One of the greatest challenges when designing new connected devices is impeccable security. This is why ST will hold a hands-on lab on secure boot and firmware update during its Developers Conference that will take place in Santa Clara on September 6. IoT has taught us one thing: nothing is safe! One of the big security scandals this summer took place because a self-balancing scooter had not secured its firmware and mobile application. It hadn’t “implemented firmware integrity checking”, according to the security firm IOActive, which opened users to the possibility of hackers remotely controlling their vehicle and propagating the malware to surrounding devices.
Secure boot and firmware updates are indispensable security pillars. The latter is self-explanatory, it often takes place wirelessly (over-the-air), and is crucial because it’s the best way to immediately fix any vulnerability. Perfect security doesn’t exist and companies must design a contingency plan when things go wrong. Likewise, secure boot is absolutely fundamental because it makes sure the first piece of software that runs when the device turns on is safe. After all, if nothing protects or guarantees the first lines of code, anything else that builds on it, like the drivers or the operating system, can’t possibly be truly safe either.
Secure Boot and Firmware Update: No More Excuses
InfoSec (Information Security) and cyber security are extremely complex branches of computer science and this blog post, and the lab, will not go into too much theoretical depth for a simple reason: the point of this hands-on training is to show that implementing these two features can be easier than expected, even if engineers don’t have an extensive knowledge of the underlying principles. As we sat down with the Strategic Security team at ST that will lead the lab, they explained that the presentation has little prerequisites and that they were aiming for the broadest appeal possible. As a result, people who attend this presentation will receive a USB key with an IDE (IAR), as well as application examples and source codes. ST will simply ask them to sign a licensing agreement.
The idea is to take the complexity out of these security measures. After a brief introduction, the lab will present the blocks that must come together to implement diverse features. Hence, the presentation will be practical and high-level enough so all the attendees can reproduce at home what they did at the conference. The only requirement is that participants have a cursory knowledge of C and that they bring a PC running Windows 7 or up. Macs running the Microsoft operating system through a virtualized environment, or Boot Camp, are welcomed. The lab will use a NUCLEO-L476RG board, but the tools and procedures will be general enough so they can be applied to other ST platforms.
Practical Building Blocks for Your Secure Empire
The Strategic Security team explained that the presentation will build on some of the security measures that are commonly found on STM32 devices like the firewall, a system designed to secure specific code or data stored in the Flash or SRAM. This protects against memory dumps or access to sensitive information by hackers. This part of the lab will also cover other memory protection mechanisms that shield the system from harmful read or write operations by explaining why they are useful and how to use them. Similarly, other sections of the labs will touch on the APIs of the crypto-library and how to use them in a safe manner.
Hence, the lab will be modular, because the whole point is to guide attendees through the use of all the tools at their disposal. The best approach to security is a holistic one and although the focus is on secure boot and firmware update, the presentation has a general and practical purpose to invite all engineers to adopt best practices that maintain a flow of control and a trusted environment at all stages of the user’s experience. It’s not enough to say that a product uses a specific cryptographic method or a particular feature if no one closes the debug port! From the earliest stages of conception, engineers must understand that all the security layers and services work together.
Securing a Spot
This is a very crucial talk because even people with little to no security knowledge will come out empowered with tools and experience that can help them secure a vast number of devices. Attendees who’d like a little more background information can also attend the session “Platform Level Security for IoT Devices” from Bob Waskiewicz. The lab is called “Introduction to Secure Boot & Firmware Update Hands-on Training”. Unfortunately, it’s possible that some may not be able to attend if space runs out. We therefore advise attendees to line up early. The more cautious participants can also read the license agreement in advance.