On this episode of the IoT For All Podcast, Ryan Chacon is joined by Crypto Quantique’s Founder and CEO, Shahram Mossayebi, to discuss the evolution and future of IoT security. They open the podcast with a high-level overview of the current IoT landscape then Shahram gives advice on how to approach security and overcome common roadblocks in the industry. He then goes into greater detail about protecting yourself in the IoT journey, how root of trust works, and where he sees the future of IoT security heading. Ryan and Shahram wrap up the podcast with a conversation about how this niche has changed during the pandemic.
Before founding Crypto Quantique, Shahram worked as a self-employed cybersecurity consultant and security solutions architect at CyNation, a risk management company. Of his current role, he says, “After years working in the cybersecurity industry, I have seen how companies are continually choosing between expensive and complex security or highly scaled systems without meaningful protection. Recognizing the need for a holistic solution that is easy-to-use at scale yet delivers robust and reliable security for everything from connected cars to high-end consumer goods, I founded Crypto Quantique.” Shahram, who lives in London, holds an MSc in Information Security and a Ph.D. in Post-Quantum Cryptography, both from Royal Holloway, University of London.
Interested in connecting with Shahram? Reach out on Linkedin!
About Crypto Quantique
Crypto Quantique is a London-based company with a scalable architecture for quickly and securely connecting IoT devices to the cloud. Their architecture has two complementary, but independent elements QDID, a hardware IP that generates random, unique, unforgeable identities and cryptographic keys on-demand in silicon, and QuarkLink, a universal IoT security platform for connecting devices to in-house or cloud servers.
Key Questions and Topics from this Episode:
(01:39) Introduction to Shahram and Crypto Quantique
(03:09) Founding Story
(05:15) Current IoT security landscape
(07:34) Advice on IoT security
(09:50) Roadblocks to adoption
(13:15) Protecting yourself in the IoT journey
(16:32) Root of trust
(18:16) Future of IoT security
(20:05) Changes in security during the pandemic
Transcript:
– [Voice over] You are listening to the “IoT For All” Media Network.
– [Ryan] Hello everyone. And welcome to another episode of the IoT For All Podcast, the number one publication and resource for the internet of things. I’m your host, Ryan Chacon. If you are watching this on YouTube, we’d really appreciate it if you would like this video and subscribe to our channel. If you’re listening to us on a podcast directory, please be sure to subscribe, to get the latest episodes as soon as they are out. On today’s episode, we have Shahram Mossayebi, the CEO and Co-Founder of Crypto Quantique. They are a company that is building a very secure end-to-end IoT security platform, helping with building and making available a scalable architecture to quickly and securely connect IoT devices to the cloud. Very interesting company. The conversation I had was fantastic. I think you need a lot of value out of it. We cover everything from IoT security opportunities, problems with IoT ecosystem at the moment, what can be done, how could people be thinking about that kind of stuff, and what companies need to do to protect themselves on security front and explaining what root-of-trust means, what PKI means and why these are often hard to create. So a lot of stuff around security in this conversation, I definitely employ as you check out Crypto Quantique, see what they’re doing. It’s very interesting and fast unique company. I think you’ll get a lot of value, like I said, but before we get into this… If any of you out there are looking to enter the fast growing and profitable IoT market, but don’t know where to start, check out our sponsor Leverege. Leverege’s IoT solutions development platform provides everything you need to create turnkey IoT products that you can white label and resell under your own brand. To learn more go to iotchangeseverything.com, that’s iotchangeseverything.com. And without further ado, please enjoy this episode of the IoT For All Podcast. Welcome Shahram, to the IoT For All Podcast. Thanks for being here this week.
– [Shahram] Hi Ryan. Thanks for having me.
– [Ryan] Absolutely looking forward to this conversation. I love it if you could just kick us off by having do a quick introduction about yourself to our audience.
– [Shahram] Sure. I’m Shahram Mossayebi, Co-founder and CEO of Crypto Quantique. Crypto Quantique is an IoT security company based in London. We are now six years old, about 40 people.
– [Ryan] Fantastic. Tell us a little bit more about the company, kind of, what does Crypto Quantique do? Yeah.
– [Shahram] Okay, so basically what we do is securing the connected world with zero trust, By connected world we mean anything that is connected from sensors to connected vehicles or industrial things. By zero trust we mean, if today, the end users or the OEM wants to achieve end to end security for the connected devices, they need to work with multiple players on the supply chain. And because of that, they need to deal with a lot of complexities costs and trust issues. We’re taking all of that away, making it very simple to have a unified security from the device all the way to the cloud side. And by doing so with reducing the cost and lowering their risk.
– [Ryan] Fantastic. And I love it because it’s not every guest that I have on here is also the founder of their company. Tell us a little bit more about the history of the company coming into existence, the opportunity you saw to start the company and kind of the journey.
