An unfortunate consequence of a well-connected world (i.e., the proliferation of the Internet of Things [IoT]) is that the cost of cybercrime has gone up – a lot. A recent report has put a number on it: worldwide, cybercrime costs an estimated $600 billion USD each year, up from $500 billion in 2014 [1].
Poorly protected IoT devices can be a particular problem, providing new, easy ways for hackers to steal information or gain access to valuable data, networks or physical assets [4]. In fact, recent data suggests the cost of poorly protected device identities is between $15B and $21B, or between 9% and 13% of the total U.S. economic loss caused by cyber events (estimated to be $163 billion) [2].
All of these big numbers add up to one truth: the need has never been greater for trusted identification of connected devices. Enter the Trusted Execution Environment (TEE).
Securing devices using the principle of isolation
A Trusted Execution Environment (TEE) is a secure, isolated area of a main processor that provides ensured execution integrity of applications, along with confidentiality of assets such as credentials, certificates, keys and data. It provides a high level of trust in the management of those assets because they are protected at rest from “unknown” attackers external to the TEE, including code running elsewhere on the same device.
Specifically, the “trust” part of TEE requires that all TEE-related assets, code and other components of the device’s boot chain (e.g., the boot loader, the operating system platform, installed application images) have been installed and started through a process that verifies each stage’s initial state is as expected:
Once integrity is verified, the bootloader enables access to the encrypted file systems and transfers execution to the next stage in the bootstrap process.
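The chained verification described above, as an added example that is not iSTAR firmware or Tyco code: each stage image embeds the digest of the next stage, a root-of-trust digest anchors the chain, boot halts at the first mismatch, and a measurement register gates release of the encrypted-filesystem key. The stage names, payloads, keys and the HMAC-based sealing are constructed assumptions for illustration.

```python
"""Simulated verified-boot chain with measurement-gated key release.
Added example, not iSTAR firmware. root_digest stands in for an immutable
root of trust (ROM/eFuse); the sealed filesystem key for an asset held in
the TEE. All images, payloads and keys are constructed for illustration."""
import hashlib
import hmac

STAGES = ["bootloader", "trusted_os", "application"]
ZERO = b"\x00" * 32

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_chain(payloads: dict) -> tuple:
    """image = digest(next image) || payload, built last stage first.
    Returns (images, root_digest), root_digest being stage one's digest."""
    images, next_digest = {}, ZERO          # zero digest terminates chain
    for stage in reversed(STAGES):
        images[stage] = next_digest + payloads[stage]
        next_digest = sha256(images[stage])
    return images, next_digest

def verify_boot(images: dict, root_digest: bytes) -> tuple:
    """Walk the chain, halting at the first digest mismatch. Returns
    (booted, failing_stage, pcr); pcr is a TPM-style register extended
    with each verified image's digest."""
    expected, pcr = root_digest, ZERO
    for stage in STAGES:
        actual = sha256(images[stage])
        if not hmac.compare_digest(actual, expected):
            return False, stage, pcr        # tampered: stays unbootable
        pcr = sha256(pcr + actual)          # extend measurement register
        expected = images[stage][:32]       # digest expected of next stage
    return True, None, pcr

def seal_key(fs_key: bytes, pcr: bytes) -> bytes:
    """Bind a <=32-byte key to a known-good pcr: XOR keystream plus HMAC
    tag, both derived from pcr (stand-in for authenticated encryption)."""
    ct = bytes(a ^ b for a, b in zip(fs_key, sha256(b"enc" + pcr)))
    return ct + hmac.new(sha256(b"mac" + pcr), ct, "sha256").digest()

def unseal_key(sealed: bytes, pcr: bytes):
    """Return the key only when pcr matches the sealing pcr, else None."""
    ct, tag = sealed[:-32], sealed[-32:]
    expected_tag = hmac.new(sha256(b"mac" + pcr), ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, sha256(b"enc" + pcr)))
```

A modified stage changes its digest, so verification stops there, the measurement register never reaches the sealing value, and the filesystem key stays locked.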
TEE employs next level security hardening
Isolation is the key to a more security-hardened device, and hardening is the process of securing a system by reducing its surface of vulnerability. Reducing the available avenues of attack typically includes changing default passwords, removing unnecessary software, usernames or logins, and disabling or removing unnecessary services. Combining the concept of isolation with security hardening is the essence of TEE and is the enemy of our enemy (hackers).
Enhanced security
Hackers are notoriously smart. They make a living from devising ways to defeat encryption. TEE goes beyond encryption – it creates locked-down “trust zones”, dividing resources of the processor package and peripherals into trusted domains. Quite simply, credentials, certificates, keys, etc. are stored in such a way that they are INACCESSIBLE to hackers – even when power is interrupted.
There’s no debate that TEE makes devices more secure, but it can also increase performance and functionality.
Flexible approach to advanced hardware-based cybersecurity
The TEE is an evolution of the more fixed approach of the Trusted Platform Module (TPM), which stores encryption keys on a dedicated chip.
Increased performance and functionality
TEE is a supreme multi-tasker – encrypting content while it is stored in non-volatile memory and decrypting it while transferring to another section of memory. This frees up the processor and allows it to perform at a higher level. And, because TEE is a software (firmware) solution, its functionality can be customized and updated easily.
TEE is basically a hardened, super-performance enabler.
Just the kind of thing you need in your access control solution.
Access control devices live in the IoT universe
If you’ve read this far, you probably have some level of responsibility for your company’s physical access control system.
Regardless of how many buildings or devices you may have installed in your application, they are often networked to each other, to third-party devices, and to host client computing devices using an IoT or IP networking infrastructure – making them potential targets for cyberattacks.
We all remember how easy it’s been historically for hackers to access devices via the serial port, etc. With TEE, any attempt to modify the system (its boot loader, trusted OS or application images) would fail integrity verification and render it ‘unbootable’.
TEE-protected access control devices provide a higher level of trust in validity, isolation and protection of assets stored in this space. This then ripples down to an assertion that the trusted OS and applications executing inside that space are more trustworthy.
Security with Trusted Execution Environment | Traditional Security
--- | ---
Isolated Execution | Confidentiality
Secure Storage | Integrity
Remote Attestation | Availability
Secure Provisioning |
Trusted Path |
*table courtesy of University of Cambridge
iSTAR Edge G2 from Tyco Software House is the first access control edge device to utilize TEE to guarantee confidentiality and integrity of code and data. This provides reliable storage of keys and other cryptographic materials and manages a secure boot process to guarantee authenticated sources for hardware and software.
iSTAR is already known as one of the more security-hardened IP edge portfolios on the market, and the addition of iSTAR Edge G2 and its TEE implementation bolsters its advanced cybersecurity protection.
Beyond TEE, iSTAR Edge G2 also features:
Hackers are here to stay. It’s an unfortunate reality, but one that has partially formed the industry and professions that employ many of us. These ‘bad actors’ evolve quickly, and so then must the technology used to impede them.
Trusted Execution Environment (TEE) is one such technology. It enables modern devices to provide a massive range of functionality, while at the same time meeting the requirements of software developers, service providers, and security professionals who care about privacy, attestation, authentication, validation, manageability and all aspects of security.