Progress is being made in some areas, but as complexity increases so does risk.
There are many different opinions about how the Internet of Things/Internet of Everything ultimately will look, who is best positioned to take advantage of it, and how processing will be split between local devices, the cloud, and everything in between. But there is almost universal agreement on one point: It’s not secure enough.
“In the past, there wasn’t a lot of attack surface,” said Zach Shelby, vice president of marketing for the Internet of Things at ARM. Speaking on a panel discussion chaired by Kevin Krewell, principal analyst at Tirias Research, Shelby said we need to hit the reset button. “The IP and embedded systems we’ve developed are now exposed to hundreds of millions of devices. All the stuff that was never designed for the Internet is now exposed.”
But even where security is available, systems companies don’t necessarily take advantage of it. “We need to convince customers to do any security,” said Eduardo Montanez, senior systems architect for microcontrollers atFreescale. “We need to establish a level of trust so you get the product only to do what it is intended to do.” He said that requires better control of downloads, the addition of cryptography, and physical tamper resistance.”
And that’s just scratching the surface. Paul Kocher, president and chief scientist for Rambus‘ Cryptography Research Division, said software bugs are being created faster than they’re being fixed. “We need to build the foundation for more complexity and protocols in hardware. If you look at what’s being done in payment systems, there is work on areas where we can succeed. We’re looking at technology in 9 billion chips produced every year. There is more complexity, more devices and more information.”
Complexity is one of the big challenges. The more complex the chip, the harder it is to debug everything and figure out where are the biggest vulnerabilities. On the flip side of that, the more complex the security, the less likely it is to be implemented.
“One of the keys is not to make it overly complex for the end user,” said Montanez. “If you look at smart door locks that are controlled by your phone, you want that all to happen quickly. You need to pay attention to security and performance needs.”
Who pays for security?
Another big challenge is cost, particularly for components and IP in a device.
“People say they want security, but they don’t want to pay for it,” said Kocher. “We had to wait for Moore’s Law to make chips cheap enough to put into many of these devices so there could be a reduction in cost. That’s not the same with a secure factory versus an insecure factory. You have to look at what are your losses if you screw up.”
In some cases, those costs are justifiable. “You pay for it now or you pay for it later,” said Shelby. “Not only is it more affordable, but it has to be in there.”
There is some difference of opinion about which had security first—a CPU or an MCU or even a GPU—as well as which one is more secure today. But the reality is that all vendors are looking at security now in main processing elements of a chip and in the embedded code within them. The big question here is whether that will be enough.
“There will still be bugs,” said Kocher. “Some products are in the field for 10 to 15 years or more. But if you look at Microsoft, which has a lot of experience in this, if they can’t keep XP going for 15 years, then how are we doing to develop products that are supposed to be out there for 30 years? It’s a very hard problem to solve. If all you’re doing is adding a bunch more software into a device, you will be in for a rude surprise a few years down the road.”
Kocher noted that it’s not unusual to find several hundred bugs in any product. “If we had credible testing, it would reject every single product. Finding bugs is really hard.”
What’s important to note is that despite an almost universal concern about the security of connected devices, some chips are more secure than others and some IP is more secure than other IP.
“It’s gotten to the point with flash RAM where, given the die size, you can build reasonable security,” said Shelby. “The costs have gone way down, and if you look at it from a cost and volume standpoint, you can do asymmetric security in software if you have to. That’s very affordable. Internet efficiency is another matter, and we are seeing efficiency problems there with low bandwidth and meshes that are being bound by TLS (transport layer security) and asymmetric crypto. We need to optimize the spec. Right now, that’s not about hardware. It’s bandwidth efficiency.”
Kocher disagreed. “Performance isn’t really the problem. In pharmaceuticals there was a period early in that industry’s history where you could create any compound and sell it to people. That didn’t work out too well. There was a period where airplanes were the same. No matter what, though, if the next product is more complex, you have more security issues. If you have a mobile phone with twice as many CPUs, the risk increases. The risk is that if consumers perceive less value in more complicated devices, the technology industry will stall. If people make more purchasing decisions around risk, is an IoT device more valuable than a non-connected one?”
And Shelby disagreed back. “The Web has changed our world forever. Is there a black side to this? Absolutely. But there’s also an upside. If you look at improvements in agriculture, today we’re wasting less water and energy and growing more food. Will some people get hacked? Yes. Things always get attacked because there is money there. But if there is so little info on a device, it’s probably not worth hacking.”
Montanez, meanwhile, boiled it down to three questions. “What are you trying to protect, who’s trying to protect it, and how are you trying to protect it?”
As with all things on the IoE, experiences will vary greatly by market, by device, by region, and by usage—and all of that will vary greatly over time.