– [Shahram] Sure. So my background is in physics and after I graduated, I started working as a software developer and that’s how I was introduced to security aspect of things and cryptography, which was fascinating to me. So I did a master degree in cryptography at University of London. And then towards the end of it, I came across quantum cryptography and seemed like the destiny for me coming from physics and cryptography. So I was lucky enough to be offered a PhD position at University of London. After graduating graduation, I started to work as a cyber security consultant, and that’s how I actually came about understanding real world problem when it comes to security, which kind of led into, okay, try to do something new and on my own and starting having ideas of how quantum technologies have cryptography, how hardware software security can come together to solve real world problems. And IoT was around the corner back in 2016, all these big hacks started to surface in the industry from Mirai attack to Jeep getting hacked, et cetera, et cetera. So it was keep coming. And for me was well, starting learning about why that is happening, kind of realizing all of it is happening because there is no real end-to-end security inside those devices. So anyone could basically communicate with those devices, which was the main problem. So, yeah. So that’s how about I went about founding Crypto Quantique.
– [Ryan] That’s fantastic. Appreciate you kinda sharing that with us. So let’s talk about IoT security for a second and high-level, how do you kind of view the current IoT security landscape and the general just IoT security opportunity that kind of exists for companies like yours?
– [Shahram] Okay. Let’s take it a little bit at the higher level. Let’s add a little bit of a business to it. So Mackenzie predicted that the IoT market value will be up to $12 trillion by 2030. So obviously there’s this huge opportunity out there. There’s a caveat to it though. So in reality, scaling IoT is not easy. It’s time consuming, it’s difficult, it’s costly. And it’s kind of discouraging people, to actually deploy at a scale. When you look inside the main problems at the heart of it, there are like four things which are kind of all around somehow security. One is for instance, when you want to do an IoT project, there’s a lot of IT work that needs to be done and system integration that needs to be taken care of. You’re dealing with now edge security compared to the traditional enterprise security. So it’s a little bit different. Some seemingly a straightforward task such as secure connectivity in reality is actually very complex to get it done. Interoperability previously of the data. These bits are current challenges that are still exist around IoT and haven’t been solved. And the reason is ecosystem is very, very fragmented and no one really owns those problems to solve it. And there is no unified solution out there that the OEM or the end user says, okay, if I integrate this by design into my product, then I’m done. I can just now focus on creating value from my IoT rather than concentrating on how to deploy.
– [Ryan] Absolutely. When we’ve talked about security in the past, it’s been a very interesting conversation. There’s many different kind of thoughts and approaches to how security is implemented and how it’s thought about, but from your perspective, what general advice do you have for companies out there who are starting to venture down that security conversation? Because obviously it’s never too early to get the security element kind of in place and be thinking about it, but just from a general sense, how do you… What advice do you have for companies out there that are starting to kind of go down that security path, starting to talk about it and maybe work with partners on how to kind of sort it out?
– [Shahram] Yeah. So I’m gonna answer this with somehow also trying to tell your audience how those problems can be solved. I guess, for an OEM or device manufacturer who try to build an IoT device, the question is how to trust the ecosystem or how to trust the device. If you have a way to trust your device that you are supposed to build, and then if you can automate that trusted relationship with the device between all the parties involved in manufacturing deployment, and then value creation on the IoT side, you basically are able to solve those problems and then be able to deploy at the scale. How do you trust the device? By exploiting unforgeable identity inside the device. Unforgeable identity is something that comes from the DNA of the device. Is unique to that device, is unforgeable as the name suggests, is unpredictable, is unknown to everyone, and in-cryptographically provable. So you can use it as a trust anchor to the device and then to build that trusted relationship. So the first step as a OEM, as a user of the IoT, is to look inside your device to ask your semiconductor company, do you have an unforgeable identity inside the MCU or inside the secure element that you’re selling me that is supposed to go to my IoT device? That’s basically the first system.
– [Ryan] Gotcha. Okay, fantastic. Now, when you all kinda look at the market and kind of see how things are going in the IoT ecosystem in general, what do you see as the biggest problems that kind of exist right now, the biggest roadblocks to adoption, and what do you feel like can be done to kind of solve all that?
– [Shahram] Yeah, I think it’s complexity. It’s the fact that again, no one really owns this. And if an end user OEM really wants to get this done, they need to jump through a lot of hoops. They need to pay multiple vendors. They need to connect things together and hope for the best that they’re gonna work well. And the answer to that is actually if semiconductor companies, which are the basically first step of building an IoT device provide some extra services on top of their hardware that they’re selling. So if they already integrate unforgeable identity root-of-trust into their devices, into their pieces. And then on top of that, they provide those trusted services. Those that provide that trust relationship between all the vendors involved, then these problems can be solved and they’re well actually placed. And funny enough today I’m at GSA, Global Semiconductor Alliance, and I can see that a lot of people are talking about, okay, it’s time for semiconductor industry to go one step ahead of just selling hardware. Some critical services needs to be provided by them to help the ecosystems to move forward. And this is one of them.
