
Because they connect to the Internet, portable health-monitoring products and wearable IoT devices are inherently vulnerable to hacker attacks. From using devices in distributed denial-of-service (DDoS) attacks to violating personal privacy, malicious third parties can abuse unprotected devices and the consumer data they hold in many ways. As an IoT developer, you need to design security features into connected products from the start rather than waiting for a breach that harms customers and damages your brand and reputation. A recent Internet Society study found that "53% of consumers do not trust connected devices to responsibly protect their privacy and handle information."
Regulatory and design considerations
To comply with data-protection regulations such as GDPR and HIPAA, and because it is sound practice, IoT device manufacturers must protect user data and must not share it without consent. Designing security into IoT devices is challenging. Developers must address data privacy and also prevent devices from being hijacked by attackers. Cypress's PSoC 64 Secure MCU implements application security with a hardware-based root of trust, secure key storage, hardware-accelerated cryptography, and a trusted execution environment (TEE). These security features combined with low power consumption, flexible processing, and small board area make the PSoC 6 architecture suitable for wearable devices.
Integrated embedded security
The definition of a security system varies by application. Some systems require blocking all access to a device, while others only need to verify whether firmware has been tampered with or copied. Cypress integrates an MCU with programmable security levels, wireless connectivity, and firmware to form a complete embedded security solution (Figure 1), and it works with major cloud service providers to support end-to-end privacy.

Security levels
Fitness trackers and smartwatches that use GPS on a paired smartphone or on the device itself can report a user's location in real time. These products also store personal health information such as heart rate, activity, and sleep patterns. Users do not want that information to fall into the hands of malicious actors. Because data moves from a watch to a phone and then to the cloud, it must be secured at every layer.
Last year, after some fitness-tracking services published user activity heatmaps, overseas military commands ordered personnel to disable GPS tracking on mobile devices because of the potential risk to soldiers.
Although most attackers are not interested in a user's health per se, they can glean a great deal of information by analyzing collected data points, such as when a user is likely to be away from an office or home. In military contexts, publicly available heatmaps could allow nonmilitary observers to monitor exercises or infer base layouts. Many smartwatches connect to the Internet via wireless links such as 4G or Wi-Fi, giving attackers more flexibility to access devices remotely and reach email or other data.
Cypress's solution protects user data in several ways, one of which is strong identity. For most wearables, fingerprint or biometric authentication is sufficient to authorize device access. For applications that require higher assurance, a secure MCU such as PSoC 64 can provide a protected device identity, or root of trust. The root of trust anchors a secure boot chain and supports additional security services such as mutual authentication and secure storage and protection of cryptographic keys.
To increase security, Cypress's IoT platform software provides fully integrated, verified cloud features such as MQTT, data collection, and device auditing. It also provides secure cloud functions such as Transport Layer Security (TLS) and firmware over-the-air (FOTA) updates. Key architectural security features include isolated dual Arm cores, hardware-accelerated cryptography, true random number generation, non-volatile memory, and encrypted external flash. In addition, the PSoC 6 architecture offers a low-power design with small packages and flexible processing suitable for wearable devices. Figure 2 details the security features built into the PSoC 64 Secure MCU.
