No one knows exactly what the Internet of Things will look like in five years, but forecasters predict more than 20 billion devices will be connected, and Trustonic is sure fraudsters will come along for the ride.
U.K.-based Trustonic is planning to counter that fraud trend by creating a hardware security approach for IoT devices based on a "trusted execution environment" (TEE) that works like a fortress to protect sensitive data from the mass of ever-evolving threats to software from intrusions and malware.
The concept builds on the idea that payment credentials and other sensitive and confidential information must be protected within devices at their core—much in the way the secure element shields payment details inside an iPhone. But unlike the secure element model, Trustonic's TEE approach is designed to enable third-party access at any moment, while keeping data secure.
Targeting an expanding market of device manufacturers, service providers and app developers, Trustonic aims to monetize its services by supporting everything from simple, highly secure authentication methods including biometrics to managing tokens for high-value transactions, according to Andy Ramsden, Trustonic’s product marketing director.
The main challenge—and it's a big one—is that Trustonic has to be foundational to every device it supports, with TEE built into each device at the factory level.
To ramp up, Trustonic for the last four years has been working with device manufacturers including Sony, Samsung and LG to embed its TEE technology within tens of millions of smartphones, recently hitting a milestone of a billion devices. In addition to handsets, Trustonic is already embedding its technology in smartwatches with Samsung Gear, televisions via the Amazon Fire and certain auto manufacturers the company declines to disclose.
“We’ve laid a strong foundation with smartphones, and now we’re moving to the IoT, connected cars and machine-to-machine arenas,” Ramsden said.
Trustonic is hoping its investment will pay off as device makers find reasons to add secure payments to existing objects. While it's a speculative move, Trustonic says it has an edge because it's the only TEE permitting third-party apps to be provisioned after devices have been deployed, which will become a critical advantage for IoT devices that may have long lifespans and multiple users.
Banks, retailers and other organizations using Trustonic's TEE may beam sensitive data to handsets or other devices with secure keys protected by the TEE that could prevent a movie from being pirated or keep healthcare data safe from exposure, opening up rich commercial opportunities for device makers and digital applications, Ramsden said.
Trustonic has its work cut out, Ramsden concedes, as its business model largely depends on anticipating needs that haven’t fully materialized and footing the cost of adding security to third-party equipment.
Provisioning applications when devices are already out in the market also introduces some complexity; typically a Trusted Application Manager (TAM) is required to access the TEE, but it's much simpler than the third-party systems needed to provision devices with an embedded secure element, according to Ramsden.
“We see a big future in providing the security for services offered by banks, government [and] enterprises across the IoT and for anyone else selling content like music or video, including studios and mobile network operators on devices after they’re deployed,” Ramsden said.
Analysts agree that some form of embedded, future-proof security will likely become essential for the IoT, especially in devices like major appliances, vehicles and equipment. Amazon is already working with appliance makers to put its Dash purchasing system into dishwashers and laundry machines, for example.
"One of the challenges of the IoT is the lifecycle of the connected devices could be much longer than traditional technologies like smartphones," said Thad Peterson, a senior analyst with Aite Group. "A connected device could be functioning for a decade or more if it's in a major appliance or embedded in an industrial setting. There's no way to know how fraud will evolve, but it's certain to be present and a powerful, future-proof security capability will be core for devices connected to the IoT."
Trustonic's business model isn't a simple one. Manufacturers contribute to the cost of adding Trustonic’s TEE to handsets—Samsung uses it for the Knox security built into all of its Galaxy handsets—but Trustonic foots most of the bill, anticipating future revenue from licensing its services to a broad range of device makers, application developers and other organizations marketing content and data.
A current business for Trustonic is marketing its TEE services for banks and others looking to enhance security for Host Card Emulation (HCE)-based mobile payments, by combining its hardware approach with software.
"TEE security makes solutions like HCE much more resilient than software solutions alone could ever be, and it meets all the requirements needed for a tokenized payment solution such as HCE," Ramsden said.
Trustonic may be operating in a market that hasn't fully evolved yet, but Ramsden predicts it will soon be commonplace for smart devices to rely on hybrid hardware and software solutions.
"The battle against fraud is ongoing, and when you consider the future need for constant software refreshes to stay ahead of the latest threats, the TEE approach may be simpler than many other routes," Ramsden said.