Grappling With IoT Security

By Ed Sperling & Ernest Worthman

As the IoT begins to take shape, the security implications of connecting devices and systems to the Internet and what needs to be done to secure them are coming into focus, as well.

There is growing consensus across the semiconductor industry that many potential security holes remain, with new ones surfacing all the time. But there also is widespread recognition that these problems need to be solved at every level, beginning at the architectural stage.

By all accounts this is a multi-dimensional problem, involving the entire software stack as well as how data moves through hardware and from one system to another. Yet it’s also an evolving problem with many unanswered questions. It isn’t clear yet is how all of the pieces will fit together, what can be carried forward from previous designs, and how that will change as devices are assembled quickly for new market segments that didn’t exist in the past.

“IoT issues are becoming clearer year by year,” said Frankwell Lin, CEO of Andes Technology. “In particular, you have to be able to prevent hacking. People are noticing that now.”

For one thing, data breaches are becoming more sophisticated. The recent breach of the SWIFT system, which is used by 3,000 banks to send payment orders, has raised new questions about what is good enough and how long it will remain good enough. And with IoT devices on the horizon that have never been tested before—some of which may be designed to last for a decade or more—threat levels in some areas range from vague to completely unknown.

“With the IoT you can build any device for any market, but the device that wins will be the secure one,” said Jen-Tai Hsu, vice president of engineering at Kilopass . “Power is the most important factor today, but soon it will be security.”

That opinion increasingly is shared across the semiconductor ecosystem. This is partly due to the fact that systems vendors are writing specifications for their suppliers that include security. It’s also partly because software and hardware IP vendors recognize that something has to be done if they are to be successful in the future.

“Existing architectures are prone to attack,” said Zach Shelby, vice president of IoT marketing at ARM. “So is the channel between the device and the Internet. This needs to be dealt with at every level, from secure manufacturing to key rotation to efficient crypto. With every system you need to look at end-to-end security.”

Shelby said this frequently works better with hardware than with software for many devices. “A lot of the software security developed is thrown out. But if you put it in the chip at the beginning, it stays there.”

Changes required
The problem isn’t always about security being added into chips, though. Sometimes it’s how entire systems are architected in the first place, with the threat of breaches rising as they are connected to other systems.

One of the key ways that design teams have dealt with problems in the past is to provide an entry point for test, patches, updates, remote access and many other capabilities. While these are considered advantageous for standalone devices, they can turn into system-wide vulnerabilities for a variety of devices.

There is much discussion these days about the risk of these so-called back doors, but these entry points have been designed into chips for years. Until recently they have not been considered a threat. In fact, the opposite is true. However, that mindset is changing as attackers utilize multiple ways to leverage these entry points.

A simple attack vector is to alter the hierarchical privilege rings (levels) within the architecture of the chip. By doing that, attackers can gain access to the most trusted or physical hardware of the chip, such as the CPU kernel or chip memory. Other potential attack vectors include hidden parameters or redundant interfaces and redirect; lack of separation between environments; flawed hardening, and exposed data.

The easiest method to utilize these vectors is to have the source code. If there is no direct access to code, another approach is to ride in on the patch mechanism. Over-the-air patching is an increasingly popular way to update, fix bug, and alter programming in the field, both for the manufacturer, and the hacker. It’s also potentially the most vulnerable because it is done wirelessly. And considering the massive deployment of IoT devices over the next few years, most of which will likely require patching of some sort, at some point, that is an attractive new avenue for hackers.

None of this is happening in a vacuum, of course. Patching techniques are becoming more closely guarded by chip manufacturers. Those who understand the security implications of over-the-air chip access typically use a public key for that process, while safeguarding the private key to access the chip.

This kind of over-the-air updating is critical in markets where all possible use cases, conflicts, and security holes are not known at the time products are released. While most chipmakers are used to hardware corner cases, systems vendors are dealing with corner cases that frequently are a combination of hardware, software and interactions with the outside world—some of which are developed after a product is already in the market.

Those updates have been common for years in computers and smart phones, where they are characterized as bug fixes, security patches or feature updates. But increasingly they are being use in markets that have little experience with them. Tesla owners see regular updates to their software and firmware when they plug in their cars, and other automakers are wrestling with similar updating schemes. The challenge for cars is that they have to stay current for much longer than a mobile phone or a computer because they’re going to be in use for up to five times longer. (See chart below)

Source: Compilation of data from IHS, U.S. Department of Transportation, European Automobile Manufacturers Association and Statista.

