Securing Your Connected Devices with Winbond's W74M Product Family

By WPG Americas, September 7, 2017

This article was originally authored by Fely Krewell, Business Development Manager at Winbond.

According to Gartner, there will be 50 billion (or more) connected IoT objects by 2020, all made possible using today’s mobile and computing technologies.  This presents an exciting opportunity for the electronics industry, but the biggest challenge and number one concern is security. Lack of trust or weak security in these IoT objects will inhibit the adoption and slow down the growth of the IoT industry.

Strong security is accomplished through both software and hardware.  The overall system security strength is a result of how many security services the system addresses and its ability to resist known security attacks or threats.  Security technologies built deep into hardware are less vulnerable to attacks.

Types of Security Services or Properties

Confidentiality, Integrity, Availability, Access Control (Authentication, Authorization), Attribution, Accountability, Audit, Attestation, Non-repudiation, Anonymity

Types of Security Attacks and Threats

Confidential Breach, Integrity Breach, Availability Breach, Authentication Breach, Privacy Breach, Anonymity Breach, Insider Threats, HW Attacks, SW Attacks, Side-channel Attacks

Using strong security design methods, like a military-grade system that requires all security services and countermeasures against security threats, will add cost and tends to have a negative impact on system performance.  Many IoT edge and gateway devices are cost sensitive, and most of these devices do not need military-grade security. An IoT designer’s challenge is deciding how many security services to add while remaining within budget.

For decades, standard flash memory has been playing a role in hardware security.  Flash memory enables secure boot with its non-volatility and data retention capability.  The use of the flash sector or block protection feature adds insurance towards data integrity.  Data confidentiality can be accomplished when the stored data is encrypted and the encryption process is managed by the host processor or microcontroller.  Flash memory provides multiple sets of 256 bytes in the flash registers, which are One Time Programmable (OTP) by the end user.  The OTP sets are often used for storing manufacturers’ unique private keys to enable authorized access.  Most notably, Flash memory allows in-field code updates.

The latest security feature of Winbond W74M devices involves a multi-layer authentication process before accessing and executing code stored in the serial flash. Authentication is performed as needed and is initiated by the host.  IoT devices using standard serial flash can easily upgrade their system security using the same footprint, with minimal cost increase.

Winbond’s W74M product family comes with a standard keyed-hash message authentication code (HMAC) SHA-256 crypto accelerator, four separate sets of 256-bit OTP Root Key storage, 256-bit volatile HMAC Key storage and a nonvolatile 32-bit storage area for the Monotonic Counter (MC) values. Multi-layer authentication is accomplished with a “Challenge and Response” routine that involves the secret root key, a session key and the updated MC value. Each W74M12F can provide the Authentication security service for up to 4 different hosts or systems.

The W74M devices are available in densities ranging from 32 megabit to 256 megabit and use the same space efficient packages as conventional serial flash devices. 


Part Number


256 Megabit: WSON 8x6

128 Megabit: 8-Pin SOIC, 208 mil

64 Megabit: 8-Pin SOIC, 208 mil

32 Megabit: 8-Pin SOIC, 208 mil

Winbond’s Authentication flash memory product family is ideal for system designs requiring Authentication and Integrity security properties.  The W74M devices can also prevent Replay Attacks, an example of an Integrity Breach, and Counterfeiting of devices or systems in the field, with minimum cost impact.
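The following is an added example, not code from Winbond or from the original article: a simplified Python model of the challenge-and-response routine described above, showing why binding the HMAC to a fresh challenge and the updated monotonic counter defeats replayed responses and counterfeit parts. The class names, the session-key derivation and the message layout are assumptions made for illustration and do not reproduce the W74M command set.

```python
import hashlib, hmac, os, struct

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class AuthFlashModel:
    """Device side: OTP root key, volatile session key, 32-bit monotonic counter."""
    def __init__(self, root_key: bytes):
        self._root_key = root_key      # written once, never read back by the host
        self._session_key = None       # volatile: lost on power cycle
        self.counter = 0               # nonvolatile, only ever increases
    def start_session(self, key_data: bytes) -> None:
        self._session_key = mac(self._root_key, key_data)  # assumed derivation
    def respond(self, challenge: bytes):
        if self._session_key is None or self.counter == 0xFFFFFFFF:
            raise RuntimeError("no session key or counter exhausted")
        self.counter += 1
        msg = challenge + struct.pack(">I", self.counter)  # assumed layout
        return self.counter, mac(self._session_key, msg)

class Host:
    """Host side: shares the root key, remembers the last counter it accepted."""
    def __init__(self, root_key: bytes, key_data: bytes):
        self._session_key = mac(root_key, key_data)
        self.last_counter = 0
    def verify(self, challenge: bytes, counter: int, tag: bytes) -> bool:
        expected = mac(self._session_key, challenge + struct.pack(">I", counter))
        if not hmac.compare_digest(expected, tag):
            return False               # wrong key, or tag bound to another challenge
        if counter <= self.last_counter:
            return False               # stale counter value: replayed response
        self.last_counter = counter
        return True

def demo() -> dict:
    root, key_data = os.urandom(32), os.urandom(4)   # constructed sample secrets
    flash, host = AuthFlashModel(root), Host(root, key_data)
    flash.start_session(key_data)
    c1, c2 = os.urandom(16), os.urandom(16)
    n1, t1 = flash.respond(c1)
    results = {"genuine": host.verify(c1, n1, t1)}
    results["replay_same_challenge"] = host.verify(c1, n1, t1)
    results["replay_new_challenge"] = host.verify(os.urandom(16), n1, t1)
    clone = AuthFlashModel(os.urandom(32))            # counterfeit: wrong root key
    clone.start_session(key_data)
    results["counterfeit"] = host.verify(c2, *clone.respond(c2))
    return results

if __name__ == "__main__":
    print(demo())
```

Only the first, genuine response is accepted; both replay attempts and the counterfeit part are rejected.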

For more information about Winbond’s W74M product family, please contact a WPG Americas Specialist.