The Internet of Things (IoT) is a term used to describe the fact that wireless connectivity has been added to many microcontrollers. These are the chips, or devices, that power most consumer and industrial electronics. Connectivity adds a lot of scope for new functionality but it also presents significantly higher security risks.
The IoT runs on microcontrollers, not microprocessors. Microprocessors are the chips used to power servers, PCs and phones. The fact that the names and certain functions of these two classes of chips are similar can get confusing. The key difference between them is scale.
The mid-range option of the iPhone 11 costs around $1500 (at the time of writing) and is powered by Apple’s Bionic Microprocessor made from an estimated 4.3 billion transistors. An educated guess at the chip cost might be $100 – $200. The Arm M0, a mid-range microcontroller often used in IoT applications, costs approx $2 for the version with Bluetooth capability, and uses between 100 and 150 thousand transistors. The microcontroller is 50 times less expensive and 28,667 times smaller in terms of transistor count.
This example is just illustrative, as there are different classes of devices with broad ranges of size and cost. But you can imagine, there are things you just can’t do with a microcontroller, like run a cell phone for example. It is also true to say that a microprocessor would never be used to carry out a function that a microcontroller could manage.
There is another distinction in the approach to the chip design of microprocessors and microcontrollers. Microprocessors are always being pushed to be more powerful whereas microcontrollers are design-driven to perform a simple function in the smallest, most cost-effective way. Every additional chip feature is measured for its utility in terms of cost, size and power consumption. While this approach has powered growth into new consumer markets, it throws up security challenges.
There are far more microcontrollers in the world than microprocessors. Estimates vary, but semiconductor suppliers shipped approximately 25 billion microcontrollers in 2019, which is 20 times the unit shipping of microprocessors. This fact is often masked when market comparisons are made by dollar value.
Microprocessors can address significantly larger external memory when compared to the internal memory available in microcontrollers. As a result, they can run much larger blocks of application code which includes all the security features we are familiar with on our PCs and phones.
A single microcontroller operating a vacuum cleaner or fridge simply cannot mimic these security features. Microcontrollers therefore represent a security risk to the manufacturer’s design IP. Competitors may hack their products in order to copy them, and this process can be relatively simple in comparison to hacking a microprocessor. Counterfeiting, or over-production alone represents a significant risk to companies’ revenues but as concerning as that is, there is an arguably graver risk once a microcontroller is ‘connected’ as it can now be exposed to external liabilities.
Once you connect a microcontroller to the Internet this security issue increases considerably. Now a simple consumer product with limited ability to protect itself can be used to launch malicious attacks on global Internet infrastructure. As the connected IoT ecosystem the microcontroller inhabits gets more complex, the number of security risks multiplies drastically. You only need here to see the consequences of these attacks.
Governments globally are working on how to legislate for responsibility for these security breaches. The landscape is complex but what is certain is that the companies who produce simple connected devices will have to consider security in their designs in a way they have not done so before. Also, the responsibility for design lapses that end up exposing the public to security threats will fall directly at the feet of the executives running these companies.
In 2019 the percentage of the 25bn microcontroller units that shipped with connectivity was small. This trend is changing fast. A microcontroller can have Bluetooth added to it for as little as 50 cents. The scope of applications and the market opportunity is huge. This combination of the production of huge quantities of lightly powered devices coupled with connectivity lies at the heart of the security problem.
There exists a class of microcontrollers today which implements both of these solutions. We use them daily in our SIM cards and credit cards. These chips, which have an identical form factor and design structure, are made in volumes of 10s of millions at a small number of large secure programming facilities globally. The code to program them is well developed and mature.
However, one issue for IoT manufacturers is that there are a widely diverse number of chips and applications. Volumes are large but lot sizes are small. The market is not concentrated to a few companies or a few geographies. The software, hardware, and programming services ecosystem is still being developed.
Security is a specialized and complex subject, and legislation is still under development. It is not easy or cheap for companies to build in robust security solutions that protect their customers and themselves. In a very cost-sensitive marketplace, how to develop a robust but cost-effective solution is a non-trivial challenge.
EPS offers Programming-As-A-Service to OEMs and CEMs and has operations in all of the major global electronics manufacturing markets.
We are currently working with selected software partners to bring new solutions to the market in 2020. Our aim is to identify partners who can work with us to deliver a global end-to-end security solution for our customers.
Customers will have the ability to encrypt their data and send it to EPS for volume provisioning of devices. Matching hardware and site security at our Programming Centers will ensure our customers’ IP is protected, ensuring the devices cannot be counterfeited or over-produced.
EPS will also be able to add unique IDs and security certificates to IoT devices. These will allow the chip to recognize a valid code update from its manufacturer, and distinguish that from a malicious attack, ensuring security throughout the lifetime of that device.
We hope to announce partnerships in Q1 2020 and deliver solutions based on those partnerships during the early part of 2020.
This will deliver solutions to help our customers meet their security and cost objectives anywhere in the world.