure out a way for IoT security certification to be scalable. If we don’t, we risk stunting the growth of the IoT market with all these regulations, as ultimately there is a lag whilst you wait for products to get their seal of approval, the industry needs to collaborate together. PSA Certified is making good headway in this space for two reasons: first OEMs and manufacturers can inherit the hard work done by the silicon vendors and second, it has a rational approach with a lightweight protection profile.
At the end of the day, the consumer just wants to be able to get a product and just know that it’s protected. They don’t really care about the detailed analysis and testing that device went through, it just needs to be the right level and they need to be assured that it got the scrutiny it needed for what it does.
What Use Cases do You See Secure Vault Being Used In? What Exciting Opportunities does it Unlock / What Role does it Play in Securing IoT?
We see a lot of use cases for Secure Vault and the more we speak to our customers, the more we see our Secure Vault technology resonating as it ticks all the boxes for secure boot, secure debug and key storage. Secure Vault is in a great position because we have a great portfolio of radios and microcontrollers that have Secure Vault capability and an impressive roadmap to support it. Some of the key use cases include medical, smart metering, home automation and industrial.
What does the Future Look Like for IoT? What Will the World Look Like in 5-years’ Time?
A key thing to do is to see through the hype and to understand the real use cases that are going to add value – for example connected refrigerators are great but I’m not sure if, as a consumer, I need that kind of connectivity in my house. I personally think there are a lot of really cool use cases in smart cities, which save time and make a difference. A good example is parking spots – as it can save people time driving around trying to find a parking space, but it can also help with traffic flow and reducing air pollution.
Whilst I don’t get excited about my milk going off in my fridge, I do care about a part of my HVAC system being faulty and detecting that before it’s a real problem. You might think your HVAC system is running perfectly, until the hot summer appears and you suddenly realize that something is broken. IoT has the power to deliver some truly fascinating use cases which will change the world for the better.
Hear Mike discuss the importance of higher level security certifications and the increasingly vital role of silicon vendors in the #BeyondtheNow podcast.