Partnership secures OTA updates for IoT devices

  • March 31, 2021
  • Steve Rogerson

Winbond Electronics, Nuvoton and Qinglianyun have combined technologies to enable a cloud-to-device process for implementing secure over-the-air (OTA) firmware updates in IoT devices

Taiwanese companies Winbond, a supplier of semiconductor memory, and microcontroller manufacturer Nuvoton have teamed up with Chinese security software developer Qinglianyun to introduce an integrated reference design for secure OTA firmware updating of IoT devices. The technology is secured from the cloud to the device’s code storage memory.

By providing a proven way to implement secure firmware updates on secure and certified hardware and software, the technology can reduce the time it takes to develop IoT devices, and helps OEMs get to market faster with products for smart city, smart home, metering, industrial control and other security-conscious applications.

The reference design is based on the Nuvoton M2351SF IoT security MCU, a multi-chip module consisting of the M2351 IoT security microcontroller and Winbond’s W77Q TrustMe secure flash memory IC. The M2351 is based on the Arm Cortex-M23 secure processor core with TrustZone technology. The module’s W77Q secure flash device is connected to the M2351 via an encrypted serial peripheral interface, which resists sniffer attacks on data transferred between the two chips.

To provide a trusted execution environment (TEE) for secure OTA firmware updating operations and communications with the cloud, the M2351 runs Qinglianyun’s TinyTee secure software stack in TrustZone-protected hardware. Using the 32Mbit secure storage provided by the W77Q, the reference design provides for storage of secure and non-secure firmware and data, authenticated access control to ensure the integrity of firmware and data, and rollback protection.

The TinyTee software on the M2351 connects to Qinglianyun’s secure cloud service, which provides a suite of IoT device management capabilities, such as device authentication, secure storage, encryption engine and true random number generator, and complies with the Global Platform TEE standard interface.

This system thus provides a secure chain of trust for the provision of OTA firmware updates from the cloud all the way to the W77Q secure flash memory, with no vulnerability to remote attack or exposure of private data.

The W77Q helps ensure robust, end-to-end security in IoT devices by enabling: secure storage; secure boot and root-of-trust; authenticated and encrypted data transfer between the flash device and the host; secure execute-in-place (XiP) of boot and application code; and system resilience, supporting the key security functions of protection, detection and recovery.

The M2351 microcontroller also offers multiple security capabilities including secure bootloader, hardware cryptographic accelerators, execute-only memory and tamper detection pins.

Nuvoton Technology was founded to bring semiconductor products to market. It was spun-off as a Winbond Electronics affiliate in July 2008 and went public in September 2010 on the Taiwan Stock Exchange. The company has subsidiaries in the USA, China, Israel, India, Singapore, Korea and Japan.

Nuvoton focuses on the developments of microcontroller, microprocessor, smart home and cloud security ICs for industrial, consumer and computer markets. It owns a wafer fab, featuring customised processes for analogue and power products. Besides in-house IC products, the wafer fab also provides part of its capacity for foundry services.

Qinglianyun Technologies is a vendor of IoT security products, specialising in network security, cloud computing and hardware security. Established in 2016, its headquarters are in Beijing.

Winbond Electronics is a supplier of semiconductor memory, backed by product design, R&D, manufacturing and sales services. The company is headquartered in the Central Taiwan Science Park and it has subsidiaries in the USA, Japan, Israel, China, Hong Kong and Germany.