IoT Security – implementing high assurance boot (HAB) for devices using API Management

Ecolab is a global leader in chemical manufacturing, providing water, hygiene, and infection prevention solutions to customers across more than 40 industries. The company combines science-based solutions, data-driven insights, and world-class service to help customers protect people and vital resources. With a strong history of innovation and a global sales-and-service force, Ecolab delivers personalized consultation to improve operational efficiency, product quality, and customer safety in over 170 countries.

Strategic Challenge

Our customer is a leading provider of IoT solutions for various industries, such as manufacturing, healthcare, and smart cities. They wanted to protect their devices from unauthorized firmware modifications, malware attacks, and data breaches. They also wanted to have a centralized and scalable way of managing the device configuration, updates, and security policies.

How We Deliver Value

We ensure IoT devices remain secure through verified firmware and encrypted communication, preventing unauthorized access and breaches. Our centralized, cloud-based management portal streamlines device updates, monitoring, and policy enforcement at scale.

Our Expertise

  • IoT device security
  • Firmware verification (Variscite HAB)
  • Azure API Management
  • Centralized device monitoring
  • Scalable cloud architecture

The solution

We designed and implemented a secure boot solution for the customer’s devices using Variscite HAB and Azure API Management. Variscite HAB is a feature that verifies the authenticity and integrity of the device firmware before booting. It uses cryptographic signatures and encryption keys to prevent unauthorized or tampered firmware from running on the device. Azure API Management is a cloud service that enables us to create, publish, and manage APIs for the devices. It also provides security features such as authentication, authorization, rate limiting, and logging.

The solution consists of the following components:

  • Device: The device is based on the Variscite DART-6UL system on module (SoM), which supports HAB. The device firmware consists of two parts: the bootloader and the application. The bootloader is responsible for initializing the hardware, verifying the application signature, and loading the application into memory. The application is responsible for performing the device functionality, such as sensing, processing, and communicating data. The device firmware is signed with a private key that is stored securely in an external trusted platform module (TPM) chip. The device also has a unique device identifier (UDID) that is used to authenticate with the API.
  • API: The API is hosted on Azure API Management and exposes endpoints for device registration, configuration, updates, and commands. The API requires the device to present its UDID and a valid certificate to access the endpoints. The certificate is issued by a trusted certificate authority (CA) that is managed by Azure Key Vault. The API also validates the device firmware version and applies security policies based on the device type, location, and status. The API uses Azure Storage to store the device configuration details, such as encryption keys, firmware versions, and security settings.
  • Portal: The portal is a web application that allows the customer to monitor and manage their devices from a single dashboard. The portal uses Azure Active Directory (AAD) to authenticate the users and Azure App Service to host the web app. The portal communicates with the API to retrieve and update the device information. The portal also allows the customer to generate reports, alerts, and notifications based on the device data.
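
The API bullet above describes gating requests on the device's UDID, its certificate, and its firmware version. The sketch below is an added example, not the project's own code, showing one way such an admission decision could be written. It assumes the TLS layer has already validated the certificate chain and that the certificate subject carries the UDID; the endpoint path, device types, and version floors are hypothetical.

```python
# Added example: per-request admission decision an API gateway could make.
# All names, paths and version floors below are hypothetical.
from dataclasses import dataclass

# Constructed policy: minimum firmware version allowed per device type.
MIN_FIRMWARE = {"sensor": "1.10.0", "gateway": "2.3.1"}
# Endpoints a device on outdated firmware may still reach, so it can update.
UPDATE_ONLY = {"/devices/updates"}

@dataclass
class DeviceRequest:
    udid: str          # identifier the device claims in the request
    cert_subject: str  # CN of the client certificate, after chain validation
    device_type: str
    firmware: str      # dotted version string reported by the device
    status: str        # registry status, e.g. "active" or "revoked"
    path: str

def parse_version(text):
    """Parse 'major.minor.patch' into a tuple of ints; reject anything else."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)

def admit(req):
    """Return (allowed, reason) for one request."""
    # Bind the claimed UDID to the certificate so one device cannot
    # present a valid certificate while claiming another device's identity.
    if req.udid != req.cert_subject:
        return False, "udid_cert_mismatch"
    if req.status != "active":
        return False, "device_not_active"
    floor = MIN_FIRMWARE.get(req.device_type)
    if floor is None:
        return False, "unknown_device_type"  # fail closed
    try:
        current = parse_version(req.firmware)
    except ValueError:
        return False, "malformed_firmware_version"
    # Compare numerically: as strings, "1.9.0" would sort above "1.10.0".
    if current < parse_version(floor):
        if req.path in UPDATE_ONLY:
            return True, "outdated_update_only"
        return False, "firmware_below_minimum"
    return True, "ok"
```

Returning a reason code with every decision gives the API's logging a field that alerts can key on, for example repeated `udid_cert_mismatch` results from one certificate.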

The benefits

By implementing this solution, we helped our customer achieve the following benefits:

  • Enhanced security: The solution ensures that only authorized and verified firmware can run on the devices, preventing malicious attacks and data breaches. The solution also encrypts the device data and communication using strong encryption algorithms and keys.
  • Centralized management: The solution enables the customer to manage their devices from a single portal, reducing operational complexity and costs. The solution also allows the customer to apply consistent security policies and updates across their devices.
  • Scalability: The solution leverages Azure’s cloud services to scale up or down according to the customer’s needs. The solution also supports multiple device types and models with minimal changes.

Conclusion

We successfully delivered a secure boot solution for our customer’s IoT devices using Variscite HAB and Azure API Management, demonstrating our expertise in IoT security, cloud computing, and API development. We also established a long-term relationship with our customer by providing ongoing support and maintenance for their devices.
