Trustonic secured IoT device auto-enrollment for Google Cloud Platform and Amazon Web Services

Enable IoT devices to securely identify and enroll themselves in the field

Companies, factories, utilities and cities deploying IoT systems need to know that data from sensors and devices is trusted and coming from an actual authentic device, not from a cyber-attack or from a hacker.

Consumers buying IoT devices want certainty that the device they have bought is the genuine article – not a fake built from stolen plans or a cheap clone that doesn’t meet functional or safety standards. Equally, manufacturers of those devices who are supporting large back-end systems need to know that only genuine devices can connect to their platforms. This is to ensure both that the data they exchange can be trusted and that their customers don’t associate their brand with a sub-optimal experience.

To achieve all of this, it is essential to be able to trust the device. Trustonic’s IoT security platform injects individual device identities and keys into hardware at silicon manufacture. The associated keys are only accessible in the most secure part of the device – the Kinibi-M Trusted Execution Environment (TEE).

The secure device identity is known as a Root of Trust (think of it as a digital birthmark) providing a unique and provable device identity. The TEE ensures protected keys and data cannot be accessed by either malware or other software-based attacks. It also enables a Trustonic-secured device to securely identify itself as authentic to a cloud service.

Secure provisioning for leading cloud platforms

Demonstrating the solution

Trustonic first demonstrated this concept live at Arm TechCon 2017, showing devices automatically enrolling with an AWS-based web service. Using attestation to prove that an AWS Certificate Signing Request originated from a legitimate device, the demonstration showed the corresponding TLS certificate being provisioned automatically. This was demonstrated on devices using both an ARM Cortex-A9 processor (the ARTIK 530) and an ARM Cortex-M23 processor (the Nuvoton M2351).

The concept was demonstrated again at Google Cloud Next 2018 and Arm TechCon 2018 with the automatic pairing of an IoT device running on a Microchip SAM L11 MCU with the Google IoT Cloud Platform. The Google IoT cloud leverages X.509 client certificates for security and Trustonic issues and enrolls client certificates automatically.

This live demonstration showed how a freshly-unboxed device can securely enroll with a cloud service, presenting cryptographic proof that it is a valid device from a given manufacturer. In return, it will be issued with an SSL client certificate. Once enrolled, the device can communicate using GCP IoT services, such as MQTT. Trustonic libraries running in TrustZone and associated strong identity can then be used for further security-sensitive services, such as handling of user data or securing access to peripherals.

Secure provisioning for leading cloud platforms

Secure provisioning for Google Cloud and Amazon Web Services

Secure provisioning for Google Cloud and Amazon Web Services.

  • MCU is “born secure” with unique identity and secure software
  • Module or device is built and marked as genuine, using Digital Holograms
  • Device is installed and turned on
  • Device generates an enrollment request (CSR) for associated cloud IoT services. This is signed in secure world software

Download the Automatic Cloud Enrollment PDF

IoT Cloud Security, Device Authentication & Enrollment

Automatic Cloud Enrollment

Secure automatic IoT device cloud enrollment, Enable IoT devices to securely identify themselves in the field with secured IoT device auto-enrollment.

Trustonic for IoT