Most of the IoT security companies I speak with are building network-based products that analyze network traffic and look for rogue devices. On the device side, larger companies such as Microsoft and Google are working with the chip firms to provide secure elements on the silicon that can share keys with a cloud-based service. Doing so ensures that the device is what it says it is and that it belongs on the network.
These two approaches are complementary, and I expect in most enterprise settings we’ll see both types of security. NanoLock Security, a three-year-old startup, is tackling device-side security, but from a different area of the chip. NanoLock is based in Nitzanei Oz, Israel, and uses flash memory as the base for its secure element as opposed to a dedicated section of the processor.
Yoni Kahana, VP of customers at NanoLock, says the company has taken this approach because it needs to create a secure runtime environment. When malicious software comes in over the air with the aim of overwriting the current software, NanoLock software checks for a key. If the key isn’t correct, it won’t allow changes in the device’s memory. The key communication runs over a “trusted” channel with a cryptographic element, but Kahana says it isn’t traditional encryption.
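The key-gated write path Kahana describes, modelled as an added example in Python. This is not NanoLock's code or protocol: the page only says the check uses a key over a trusted channel and is not traditional encryption, so the HMAC-SHA256 tag, the monotonic anti-replay counter, the `SecureFlash` class and the `sign_write` function are all assumptions for illustration. The model goes one step beyond the text by binding each write to a counter, which is the check a practitioner would want so that a captured legitimate update cannot simply be replayed.

```python
import hashlib
import hmac
import struct


def _write_tag(key: bytes, addr: int, payload: bytes, counter: int) -> bytes:
    """MAC over (address, anti-replay counter, payload).

    HMAC-SHA256 is an assumption for illustration; the page does not describe
    NanoLock's actual construction beyond saying it is not traditional encryption.
    """
    msg = struct.pack(">IQ", addr, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_write(key: bytes, addr: int, payload: bytes, counter: int) -> bytes:
    """Host/updater side: authorize one write with the per-device key."""
    return _write_tag(key, addr, payload, counter)


class SecureFlash:
    """Model of a flash chip whose write path is gated on a key check.

    Assumption: the per-device key is provisioned into the flash chip itself and
    never read out; an updater proves knowledge of it by tagging each write.
    Reads are unrestricted, writes without a valid tag are refused.
    """

    def __init__(self, size: int, device_key: bytes) -> None:
        self._key = device_key            # held inside the chip, never exported
        self._data = bytearray(b"\xff" * size)   # erased flash reads as 0xFF
        self._counter = 0                 # monotonic; makes a captured write single-use
        self.rejected = 0                 # count of refused writes (for telemetry)

    def counter(self) -> int:
        """Current write counter; the host reads this before signing a write."""
        return self._counter

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self._data[addr:addr + n])

    def write(self, addr: int, payload: bytes, counter: int, tag: bytes) -> bool:
        """Apply a write only if it is in range, fresh, and tagged with the device key."""
        if addr < 0 or addr + len(payload) > len(self._data):
            self.rejected += 1
            return False
        if counter != self._counter:      # stale or replayed write
            self.rejected += 1
            return False
        expected = _write_tag(self._key, addr, payload, counter)
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            self.rejected += 1
            return False
        self._data[addr:addr + len(payload)] = payload
        self._counter += 1
        return True


def demo() -> dict:
    """Legitimate update succeeds; a rogue image and a replayed write are refused."""
    device_key = bytes.fromhex("00" * 16 + "ff" * 16)   # constructed per-device key
    attacker_key = bytes.fromhex("de" * 32)             # constructed: attacker's guess
    flash = SecureFlash(4096, device_key)
    good = b"FW v2.0 " + b"\x90" * 8                    # constructed "firmware" image
    evil = b"BACKDOOR" + b"\xcc" * 8                    # constructed rogue image

    results = {}
    tag = sign_write(device_key, 0x100, good, flash.counter())
    results["legit"] = flash.write(0x100, good, flash.counter(), tag)
    bad_tag = sign_write(attacker_key, 0x100, evil, flash.counter())
    results["rogue"] = flash.write(0x100, evil, flash.counter(), bad_tag)
    results["replay"] = flash.write(0x100, good, 0, tag)   # old counter, old tag
    results["image"] = flash.read(0x100, len(good))
    results["rejected"] = flash.rejected
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the check is a MAC, not encryption: the image is written in the clear and anyone can read it back, which matches the description of the mechanism as something other than traditional encryption. What the chip refuses is a change to its contents that the key holder did not authorize.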
The approach requires flash memory makers to offer a NanoLock-certified chip; makers covering about 80% of the memory market, including Micron, Winbond, and Cypress Semiconductor, now offer such a chip. By basing security in flash memory, the NanoLock product protects the device's stored code and configuration from being overwritten at runtime, so an attack that tries to persist by rewriting firmware in flash wouldn't succeed. Spectre is a poor example here, though: it is a speculative-execution side channel that leaks data by reading memory rather than writing it, so write-gated flash limits what an attacker can install after such a leak rather than preventing the leak itself.
The approach works on more capable IoT devices such as gateways as well as more constrained products, such as sensors and embedded controllers. Customers interested in adopting this technology have to buy devices with a certified chip, so unless the buyer is willing to replace the flash memory inside, it won't protect an existing product retroactively.
Going forward, however, customers can buy NanoLock-certified flash memory and keep it in inventory without paying for the security feature; the fee is due only when a client activates the device. This suits long-lived products that a manufacturer may take years to ship. For example, a chip inside a car's telematics unit might be purchased in 2019 but not need activation until the car reaches the dealer lot two or even three years later.
French aerospace provider Thales is a NanoLock customer. So far, NanoLock has raised $7.5 million in outside funding.