IoT summit - Building flexible & secure IoT solutions

Building flexible and secure IoT solutions IoT summit December 2016 Nicolas Bacca @btchip

Upload: eric-larcheveque

Post on 19-Jan-2017


TRANSCRIPT

Page 1: IoT summit - Building flexible & secure IoT solutions

Building flexible and secure IoT solutions

IoT summit

December 2016

Nicolas Bacca @btchip

Page 2: IoT summit - Building flexible & secure IoT solutions

A trust layer between the blockchain and the physical world

For industrials, enterprises and consumers

Securing the first and last mile

LEDGER TECHNOLOGY

Page 3: IoT summit - Building flexible & secure IoT solutions

Without trust, data has no actionable value

[Diagram: nodes and cloud servers in the blockchain/IT trusted zone; a user on a PC or a smartphone, an industrial sensor / IoT and a connected object in the physical world, where trust is absent]

Is this really you?

Am I allowed to execute this transaction?

Critical temperature data

Did the driver get switched?

Page 4: IoT summit - Building flexible & secure IoT solutions

Security issues : development and deployment

Trust and low cost production chain are conflicting issues

How to provision secrets

How to verify that a device is genuine

Page 5: IoT summit - Building flexible & secure IoT solutions

Security issues : runtime

Protect against invalid data fed to the solution (bug or fraud, Dieselgate)

Protect against software hacks and exploits

Protect against physical attacks

Page 6: IoT summit - Building flexible & secure IoT solutions

Security issues : firmware upgrades

How to deploy the firmware

How to verify the firmware integrity

How to avoid compromising a whole batch (see http://iotworm.eyalro.net/)

Page 7: IoT summit - Building flexible & secure IoT solutions

The ubiquitous Safe

Best technical solution for secure deployment at scale (cheap)

Best technical solution against physical attacks (theft, evil maid)

Page 8: IoT summit - Building flexible & secure IoT solutions

A configurable Safe

A lot of resources invested in secure remote management

Great portability of Java Card, at least on paper

Page 9: IoT summit - Building flexible & secure IoT solutions

Sweet spot yet to be found

[Diagram: platforms placed between "More security" and "More flexibility": Generic MCU, MPU, Crypto accel., Enclaves, 16 bits smartcard, ARM SecureCore, Additional I/Os]

Page 10: IoT summit - Building flexible & secure IoT solutions

In the meantime

Build a flexible platform to accommodate different design choices

Build on top of the smartcard security & ecosystem whenever (cost) possible

Create Plug and Play security upgrades for existing projects

Page 11: IoT summit - Building flexible & secure IoT solutions

Default IoT object architecture

Software, hardware vulnerabilities

Trust the environment

MCU

Sensors

Page 12: IoT summit - Building flexible & secure IoT solutions

More secure IoT object architecture

Software, (less) hardware vulnerabilities

Can be leveraged as an oracle

MCU (master)

Sensors

Security chip (slave)

Stateless security operations

Page 13: IoT summit - Building flexible & secure IoT solutions

Ledger BOLOS architecture

Security built in on the most secure component

MCU (slave)

Sensors

Security chip (master)

Stateless I/O requests

Tamper evident logic (shield, MEMS)

Tamper notification

Page 14: IoT summit - Building flexible & secure IoT solutions

Ledger first Hardware Oracle

Cryptographically attestable anti-tampering sensors

■ Secure chip ST31G480 (CC EAL6+)
■ Sensor
■ 3 axis anti-tampering MEMS
■ USB interface for blockchain computer
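
Added example (not from the slides and not Ledger's code): how a backend could check one reading returned by a hardware oracle such as the one above, covering genuineness, freshness and the tamper notification. The message layout, all names and the key scheme are assumptions; HMAC with per-device keys diversified from a master key stands in for whatever attestation scheme the real device uses, so that one extracted key does not expose a whole batch.

```python
import hashlib
import hmac
import struct

# Constructed demo key (assumption); a production master key stays in an HSM.
MASTER_KEY = bytes(range(32))
BODY_FMT = ">8s16siB"  # device id | verifier nonce | temperature in 0.01 C | tamper flag
BODY_LEN = struct.calcsize(BODY_FMT)


def device_key(device_id: bytes) -> bytes:
    """Derive a per-device key so one compromised device does not expose the batch."""
    return hmac.new(MASTER_KEY, b"sensor-attest-v1" + device_id, hashlib.sha256).digest()


def attest_reading(device_id: bytes, nonce: bytes, temp_centi_c: int, tamper: bool) -> bytes:
    """Device side: the reply the security chip would build for one stateless request."""
    body = struct.pack(BODY_FMT, device_id, nonce, temp_centi_c, int(tamper))
    return body + hmac.new(device_key(device_id), body, hashlib.sha256).digest()


def verify_reading(message: bytes, expected_id: bytes, expected_nonce: bytes):
    """Verifier side: return (accepted, reason, temperature in 0.01 C or None)."""
    if len(message) != BODY_LEN + 32:
        return (False, "bad length", None)
    body, tag = message[:BODY_LEN], message[BODY_LEN:]
    # Check the MAC in constant time before trusting any field of the body.
    good = hmac.new(device_key(expected_id), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return (False, "bad mac", None)
    device_id, nonce, temp, tamper = struct.unpack(BODY_FMT, body)
    if device_id != expected_id:
        return (False, "wrong device", None)
    # The nonce was chosen by the verifier for this request, so a replay fails here.
    if not hmac.compare_digest(nonce, expected_nonce):
        return (False, "stale or replayed", None)
    # An authentic reading from a device that reports tampering is still rejected.
    if tamper:
        return (False, "tamper flag set", temp)
    return (True, "ok", temp)
```
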

Page 15: IoT summit - Building flexible & secure IoT solutions

Ledger platform architecture

Trusted / Secure component (Secure Element or enclave) with limited I/O options

Non trusted component with more I/O options

Screen

Direct control from the Trusted component, proxied

Pairing at boot time

User app 1

User app 2

Button

Sensor

USB

Page 16: IoT summit - Building flexible & secure IoT solutions

Native ARM implementation

Native application 1

Native application 2

Native application 3

Microkernel

Secret data

MMU lock

User mode

Supervisor mode

System call

UI application

Page 17: IoT summit - Building flexible & secure IoT solutions

BOLOS platform APIs summary

Remote Applications (or scriptlets) Management

Sound cryptographic APIs (acceleration / power analysis / side channel resistance)

Auditable (Open Source SDK, non secure kernel)

Portability (Secure Element, Enclave, Enclave OS app, MCU)

Page 18: IoT summit - Building flexible & secure IoT solutions

Comparison of different BOLOS implementations

                  Security   Cost Efficient   Flexibility
Secure Element    ++         -                ++
Enclave           +          +                +
Enclave OS app    +          -                -
MCU               -          ++               +

Page 19: IoT summit - Building flexible & secure IoT solutions

Getting started with development

IoT development board to be announced

Nano-S resources : compiler and SDK - https://github.com/ledgerhq/ledger-nano-s

Sample applications : https://github.com/LedgerHQ/blue-sample-apps

Documentation in progress : http://ledger.readthedocs.io/

Developer Slack : http://slack.ledger.co

Documentation is getting put together, so don’t hesitate to ask on Slack

Page 20: IoT summit - Building flexible & secure IoT solutions

Thank you @btchip