
Security Management for Wearable Devices

Author: Adrian, April 07, 2026

 

Overview

Malicious third parties can attack connected devices in many ways, from distributed denial-of-service (DDoS) attacks to privacy breaches. IoT developers must build security features into connected products from the start rather than waiting for vulnerabilities to harm users and damage the manufacturer's reputation. The Internet Society recently found that "53% of consumers do not trust connected devices to handle their privacy and information responsibly."

To comply with data protection regulations such as GDPR and HIPAA, and as a matter of sound practice, IoT device manufacturers must protect user data and avoid sharing it without consent. Integrating security by design into IoT devices is challenging: developers must address data privacy while ensuring devices cannot be hijacked by attackers. Cypress's PSoC 64 Secure MCU implements application security using a hardware root of trust, secure key storage, hardware-accelerated cryptography, and a trusted execution environment (TEE). Combined with ultra-low power, flexible processing, and a small footprint, the PSoC 6 architecture is suitable for many wearable applications.

 

Embedded Security Architecture

Security requirements vary by application. Some systems must restrict all access to a device, while others only need to verify firmware integrity. Cypress combines an MCU with programmable security levels, wireless connectivity, and firmware to provide a complete embedded security solution, and it supports end-to-end privacy with common cloud services.

 

Security Levels

Fitness trackers and smartwatches often use GPS, either in the paired smartphone or in the device itself, and they can store personal health information such as heart rate, activity, and sleep patterns. Users do not want this information to fall into the hands of malicious actors. Because data is transmitted from the watch to the phone and onward to the cloud, each layer requires protection.

After certain fitness services made users' activity heat maps public, overseas U.S. forces were instructed to disable GPS tracking on mobile devices because the exposed data could create safety risks.

Although most attackers do not target users' health levels specifically, aggregated data points can reveal patterns such as when a person is likely to be away from the office or home. In military contexts, publicly available heat maps or location data could allow non-military actors to monitor exercises or infer base layouts. Many smartwatches connect to the internet via wireless links such as 4G or Wi-Fi, increasing the potential for remote compromise and unauthorized access to email or other information.

 

Identity and Root of Trust

One method to protect user data is reliable identification. For most wearable devices, fingerprint or biometric identification is sufficient to authorize access. For applications requiring higher assurance, a security MCU such as the PSoC 64 can provide a protected device identity, known as a root of trust. The root of trust supports a secure boot chain and offers additional security services such as mutual authentication and secure storage and protection of cryptographic keys.

 

Cloud Integration and Architectural Features

To enhance security, Cypress's IoT platform software provides integrated, validated cloud functions including MQTT, data collection, and device auditing. It also supports secure cloud features such as Transport Layer Security (TLS) and firmware-over-the-air updates (FOTA). Key architectural security features include isolated dual Arm cores, hardware-accelerated cryptography, true random number generation, non-volatile memory, and encrypted external flash. The PSoC 6 architecture offers a small-package, flexible-processing, ultra-low-power design commonly used in wearable devices.