– [Ryan] Absolutely. Yeah. What other conversations are you seeing kind of through your travels and conversations with total customers? What are you hearing as some of the, kind of maybe more a advances or things that really are kind of becoming front and center of problems that are being solved and kind of being taken care of to help us kind of move forward in the industry?
– [Shahram] Yeah, it has been much, much better now compared to, I don’t know, like five years ago. There is a better understanding of the value of root-of-trust or unforgeable identities in the past couple of months. And in recent days, I can see that when we are talking to some conductor industry about providing that very first layer of trust for their end users, as a service, it resonates with them much, much better. They get the value they see because now the customers also asking them about those things. So it seems that the semiconductor industry is realizing that while there is this amazing opportunity around semiconductor and their market on its own is growing very fast and there is this soaring demand of chips, etcetera, et cetera. There are other opportunities around that they can unlock with minimum investment, which could help giant ecosystems, such as markets, such as IoT to also grow faster. And in turn, they also could get more revenue from those markets. So I can see that people are kind of being more receptive and being, yeah, it’s reserving with them.
– [Ryan] Absolutely. That’s fantastic. So we’ve talked about, earlier on we were talking about the kind of advice you had for companies, but just generally speaking, what should companies be doing to really protect themselves when they’re going down kind of the IoT journey that they’re on? Is it really aligning with the right partners and companies? Is there kind of a thought process internally that needs to be had? Like just generally speaking, what would do companies really need to do to protect themselves?
– [Shahram] I think the very first step, if you’re a manufacturer to build an IoT device is to don’t look at security as an afterthought. Security needs to be inside the product by design. So needs to be part of the product development, basically, rather than something that you add on later on, because now something bad happened or one of your customer wants something. Or now, because now you need, you need to be compliant to some standards. So you have to do it. You’re forced to do it basically. So security by design is the first step. You need to think about it as a piece of your product. That’s the main thing. How to do it is you basically need two main components. You need to look at root-of-trust, having unforgeable identities inside your device. And then you need to have that very first layer of trust inside your devices. So people can easily deploy and then just focus on value creation. These two by the way, are things that we do. So we have a root-of-trust called QDID and we have that piece of software and embedded tools called QuarkLink that easily unify these two things and make it easy for people to have security by design into their products. So that’s… But that’s on the manufacturing side. Now, if you’re an end user and want to just deploy and use the IoT, I guess the challenge for you is, you need to care about edge device security. And traditionally, we are only used to enterprise security, which usually is about network security and securing the assets within that network. But when you add IoT to your network, now that device is able to communicate with other services outside your enterprise network. So the device edge security becomes important. So as an end user, you need to question your vendor, whether you can easily establish an end-to-end security to any service that you want. Can you control the identity and keys inside the device? Are you able to rekey or renew the certificates inside the device? Are you as by the way, the last thing I said is required now by IEC 62443, are you able to send friend update over the air securely to your devices, which is required by California IoT Security Act. So these are the bits that you need to be aware and really question your vendor that is the device you’re selling me has these capabilities? So I don’t need to worry about these things anymore. I just deploy and focus on the other side.
– [Ryan] You mentioned root-of-trust. Can you tell us exactly what that means and kind of why that’s something to really focus on, maybe why it’s hard to create in general.
– [Shahram] So root-of-trust and unforgeable identities are being used in the same meaning, so basically are synonyms. Root-of-trust is a value inside your device that is being created through an intrinsic behavior of your device. So it’s actually coming from the fabric of the device. And because of that, if it’s done properly, there are multiple route of trust out there, whether they are really secure or not is questionable. What we do is, to generate root-of-trust, is to actually read quantum tunneling or process quantum tunneling phenomena inside Silicon to generate that root-of-trust. So it comes from some intrinsic processes inside the device that no one knows about, and no one can predict. So you are able to create these values inside your device, that then are random enough and can be used for cryptographic purposes. So later using that cryptographic purpose, you can verify the identity of your device wherever it’s in the field, without sharing any secrets with anyone about that device. So that’s the key thing about root-of-trust. So basically it’s an intrinsic value inside each device that is random and no one knows, and it allows you through some processes to verify or authenticate the device.
– [Ryan] Interesting. Okay, great. Appreciate you kind of explaining that. Where do you see the kind of future of IoT security going? Like where do you see the kind of the space moving towards and just, you know, how should we be kind of thinking about the evolution?
