The document discusses securing edge devices and describes Zymbit's security modules. Zymbit modules provide whole device security through hardware-based key storage, encryption, authentication, and tamper detection. They integrate easily with single board computers and support features like the AWS IoT Greengrass Hardware Security Integration. Zymbit aims to provide easy but robust security for edge devices through their plug-and-play modules.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Understanding and Hardening the
Attack Surface at the Edge
Tim Mattison
Global Tech Lead, IoT Partners
Amazon Web Services
G P S T E C 4 0 2
Phil Strong
CEO, Founder
Zymbit

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Don't neglect edge security
"Attacks always get better,
They never get worse"
- NSA*
*allegedly

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Physical interfaces
• Console ports
• Serial ports / busses
• Flash

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Secure flash/secure boot
• Secure flash protects a system from offline attempts to pull and
read/write the flash
• Secure flash DOES NOT usually protect a system from software
exploits since the flash is decrypted for them
• Secure boot makes sure the software at startup is from a trusted
source
• Secure boot DOES NOT protect a system from bugs, compromised
development systems, etc.

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network interfaces
• Over-the-air (OTA) updates
• Insecure services
• Remote DoS

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Development infrastructure
• Code repositories
• Continuous integration systems
• Staging areas for build artifacts

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Real world / social engineering
• Deployment processes
• Installation processes

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Attack surface for embedded devices at the edge
• Reduced capabilities of edge devices is a double edged sword
• Typically fewer things to attack
• Only if the hardware has sufficient capabilities to protect itself

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Attack surface for Linux devices at the edge
• SSH, username and password, shared keys, lack of two-factor auth
• Software updates
• Extra services running
• Running a lot more code that the customer didn't write…
• …and just because it's open source doesn't mean it has been audited

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
There is hope
If you only improve one aspect of the attack surface in an edge system…
NEVER HAVE PRIVATE
KEYS IN MAIN MEMORY

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Secure elements, TPMs, HSMs
• Lock away the private key
• Similar to using STS for IAM, credentials have a limited scope in terms
of time
• Standard practice in the embedded space, becoming more popular in
the Linux world

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IoT Greengrass Hardware Security Integration
• HSI allows you to use your secure element, TPM, or HSM to secure your
credentials

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Greengrass config before HSI
"certPath": "core.crt",
"keypath": "core.key"

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Greengrass config with HSI
"PKCS11": {
"OpenSSLEngine": "libp11-kit.so.0",
"P11Provider": "libsofthsm2.so",
"slotLabel": "greengrass",
"slotUserPin": 1234
}
"privateKeyPath":
"pkcs11:object=iotkey;type=private"

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Zymbit Zymkey and HSI
• AWS Greengrass is being used in AWS data
centers to control the AutoCrib, an industrial
vending machine
• Current integration runs on Raspberry Pi
• Data Center Operations (DCO) tenet: Increase
the security and efficiency of AWS data
centers
• DCO chose the Zymbit Zymkey to add another
layer of security into this system

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Zymbit Zymkey and HSI
• Zymbit has created a production ready security device that interfaces
with the Raspberry Pi style header
• Let's hear directly from our partner…

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Zymbit Security Modules for edge devices
• For single board computers
• Whole device security
• Hard to penetrate
• Easy to integrate

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Edge devices live in the wild
• Outside of firewalls & physical infrastructure
• No operator or guardian
• Unsanctioned sensors, peripherals
• Intermittent power grid & network
• Service access sometimes required

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
They contain valuable digital assets, with outsized
impact
• Credentials to services & file system
• Application data
• Proprietary application code
• Commercial and physical impact if penetrated

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Keys to the kingdom
Keys protect valuable digital assets
But who protects the keys!?

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How kingdoms are protected
• A layered approach
• Defense in depth
• Whole device security

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Protect the keys
• Secure element chip (SE)
• Generates and stores keys in hardware
• Private key never exposed
• Crypto engine
• Signs and encrypts data
• True random number generator
• Active shield in silicon
Your Physical Device
Single Board Computers
Zymbit Secure API
Zymbit Security Module
Zymbit Security
Supervisor
Secure
Element
Key Store
Crypto
Engine

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Protect the secure element
• Dedicated security supervisor MCU
• Isolates SE from the real world
• Encrypted intra-processor sessions
• Adds application facing features
Your Physical Device
Single Board Computers
Zymbit Secure API
Zymbit Security Module
Zymbit Security Supervisor
Secure Element
Key Store
Crypto
Engine

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Protect the supply chain
• Self contained plug-in module
• Integrate at point-of-system assembly
• Battery powered
• Real time clock
• Onboard physical tamper sensors
Your Physical Device
Single Board Computers
Zymbit Secure API
Zymbit Security Module
Zymbit Security
Supervisor
Secure Element
Key Store
Crypto
Engine

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Protect communications
• Abstracted communication interface
• No direct communication to secure element
• Limited command set
• OEM flexible
Your Physical Device
Single Board Computers
Zymbit Secure API
Zymbit Security Module
Zymbit Security
Supervisor
Secure Element
Key Store
Crypto
Engine

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Protect identity
• Unique measured system fingerprint
• Multiple factors
• Board components
• OEM sanctioned system peripherals
Your Physical Device
Single Board Computers
Zymbit Secure API
Zymbit Security Module
Zymbit Security Supervisor
Secure Element
Key Store
Crypto
Engine

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Protect from physical attack
• Perimeter circuits
• Power monitoring
• Shock monitoring
Your Physical Device
Single Board Computers
Zymbit Secure API
Zymbit Security Module
Zymbit Security
Supervisor
Secure Element
Key Store
Crypto
Engine

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Whole device security
• Physical
• Digital
• Supply chain
Your Physical Device
Single Board Computers
Zymbit Secure API
Zymbit Security Module
Zymbit Security Supervisor
Secure Element
Key Store
Crypto
Engine

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Whole device security with Zymkey 4i
Physical tamper detection
Device authentication
Data encryption & signing
Secure key generation & storage
Real time clock
Hardware secure element
Ultra low power
Qualified Integrations

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Easy integration with Raspberry Pi
• Plug-in module
• Connects to GPIO header
• Simple API for C, C++, Python

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Whole device security
 Physical security
 Measured identity
 Secure element




38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Whole system security
• Easy integration with AWS IoT Greengrass

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Easy integration with HSI
• Example video - accelerometer

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Applications
Encrypted File System Secure Enclosure Design
AWS IoT Integrations

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Documentation community.zymbit.com

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Developer Kit
 Zymkey 4, 6 support
 Tamper switches x4
 Cable lock
 SD card protected
 12 to 36V power







43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Integration with Single Board Computers (SBC)
• With Pi Compatible GPIO • Other Linux SBCs (2019)
Beaglebone
OdroidAsus
Tinkerboard
Pi Flavors

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Designed & Manufactured in California
• Built in ITAR compliant facility
• High volume capacity
• OEM custom solutions available

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
OEM custom solutions

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where to buy Zymbit security modules

47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Modules for IoT Devices
Hard to penetrate
Easy to integrate

48. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

49. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.