The IoT has been evolving for more than two decades and we’ve been talking about security for just as long. Security now focusses on the wireless connections and new legislation is forcing OEMs to rethink IoT development. With more protocols now in use, where does security fit in?
Personal and local area wireless networking is dominated by the IEEE 802.15 and 802.11 families of protocols. This normally presents a choice to be made, mainly because no single standard can meet all our requirements for range, power, and bit rate. Now, security must take priority in that list of requirements.
A common frequency, 2.4 GHz, makes it possible to support more than one protocol with one physical interface: the radio. This commonality at the hardware level creates opportunities for integration. The availability of multiprotocol wireless microcontrollers (MCUs) is growing. A single device that has an IEEE 802.15.4 compliant radio can, in theory, support Bluetooth, Thread, and Zigbee, as well as proprietary protocols.
The security features of most standardized wireless protocols have improved over the years in response to demand. Many of those security features are optional at implementation, so OEMs need to understand what security features their application needs, what their chosen protocol offers, and how to implement them. New legislation for IoT security will emphasise the importance of these features.
Bluetooth is arguably the most versatile and actively evolving standard in the wireless personal area network (W-PAN) portfolio. It fits alongside protocols such as Thread and Zigbee, each having its own unique advantages. Its security features have improved with every release of the core specification.
More recently, Matter has emerged as a common layer to provide greater interoperability between devices designed for different ecosystems. Matter targets the smart appliance industry, making it simpler and more secure to onboard new devices to an existing network. Matter runs over Thread and Wi-Fi, but Matter devices use Bluetooth during the device commissioning phase to discover and join a network.
The introduction of Matter, in response to a real need, is a perfect example of why modern connected devices need multiprotocol MCUs. Wireless networks need to become more tolerant of different protocols. This goes beyond coexisting in the same part of the radio frequency spectrum. It means creating networks able to use different protocols when communicating.
With limited power budgets, space, weight, and cost, it is important to choose a multiprotocol device that can deliver as much as possible in a single, highly integrated, low-power solution. And in today’s connected environment, the need for security at the chip level has never been more important.
Adding security to wireless connectivity
Unlike some protocols, Bluetooth was conceived as a replacement to cable connections, so it has always offered flexibility in its application. It quickly became the standard for audio peripherals when mobile handsets became ubiquitous and this, in some ways, has defined its development. But at its core, Bluetooth is a low power wireless communications solution that can be applied in many ways.
Version 5.4 of the core specification brought four major enhancements, making Bluetooth even more useful in W-PAN applications. These were:
- Periodic Advertising with Responses (PAwR)
- Encrypted Advertising Data
- LE GATT Security Level Characteristic
- Advertising Coding Selection
At a high level, each of these enhancements adds greater flexibility and convenience with improved security.
For multiprotocol MCUs, like the STM32WBA5 Series form STMicroelectronics, Bluetooth is only one of the wireless protocols supported. Bringing the same level of security to all wireless transmissions requires dedicated hardware.
An integrated hardware element provides the foundation for security, on which all other features can build. This foundation is called a root of trust (RoT). A RoT is responsible for verifying other components, including hardware and software, in a system. The integrity of those devices and their authenticity is checked by the RoT, which is normally itself a hardware element that has been designed to be tamper-proof and protected against cyberattack.
The European Union’s Radio Equipment Directive (RED) and forthcoming Cyber Resilience Act (CRA) stipulate the measures manufacturers must go to, to have their products placed onto market in the EU. In addition, all RF equipment must also comply with specific articles in the Cyber Resilience Law as of August 2025.
Compliance will be mandatory, but it is not yet clear how to achieve that. What is clear is that hardware elements certified to industry standards for security will be essential. The Security Evaluation Standard for IoT Platforms (SESIP) is seen as an interpretation of the Common Criteria for Information Technology Security Evaluation, for IoT devices. SESIP is a European standard (EN 17927) and recognized across the European market.
The hardware elements in the STM32WBA54 and STM32WBA55 wireless MCUs lines have been designed to enable OEMs to certify their IoT devices to SESIP Level 3. This will align with the requirements of the US Cyber Trust Mark and the EU RED/CRA.
Certification to SESIP Level 3 involves independent assessment and a vulnerability analysis. The assessing body looks for ways into the device, known as attack paths. The independent lab will have access to the source code of the RoT firmware and full documentation of the underlying hardware.
The STM32WBA series from STMicroelectronics are the first wireless MCUs in the market to be assessed and awarded with SESIP Level 3 certification. Developing products using a SESIP Level 3 certified wireless MCU means the end product will more easily achieve RED and CRA requirements as they become mandatory. As the MCU is the primary vulnerability in connected devices, it means the OEM can confidently apply for the same level of certification for the end product.
Hardware Root of Trust
The STM32WBA5 series is a based on the Arm Cortex-M33 core with TrustZone. The Armv8- M extension supports secure and non-secure states. The core has four boot modes, including RSS (root security services). These services are embedded into the device’s flash memory during ST production. Each device also has a unique 96-bit identification and certificate.
Two AES (advanced encryption standard) hardware accelerators are integrated: secure advanced encryption standard (SAES) and AES. Both can be used to encrypt and decrypt data using the AES algorithm. The AES supports a 256-bit software key held in the key registers, while the SAES also supports derived hardware unique key (DHUK), boot hardware key (BHK) and exclusive-OR of DHUK and BHK.
Other secure hardware features include a public key accelerator, HASH hardware accelerator, and a true random number generator. They also include a cyclic redundancy check calculation unit. The devices are also protected against differential power analysis and related side-channel attacks.
Conclusion
The cost of poor security in the IoT continues to make headlines. New legislation around the world aims to correct the direction of travel, putting pressure on OEMs to implement resilient security measures.
In conjunction, there is a trend toward using more wireless protocols, which could possibly increase the attack paths. Adding security measures that protect all physical interfaces is now critical.
OEMs should look for certified solutions that offer greater flexibility in the wireless protocols used while simultaneously increasing the security of the underlying platforms. The STM32WBA5 series from ST is the first wireless MCU to meet the SESPIP Level 3 certification requirements and offers multiprotocol capability.
The post How multiprotocol devices with increased security are changing the IoT appeared first on IoT Business News.