– [Shahram] Yeah. So I believe there is still a lot to be done on the semiconductory industry in order to provide better cryptographic features and better root-of-trusts, et cetera, et cetera. So you have better hardware security inside the parts that you buy to build your IoT device. I believe those services dashboards that we provide that first layer of trust now will be provided more and more with semiconductor companies to help their end users, to be quicker in deploying at a scale and not worry about security anymore much. And I think around the corner is post quantum cryptography. I believe in couple of years, we need to start to update our cryptographic blocks inside the hardwares. We need to start supporting cryptographic algorithms that are secure against quantum computers, something that is known as post-contact cryptography, and these standards are already getting there. So needs the standard is about to be announced that specific cryptographic algorithms should be used moving on that are kind of til now known to be secure against quantum adversaries. And that will be the next kind of version of security in the ecosystem that regardless of whether you are an IoT or anything else, if you are using any cryptographic features, you need to make sure is post quantum secure.
– [Ryan] Fantastic. Let me ask you this one question is kind of just to generally speaking, when we’re talking about kind of the state of the industry and stuff like that, did you notice any change or anything different in the security space during the pandemic and kind of how did the company kind of handle the growth or I guess, handle the situation and kind of come out of it well?
– [Shahram] Yeah, that’s a very good point. Pandemic been a horrible experience around the globe for everybody. When it comes to technology though, actually I think it did good, ironically. I think pandemic made a lot of people to think smarter when it comes to IoT to actually deploy IoT in full meaning of IoT. To realize the value of connectivity and value of being able to control their environment and their devices remotely, which basically means IoT. And obviously at the bottom line was, oh, am I secure in doing so, so then you brought up the kind of create more colorful environment around security challenges and make people to properly think about how to get things done securely. So I think IoT ecosystem and IoT applications grown suddenly in the past two years from digital doctors to digital medical devices, to tracking devices that track their vaccine shipments around the globe for COVID. So suddenly, we see it jump into IoT applications during the pandemic, which also brought more focus on security aspect of it.
– [Ryan] Absolutely, yeah. It was a very interesting kind of in the conversations that I’ve had over the last number of months, it’s been interesting to kind of just understand and get different perspectives on how the pandemic influenced businesses in the IoT space, not just the companies themselves, but the demand, the shift in use cases, the shift in interest in IoT. And yeah, so I was just curious, kind of from security standpoint, kind of what you all saw and what you noticed. So that’s fantastic to hear that you all been doing pretty well kind of coming out of it. And it sounds like a lot of optimism going into the future, which is great. Last thing I wanna do before we grab up here is just for audience out there who wants to learn more, follow up, kind of maybe ask some questions just generally kind of in that sense of things, what’s the best way to do that?
– [Shahram] So we have amazing whitepapers on our website. If they visit our website, cryptoquantique.com, we regularly produce good blogs on the website. You can follow us on LinkedIn and also Twitter, yeah.
– [Ryan] Fantastic. And anything exciting new coming out in the future, like in the next number of months that we should kind of keep an eye out for?
– [Shahram] Of course. I mean, we just announced a couple of very exciting partnerships. One is with Microchip. So now we have integrated our services, the whole unified end-to-end security to Microchip trust flex tool sets. So if you are using Microchip secure elements, et cetera, you could easily deploy a QuarkLink link, our software and by doing that, you don’t need to worry about key provisioning, secure firmware provisioning, firmware update rekeying, et cetera. So all of that is taken care of. We also announced recently a partnership with Andes, which are a RISC-V core provider, which is another exciting kind of environment for us. RISC-V, I believe is democratizing computing or the power of compute for everybody. And it’s kind of, I can see synergy between us because we in turn also trying to democratize security or IoT security for everyone.
– [Ryan] Right.
– [Shahram] But create something that is agnostic and is unifying all beats and pieces and give them freedom. So, yeah. So these are exciting things we will be in the embedded world on couple of our partners stands such as Renesas and STMicroelectronics. So if your listeners are around, please come check us out.
– [Ryan] Fantastic. We really appreciate your time. This has been a great conversation.
– [Shahram] Thank you.
– [Ryan] I think our audience will get a ton of value out of it. And I’d love for us to explore other ways we can do content together ’cause I think you guys have some great insights and expertise that our audience can get a lot of value from. So thanks for so much for your time and look forward to hopefully speaking again soon.
– [Shahram] Thank you so much, Ryan, for having me. Thank you.
– [Ryan] All right, everyone. Thanks again for watching that episode of the IoT For All Podcast. If you enjoyed the episode, please click the thumbs up button, subscribe to our channel, and be sure to hit the bell notification so you get the latest episodes as soon as it become available. Other than that, thanks again for watching and we’ll see you next time.