Intel® Secure Device Onboard: Onboarding Billions of Devices Just Got Simpler

Intel SDO

Today, at IoT Solution World Congress in Barcelona, Intel launched the Intel® Secure Device Onboard (Intel® SDO) service. Intel® SDO vastly accelerates trusted onboarding of IoT devices—from minutes to seconds—with a zero-touch, automated process. That process begins when the device is first powered on, and it ends when the customer’s Internet of Things (IoT) platform takes control. In this post, I will focus on the revolutionary security technology that Intel delivers to make the entire onboarding process for devices hardware-protected, private, and scalable.

Shipping default credentials, error-prone human authentication of headless devices, and potentially vulnerable software updates represent fundamental risks to IoT that grow the surface area available for attacks like the Mirai Botnet. That is why the IoT industry needs to automate security and leverage the protections that hardware can deliver. Given the sheer volume of IoT devices (Gartner predicts there will be 20 billion by 2020), security automation is essential to turning the tide. The Intel® SDO service delivers automated IoT security that protects each device during its entire security lifecycle: from protected boot and authentication at power on, to secure registration with the IoT platform, to an instant update of the device’s image.

At its heart, Intel® SDO leverages Intel® Enhanced Privacy ID (Intel® EPID), released in 2008, as a means to cryptographically authenticate Intel® platforms remotely—without putting Intel in the direct authentication path.

Intel EPID Diagram

Intel ratified this approach as an open standard with the Trusted Computing Group/International Standards Organization (TCG/ISO), and we have shipped 2.7 billion Intel® EPID keys inside Intel® processors’ trusted execution environments. The unique, privacy-preserving model enables a critical use case: to provide private, anonymous onboarding of devices, and to help to establish a secure, encrypted communication channel between the device and its control platform.

Intel has worked closely with more than 30 ecosystem partners to begin enabling their solutions for the Intel® SDO zero-touch/zero-worry onboarding model. 

Using our toolkits (available at no cost) and our cross-platform onboarding service, ecosystem partners can enable any device to onboard to any IoT platform in a single session, as opposed to a one-off configuration for each platform method.

Customers want maximum flexibility, and they will gravitate to open models, such as Intel® SDO and Intel® EPID, that span ecosystems and platforms. In fact, Intel has worked with ARM microcontroller (MCU) providers like Microchip, Infineon, and Cypress to ensure  IOT devices have an Intel® EPID credential to seed this zero-touch capability.

According to John Weil, Vice President of the MCU Business Unit at Cypress, “The PSoC 6 MCU architecture is purpose-built for the Internet of Things, with security, ultra-low power, performance, and flexibility as its key pillars. An onboarding solution that combines the strengths of PSoC 6 and Intel’s EPID technology and Intel® SDO services will enable customers to deploy their IoT systems safely and quickly.”

On the IoT platform side, providers gain a broader array of devices that can be onboarded in mass quantities by non-security technicians who just need to power on the device.

“We’re happy to see the work Intel is doing with the Intel® Secure Device Onboard service and EPID, which helps improve security in the industry,” said Sam George, Partner Director, Azure Internet of Things. “We recently announced the Azure IoT Hub Device Provisioning Services for secure and fast cloud-scale device provisioning and are partnering with Intel to enable the Azure IoT Hub Device Provisioning Services and the Intel Secure Device Onboard Service to work together seamlessly for SDO-enabled devices.”

IoT device distribution and supply chains also benefit from the seeding of Intel® EPID in the device. Today, as devices change ownership, the bill of lading and other paper-based tracking methods are slow and disconnected from the device activation process. Intel® SDO delivers a set of digital signing tools for the distribution chain that work with Intel® EPID to prove device ownership to the IOT platform dynamically, in real time.  This process will facilitate the integration to a number of services, including device provenance into blockchains.

Consider what happens when onboarding devices involved with time sensitive transactions or price sensitive commodities. For example, oil could be transacted and metered in a connected supply chain where all parties have a vested interest to record volume, place, and price data. Intel® SDO enabled meters and devices could onboard to an industry-neutral exchange ledger to record the transaction and relay onboarded device data to customer-operated platforms.

This is one reason why we plan to evolve Intel® SDO onboarding capabilities to leverage our recent investments in blockchain technology. With that alternative trust model, an SDO-enabled device could query the blockchain to find the device owner, and ownership could be programmatically reassigned to an authorized use.

The possibilities are exciting. Intel® SDO has arrived at an opportune moment for the IoT industry, which has been awash with headlines of hacks and threatened government regulations. With Intel® SDO, deploying billions of devices securely just got simpler.

I invite you to read my colleague Jennifer Gilburg’s blog post on our solution, and read more about how Intel® SDO will dramatically change the IoT landscape

For more complete information about compiler optimizations, see our Optimization Notice.