Inside Microsoft’s Azure Sphere hardware for secure IoT

As more and more smart devices are deployed, securing and managing them becomes more and more important

Become An Insider

Sign up now and get FREE access to hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content. Learn more.

It sounds like the set up for a bad joke: What do a cricket bat and a coffee machine have in common? The answer is, at least after exploring the recent Microsoft Build show floor, Azure Sphere, Microsoft’s secure IoT platform that mixes silicon and software.

We’re all aware how insecure the internet of things can be: Much of the hardware and software in use has minimal protections, and there are many cases of devices hard-coding login credentials and exposing services on the public internet; even hosting massive botnets that have taken down key internet infrastructure. As more and more smart devices are deployed, securing and managing them becomes more and more important, reducing the risk to enterprises and to the wider world.

Securing the IoT microcontroller

Building on Microsoft Research’s Project Sopris, Azure Sphere goes beyond Sopris’s silicon to deliver a three-part solution: a secure microcontroller, a managed device operating system, and a cloud service. It’s an essential combination; you can’t have a secure IoT platform with out all three elements. Miss one, and the result is unstable, and like a two-legged stool is easy to topple.

The initial release of Azure Sphere is based around a secured microcontroller, being developed with Mediatek. Built around a three-core MT3620 microcontroller, the first-generation Azure Sphere hardware has a primary ARM Cortex A7 core for the Sphere OS, and two Cortex M4 cores for handling controller operations.

A fourth Cortex M4F core is the heart of the Pluton security subsystem, which gives the Azure Sphere board a managed hardware route of trust that can monitor the operation of the rest of the microcontroller and ensure that it’s protected from tampering and from side-channel attacks. The security subsystem also offers secure boot capabilities, implementing security configurations in a one-time programmable e-fuse block.

To continue reading this article register now