Experts at the table, part 2: Mirai, Shodan, and where the holes are in security; establishing a chain of trust from a solid root; how to future-proof security.
Semiconductor Engineering sat down to discuss security issues with Asaf Shen, vice president of marketing for security IP in ARM’s Systems & Software Group; Timothy Dry, principal staff marketing manager for the Industrial IoT segment at GlobalFoundries; Chowdary Yanamadala, senior vice president of business development at ChaoLogix; and Eric Sivertson, CEO of Quantum Trace. What follows are excerpts of this discussion. To view part one, click here.
SE: Do we have a handle on what needs to be done to secure connected devices?
Dry: With the Mirai attacks, there was security in place. But there is an education process that isn’t being followed. Is it fair to say they were not secure? Maybe.
Sivertson: People were possibly lazy, too. They don’t want to do security. It’s hard. I love my Apple watch and my Apple laptop. I open it up, I twist my watch, and I don’t have to log in. I hate passwords. Most people do. I don’t like it when my bank says I have to update my password. But I would bet almost everyone has at least one password that is at least five years old. It’s the ease of things that the bad guys take advantage of. We have to make security better and easier for the consumer.
SE: Shodan is an interesting search engine because it tells you all the devices that are connected and, potentially, which ones are not secure. So in that context, how do you build a chain of trust if all the pieces aren’t secure or if people aren’t using them properly or effectively?
Sivertson: You’ve probably heard of the term, ‘Make your mark,’ which is thousands of years old. It’s the root of trademark. Today, in the electronic world, we have to rely on a cryptographic key put into a device as a root of trust. That is not working very well. The root of trust is where you start, and where you get that initial signature that tells us we can rely on this device and that it hasn’t been tampered with or cloned, or that it isn’t tricking us. Once we establish that root, now we go through the layers of manufacturers that are involved. The foundry has a role. They can tell you that it’s not a counterfeit chip. They made that chip and they stand behind it. They need to be able to give you that next level of trust. Then the IP vendors, which includes ARM and companies ChaoLogix and Quantum come in. You need to be sure the IP that’s working on that chip is trusted. and then, as a company such as Renesas starts to put together a complete SoC, they need to be able to give you the trust in what they’ve done. And finally, as the operating system and application guys put their software on, they need to access that trust, as well. That chain of trust will become very critical. You really need to go down to the root as a starting point, but anywhere along that path can be compromised. This approach has been proven to work in the enterprise model, and it will work for IoT. But it has to start at the core as unclonable and trustable.
Yanamadala: There are two aspects. One is securing the chain of trust, which does start with hardware-based security, and you need to address this in the hardware design and manufacturing stages as early as possible. That’s a key requirement. And then there is this aspect of future-proofing, because something will always go wrong. Having the ability to update and revoke code belonging to different stakeholders is a key component in repairing and updating things. The Mirai source code was published and well-known, but a lot of these devices could not be updated.
Shen: This root of trust literally is the kernel around which the entire security system will be spun. It is something that cannot be inserted later. It is a hardware solution. This has to happen in the architecture phase. It’s very important to weave security into the fabric of the design rather than making it a bolt-on solution. It’s going to be very difficult to establish a root of trust afterward.
Sivertson: That’s the problem today. If you look at smart cards and SIM modules, those are the most trusted entities out there. Now that the U.S. is moving to it, the attacks are starting to come at the smart card level because ultimately that trust is only found with a key that got programmed into the card. Once you find that key, you can make 100 cards identical and go 100 times to empty out the same guy’s bank account. If you don’t have a foundation you can build on—something that is unclonable so it can’t be modified or tricked—then you potentially run into trillions of cloned devices. That’s why this chain of trust down to a really solid root is critical. If you don’t get that right, you can’t get that future-proofed, or secure enough where someone is trying to compromise one link in a chain.
Yanamadala: You can establish a root of trust and then a chain a trust, but that has to be secured all along. It’s not enough to just establish a root or chain of trust. You can start with an unclonable ID. But as the key is processed, the chain can be broken. They go hand in hand.
SE: As we start connecting more devices and add more capabilities, they cross what traditionally were vertical market lines. What is secure in one area may not be as secure in an adjoining market. How do you deal with that?
Dry: That’s one of the promises of IoT, which is enabling new business models across adjacent verticals. It’s standards-based. If these things interoperate with each other, then they should be able to leverage across at the same level of security as you would expect.
Yanamadala: It’s about learning. Not everything has to be reinvented. Mobility is one example. Smart cards are another. A lot of the components of the security challenge have been solved. There are things we can learn from verticals where there is more mature security. What is secure enough in IoT is not secure enough in a financial application. But what was secure in 2014 will not be secure enough in 2017.
Dry: It’s cost-based, as well. Smart meters adopted some of the concepts from the smart card market. But if you look at the U.S. electric smart meter, the total average selling price was about $50 to $80, depending on the feature set. Adding a secure element would have bumped up their cost by about $1, but there was a lot of pushback. So instead, most of the vendors opted for software security early on. They’re still waiting for security to be added into MCUs with on-chip security modules and other nice anti-tamper features. There was some government intervention, as well. The regulatory agencies are mostly adhering to guidelines set by NIST (NIST 7628), so when they drive for a solution, it’s standards-based and well-proven.
Shen: When you look at verticals and you analyze the use cases, this is the extension between usability and security. You identify the assets, the factors that are relevant, and the mitigation means. And you try to keep that balance. Once this device is all of a sudden tied to different use cases, it’s no longer the same analysis. That could make it more vulnerable because the attack vector might be different due to the value of these assets.
SE: If there is progress here, you’d be hard pressed to prove it. There are so many attacks and breaches these days that no one is even reporting them anymore. And there is another piece in this, namely the supply chain. How do we secure that and make sure what’s supposed to be in devices is actually there?
Dry: Having secure processes and being able to show that and be audited on that has been in place for some time around smart cards and with the military and defense. It’s regulated by ISO 14508, which lists out all the processes. There is also X.509 certificate handling and provisioning by distributors. Avnet is going that as part of the Renesas Smart Element supply chain. That’s one aspect, which is tracking who has the keys and how the keys are injected. The other big breakthrough is for each side to have its own unique ID. And then, to some extent, there are guards at the gate. It is a physical thing, as well.
Sivertson: The technologies that are used today on your signing of the code and what is going to be the functionality of that chip and the IP packages is critical. But you’ve got to have the rood of trust to do the signing. Ultimately, if we can know the pedigree of the devices and the code and the firmware that’s running on them, then that starts to fix the problem. There are very few IP companies today that are being forced to sign their IP. That’s one of the first steps, and it can help a lot.
Dry: The EDA companies are also in this space, looking at and tracking the authenticity of IP and making sure they’re authenticated, as well, so there are no Trojan horses.
IoT Security Risks Grow (part 1)
Side-channel attacks, botnets, ransomware all loom as attacks become more sophisticated on connected devices.
Making Secure Chips For IoT Devices
Technology is improving, but so is awareness about the need for security.
Side-Channel Attacks Make Devices Vulnerable
The number and type of attack vectors are increasing as more of the world becomes connected and vulnerable to hackers.