Nor is this trend limited to automobiles. In the home market, appliance makers are looking to boost prices with new features. But if those features become obsolete within a couple years, consumers will wait as long as possible to make expensive new purchases. That’s not a good business model for tech companies, and the simplest way to solve that is by utilizing over-the-air updates based on architectures that can be easily updated.

“With the IoT, you may have to consider how often the fridge gets an update from the Internet,” said Gordon Allan, product manager at Mentor Graphics. “So you can validate the design with a secure check, but you also have to make sure there is no crossover inside the design. That requires identifying which parts are the most vulnerable and making sure you can avoid side-channel attacks.”

One approach is essentially to air-gap the critical functions, while allowing updates to non-critical features. But that also makes it harder to leverage existing designs by just adding connectivity. That’s a typical scenario for improving the usefulness of commercial machinery. But unlike the information technology world, in these markets there is no history of connectivity and no established IoT ecosystem.

“In the cloud, there is a history of key management and analytics and over-the-wire device upgrades that can happen in a secure way,” said Philip Strong, CEO of Zymbit. “That’s not the case in the commercial world. They need the same kinds of authentication, time-stamping, encryption and key management. The approach is that they will standardize later because a lot of the hardware is low cost. But the real value is in the data stream.”

Triggering
Updating devices requires trigger codes. To successfully hide a trigger it takes two floating point registers, 2*80 bits (160), as the input. Assuming these are fired off a specific pair of values, this is good enough to prevent random discovery. If there is concern that this is too easy to discover, and someone may stumble across the entry point by accident or brute force, the CPU can check more than the two normal input registers.

Firing off this trigger can be done a couple of ways. The best way is to use native code. If that isn’t possible, another option is to use a JavaScript engine to emit a floating add (fadd) and trigger it. but if that call is patched in it will become noticeably slower. A third alternative is to create a trigger through JavaScript by patching a repeat string operation with some manipulation that can set up the particular “key” followed by a block copy.

However, the easiest is simply to get a copy of the design. If this entry point is covertly implanted, whoever is responsible will likely have that code. With that it becomes easy to use debug logic triggers, or performance counters. This way, the it can be set to fire and open the back door when an arbitrary JavaScript is run.

Once a vulnerability is discovered and triggered, it can be accessed. Generally, all one has to do is find a port to open. There are several ways to do this. One way is to scan ports in the system. Many devices have unused port numbers that are not likely to be used in normal operation. All the hacker has to do is find one that isn’t secure. The port can then be used to send a command to the device or chip, or to commandeer it.

Another way to access a system is to use “stale” devices or systems. A stale device is one that is not used or monitored regularly. Often these have weak encryption, as well. These can be surveillance systems, for example, that do nothing except monitor and report. Such encroachments come in without leaving any footprints, so generally no one is even aware that the system is being compromised.

Nothing is 100% safe
“There is no way to make a chip bulletproof,” says Richard Newell, senior principal product architect for the SoC Products Group at Microsemi. However, security can be made much more effective and harder to crack with a good understanding of the risks. The best approach is to keep the entire production process, from design to general availability, under tight scrutiny. That is done with trusted elements from the design team to the foundry. However, that is a rather difficult avenue to take in a very competitive market, especially where security is still not as valuable a criterion as it should be.

Next on that list is detection. If the production ecosystem cannot be verified, the next best approach is detection. This methodology can be implemented in various places in the production process, from the gate level to post-fabrication, and it can be done using a variety of existing tools such as .

“Formal deals quite well with propagation of information through a device,” said Dave Kelf, vice president of marketing at OneSpin Solutions. “If you have a secret key, you can run a simulator and propagate a stimulus through a device on every signal the key goes through. This is a big database. Basically what you’re doing is looking at the key and all of its outputs, and the formal tool figures out where there are potential problems.”

A third approach is concealment — making entry points invisible to attackers, or making them look like something else. Techniques such as power resets, data obfuscation, sequence manipulation, and signature cloaking are the most common.

All of these techniques help, but none of them is completely effective by itself or even in combination with others. If the target has enough value it can be compromised. The challenge is to put enough barriers in enough places so the return on investment for breaches is no longer sufficient to warrant the effort. But as the IoT rolls out in more markets and more devices are connected, there is no simple formula for balancing new threats against the need to keep products current and connected. There simply aren’t enough data points.

The good news is that awareness is rising. The bad news is that the number of new threats is rising, as well, and it will take time to assess and manage all of this as the IoT continues to unfold.

Related Stories
Unexpected Security Holes As more things are connected, security holes are showing up in places no one considered.
The Race To Secure The Car Connectivity and complexity are raising concerns about safety and reliability.
Battle Looms Over Mobile Payments Host card emulation and secure element are vying for the instant payment market. Much is at stake.