It’s now an accepted fact that consumers rarely buy products solely for their security features. It is the user experience which attracts them and often drives purchasing decisions. More often than not, the product that has great features and a really slick mobile app will win out over the competitor that has equally good (or even better) features, but an unfriendly / difficult app. The beneficiary of securing something is the service provider – they protect brand reputation and gain control over devices accessing their services. The user is blissfully ignorant of the security details and assumes that the device will just “be secure”.
So, let’s look at an example. Last week, while in the US attending Arm Techcon 2017, I took the plunge and bought myself a drone. Choosing which one to buy was down to the features and price; Could it do HD video? How long is the flight time? Would it fit in my suitcase for the journey home? Do I care about whether the app or the drone itself is secure? Yes, but I expect that and any relevant details are lost in the noise, as I am just focusing on the features that I want.
Back in the hotel, I prepare for the maiden drone flight. I clear the flight path, download the mobile app that lets me fly the drone, register an account, connect to the drone’s wifi, scan the QR code on the box… Error! – “No network connection”. I realise that my mobile’s not set up for data roaming, so my new drone can’t be registered with the back-end system. It’s getting late, so flight aborted. Something to try later when I get back home.
To be fair, the user experience is slick – these are all things that I would expect to have to do. But I’m left wondering if it could be better. If the drone was manufactured with a secure root of trust, then couldn’t it just automatically register itself with the back-end system on power up? No QR code or registration phase would be required. If there was a secure OS both on the drone and on my mobile phone, then couldn’t these two devices automatically trust each other? In which case, it would be a simple pairing process for the user.
Trustonic has been securing mobile devices with its Trusted Execution Environment, Kinibi, since the days of the Samsung S3 and this is now present in well over a billion mobile devices. With Kinibi-M, Trustonic is extending its security expertise to secure IoT devices.
