
Bench Talk for Design Engineers | The Official Blog of Mouser Electronics

IoT Security: Place Your Trust in a Module

Mark Patrick

Data security is a very hot topic at the moment. It’s rare to get through a day without hearing news of a large corporation or an individual getting ‘burnt’. That’s hardly surprising when virtually every facet of our lives involves technology and the storage of data: the streets of every town are thronged with people glued to their smartphones, just managing their daily existence. Of course, the more reliant on technology we become, the more complex the picture becomes, with increasing levels of product interconnectivity. Nowhere is this more evident than with the Internet of Things (IoT).


The IoT presents a particular problem in terms of security. This is rooted in the fact that many of the devices that are or could be connected into the network are amongst the most basic and simple products. They are highly likely to be mere nodes, consisting of little more than a basic semiconductor and an internet connection that enables them to relay a minimal piece of information. The question of security is not going to have been uppermost in the thoughts of their designers.


With estimates of 20 or 30 billion devices being connected in the IoT by 2020, it’s not at all surprising that worries about security are finally surfacing. It’s often said that a company’s weakest point in terms of its data security lies in the users of its systems. There are any number of reasons for this. Passwords may not be changed as frequently as they should be (or may never be changed at all); users are likely to employ the most basic passwords (‘password’, ‘12345678’, etc.) because it’s too much like hard work to think up hacker-proof passwords for all of the different devices or systems most of us access on a daily basis – never mind having to remember them; users bring in devices from outside that may contain malware. The list of potential causes of problems is endless.


With billions of devices exchanging information, however insignificant its content, it stands to reason that many of them are going to provide a potential back door into users’ networks, whether those users are individuals or companies. It represents a data security nightmare.


The sheer scale of the potential problem is daunting. Given the exceptionally wide range of devices that are likely to be connected, it’s hard to envisage a common approach being taken to the implementation of security. Devices could range from the simplest telemetry meters stuck in a difficult-to-access location, possibly underground, to home security meters, automotive data reporting instruments, medical devices such as cardiac pacemakers or even applications as yet undeveloped.


Much of the development effort put into satisfying the requirements of the IoT and future-proofing it, to a degree, has been concentrated on technical aspects such as scalability and addressability. The development of version 6 of the Internet Protocol, IPv6, the most recent version of the communications protocol used to identify computers and route traffic across the internet, ensures that this vast array of devices will be able to be addressed. IPv6 is steadily being adopted globally.

So, IoT traffic can be addressed and carried, but how are users’ networks to be secured? The horse may not yet have bolted, but the stable door is definitely open.


Data encryption is a good solid way of ensuring that the contents of messages are sent and received safely. For the simplest IoT devices, symmetric encryption can be used, as the overhead it carries is lower and the computing power required is commensurately less. However, this type of encryption means users who need to encrypt data have to be issued with security keys. That immediately poses its own security risk in terms of potential misappropriation by third parties.


A far more secure way of protecting data is provided by asymmetric encryption. Public key infrastructure (PKI) uses a combination of public and private keys. Public keys are used to encrypt data and private keys to decipher it. While public keys are relatively easily derived from private keys, the reverse operation, working back from a public key to its private key through the algorithms that underpin the encryption, is considerably harder to perform.

The system uses a specially generated code called a hash to ensure that both sides of the communication know that the communication has been sent and received safely and no tampering has taken place. If the hashes generated at the sending and receiving ends of the message match, then the communication is ‘safe’. While the hash code is associated with the message, it cannot be used to decrypt its content. This code manipulation is carried out by the processor in a hardware trust module. Its code is entirely separate from that of the application itself.
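The hash comparison described above can be sketched in a few lines. This is an added example, not code from the original article: it assumes a keyed SHA-256 hash (HMAC) and a constructed key and telemetry reading, since the article names no algorithm, and on a real node the key and the hash computation would sit inside the trust module rather than in application code.

```python
import hashlib
import hmac
import json

# Constructed sample key (assumption). On a real node it would never leave
# the hardware trust module.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def send(reading, key):
    """Sending end: serialise the reading and attach a keyed SHA-256 hash."""
    payload = json.dumps(reading, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "hash": tag}


def receive(message, key):
    """Receiving end: recompute the hash and accept only if both match.

    Returns the decoded reading, or None when the hash is missing,
    malformed or different from the one computed locally.
    """
    try:
        payload = message["payload"].encode()
        received = bytes.fromhex(message["hash"])
    except (KeyError, AttributeError, TypeError, ValueError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, received):
        return None
    return json.loads(payload)


if __name__ == "__main__":
    msg = send({"node": "meter-17", "kwh": 42.5}, DEVICE_KEY)  # constructed reading
    print("intact:  ", receive(msg, DEVICE_KEY))

    # Payload changed in transit: the hashes no longer match.
    altered = dict(msg, payload=msg["payload"].replace("42.5", "4.25"))
    print("altered: ", receive(altered, DEVICE_KEY))

    # Receiver holding a different key cannot validate the message.
    print("bad key: ", receive(msg, b"\x01" * 32))
```

The hash travels alongside the payload and reveals nothing about it; keeping the payload confidential still needs the encryption discussed earlier.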


PKI, which was originally developed for mobile telephony and computing platforms, provides a good basis for the provision of security on the IoT. But maybe you can come up with something even smarter that can both protect devices on the network and safeguard the networks themselves from intrusion by those intent on causing harm or creating problems.


Ideas on a postcard – or maybe even a trusted hardware module – please.


Part of Mouser's EMEA team in Europe, Mark joined Mouser Electronics in July 2014 having previously held senior marketing roles at RS Components. Prior to RS, Mark spent 8 years at Texas Instruments in Applications Support and Technical Sales roles and holds a first class Honours Degree in Electronic Engineering from Coventry University.
