When you’re deploying thousands of connected devices in a smart city or an industrial operation for an internet of things (IoT) installation over a low power wide area (LPWAN) network, attempting to configure each and every single device for connectivity will be costly and time consuming. To lower the entry barrier for large-scale rollouts, the cost of deploying IoT endpoints and configuring their connectivity therefore becomes an important consideration.
That’s because there’s significant complexity in an IoT network, with no universal way of connecting devices to the network. It’s very different to connecting handsets to a mobile network, which most people are used to. In essence, three main vectors differentiate IoT devices from mobile handsets: there are many more original equipment manufacturers (OEMs) producing the devices, there are hundreds of different applications rather than just one, and there are many different silicon vendors’ chips in the endpoint devices.
This massive fragmentation is not very conducive to low-cost mass-market devices, and classical connectivity management technologies such as the (e)SIM are too expensive for high-volume deployment, too limited in their configuration capabilities, and even consume too much battery power.
One solution to enable out-of-the-box connectivity for IoT devices is to move the SIM functionality from the physical SIM card directly to the chipset. This approach is specifically suitable for low-cost devices in mobile IoT applications with a long life-span, such as asset trackers or smart motion or temperature sensors. An integrated SIM provides a minimum hardware and software footprint for cost-efficient implementations with minimal power consumption. It also brings simplicity as well as cost and time savings along the IoT value chain.
For device manufacturers, the benefits are many. There are more versatile design options available because of the smaller package size and extended battery life. There is also no need for SIM logistics and IoT service providers can use a simple digital process to implement the operator's credentials onto the device during manufacturing.
This digital provisioning of credentials is based on a Root of Trust (RoT), which is the core of a device’s unique identity in an IoT network and can be enabled without any user interaction – also known as ‘zero-touch provisioning’. The same RoT can also then be used to automatically provision non-cellular network credentials for LoRaWAN, long range Wi-Fi, BLE (Bluetooth Low Energy) and other connectivity methods.
The RoT is essential not just for network credential verification, but as the foundation for ensuring a device is secure throughout its lifecycle on the network – from deployment, to being in service, and until its end of life, when its credentials must be removed to avoid potential future security breaches.
How to realize zero-touch connectivity for IoT devices
So how can this zero-touch RoT-based provisioning be enabled for thousands of IoT devices quickly and cost-effectively? The answer is a system such as Secure Deploy, which manages the seeding of the RoT at product development and manufacturing, and also manages the ‘secure key’ infrastructure across all stakeholders and throughout the product lifecycle in an IoT network.
Secure Thingz and IAR Systems provide the ability to define a flexible RoT at the beginning when an IoT device’s firmware is in development, and this also includes support for connectivity options such as integrated SIM. With the Embedded Trust tool, a multi-purpose RoT can be defined according to the IoT device’s requirements.
In the next stage, during device production, this RoT can be seeded in millions of devices, with the necessary authentication credentials for cellular and non-cellular networks also provisioned, using a tool such as Secure Deploy. Secure Deploy also enables in-field provisioning of authentication credentials based on the RoT, which is initialized with cryptographic keys provided by Secure Deploy.
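The lifecycle described above (seed one RoT per device at manufacturing, derive per-network credentials from it, authenticate the device without user interaction, then remove the credentials at end of life) as an added, simplified model; it is not Secure Thingz, IAR or Secure Deploy code, and the HKDF-based derivation, the challenge-response exchange and all names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def hkdf_expand(prk: bytes, info: bytes, length: int = 16) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256; the RoT seed is used directly as PRK."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def network_key(seed: bytes, device_id: str, network: str) -> bytes:
    """One RoT seed yields an independent credential per network (cellular, LoRaWAN, BLE)."""
    return hkdf_expand(seed, f"{device_id}/{network}".encode())

class Device:
    """Device side: stores only the seed; every credential is derived when needed (assumed design)."""
    def __init__(self, device_id: str, seed: bytes) -> None:
        self.device_id = device_id
        self._seed = seed  # written once on the production line, never exported

    def respond(self, network: str, challenge: bytes) -> bytes:
        if self._seed is None:
            raise RuntimeError("device has been decommissioned")
        key = network_key(self._seed, self.device_id, network)
        return hmac.new(key, challenge, hashlib.sha256).digest()

    def decommission(self) -> None:
        self._seed = None  # end of life: wipe the RoT so nothing can be derived again

class KeyServer:
    """Operator side: holds per-device seeds and verifies a challenge-response (assumed design)."""
    def __init__(self) -> None:
        self._seeds: dict[str, bytes] = {}

    def seed_device(self, device_id: str) -> Device:  # manufacturing step
        self._seeds[device_id] = secrets.token_bytes(32)
        return Device(device_id, self._seeds[device_id])

    def authenticate(self, device: Device, network: str) -> bool:  # zero-touch network join
        seed = self._seeds.get(device.device_id)
        if seed is None:
            return False  # revoked or never enrolled
        challenge = secrets.token_bytes(16)
        expected = hmac.new(network_key(seed, device.device_id, network), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, device.respond(network, challenge))

    def revoke(self, device_id: str) -> None:  # end of life on the operator side
        self._seeds.pop(device_id, None)
```

Because each network credential is derived from the single seed with a distinct label, compromising one network's key does not reveal the others, and wiping the seed invalidates all of them at once.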