It’s not just the IP in one chip that’s vulnerable. It’s also the IP in low-cost devices that can connect to that chip.
The world is being flooded with Internet-enabled devices, from smart toothbrushes to smart appliances to smart aircraft, and everything in between. Some of this is expected to be connected to the Internet, and some has been for quite some time. But devices such as smart toothbrushes and smart socks pose a whole new challenge.
The issue is that even low-end chips need some sort of IP, but if they contain third-party IP they are a potential entry vector for exploitation. With expensive or extremely high-volume devices, there is no question that the best security available will be included. Trying to protect the inexpensive stuff is another matter because vendors cannot, or will not, pay for it. Even the simplest cryptography solution can cost more than the chip it is designed to secure, which makes adding a basic cryptographic layer around the chip in a pair of smart socks quite a challenge.
Securing IP at any level has ramifications. The IP in military aircraft, for example, needs to be hardened. For that market, every precaution will be taken to make sure that no one, or thing, can compromise the chips or the IP. These are the high-value type of targets and hackers—think governments or organized criminal networks—will commit serious resources to hack them. That warrants added expense and effort.
The IP in a pair of smart socks is another matter. It clearly isn’t a high-value target in itself, but it can be the doorway to other high-value targets. And there lies the foundation for a growing debate. From the sock vendor’s standpoint, it’s the system manager who is liable for protecting the system. From the consumer standpoint, it’s both. The chain is only as strong as its weakest link, and if that link is a smart sock, then it has just as much significance as the television or set-top box in a home network.
“From our vantage point the IoT/IoE is broken down into four areas—the end device, data collection, the network and the data center,” said Mike Gianfagna, vice president of marketing at eSilicon. “There has been a lot of build-out in the data center and the network. Those pieces have been focused on security for a long time and everyone understands what it takes to be secure. The other two, which involve the devices and the data collection, are much more vulnerable, and historically they have not been that important to protect. That’s changing. People are now looking at how you can hack into a pacemaker or a hearing aid, and right now there is not a lot of protection. As an ASIC supplier we’re constantly evaluating new IP, and that’s expanding to security IP. But there is also the IP itself. How do you know malicious code has not been inserted? And when you output that IP to the foundry, there are a lot of hands that touch this.”
This creates new challenges for chipmakers, and can create uneasiness between suppliers and customers throughout the supply chain. There has been much written about who is liable if something goes wrong. In general, most of the liability associated with IP falls on the general contractor—the chipmaker, the device manufacturer, and the system vendor. But with security, problems can crop up months if not years later, and in a highly connected IoE world issues can be caused by unrelated devices that didn’t even exist when a device was designed and the IP within that device was selected.
That raises some interesting questions about liability, which in the IP world has always come down to the end user license agreement (EULA). “Basically, an EULA is just a contract, between a provider and end-user,” said Jonathan Kaplan, an IP attorney based in Portland, Ore. “And freedom to contract is very broad.”
So broad, in fact, that IP licensing has withstood years of finger pointing and legal challenges. That also appears to be the direction that services will go, as well, at least until there is some experience gained with upcoming legal and technical issues.
While layers of software security have varied effectiveness, with the voluminous amounts of data that the IoE is going to channel, that effectiveness will be increasingly strained. “There are significant issues around software, open source, and IP in the semiconductor space that are going to get a lot more complicated over the next few years,” notes Paul Kocher, president and chief scientist for Rambus‘ Cryptography Research Division. “Once you start putting security requirements into devices, you have a lot of critical software that will need to be produced by companies that have security expertise. That is not the conventional way that software gets written.”
The issue is not so much that software can’t do a decent job. But to be effective requires tremendous resources, and it requires expertise that takes time to develop.
In a recent story in the Wall Street Journal, Brian Dye, Symantec’s senior vice president for information security, said antivirus protection is effective on about 45% of cyberattacks. Many software experts view antivirus software as necessary but insufficient for many applications.
Software-based security is good for higher-level application and bounded networks, but it’s far less effective at the lower, simple-device layer where computation power is at a minimum and physical chip resources (memory) are scarce. For these limited-resource devices, the best solution is cryptography IP in the chip.
At the cloud level, in contrast, there is plenty of room for adding that kind of security because compute and storage resources are much more readily available. Symantec, for one, is targeting embedded security, with signing as a service, to ensure IoE devices are running only authorized code. That may well be a model of things to come.
The model for building IP already is beginning to shift. All of the major CPU vendors have described to partners how they have architected security and how to utilize those features effectively. That represents something of a seismic shift for companies, and much of it is happening in preparation for a groundswell caused by the IoT/IoE. In an analyst briefing this week, Ruediger Stroh, executive vice president at NXP, said there will be 30 billion devices online by 2020 and an additional 1 billion consumers online.
While predictions vary greatly from one vendor to the next, all agree the number of devices will be huge, and so will the demands on vendors to find way to provide secure devices at all levels. Even for the less critical stuff, just grinding out IP for handling non-secure tasks is going to change because of the fact that what was once just a local device handling local tasks, is now going to be Internet enabled. That means that putting the same IP blocks in every piece of hardware will not continue.
“There are a lot more compromise points,” said eSilicon’s Gianfagna. “You can’t assume semiconductor IP will do exactly what you expect it to do. Once you hand it off to the mask shop, you’re getting GDSII from multiple sources in one place.”
The importance of IP will expand significantly in this case, for a variety of reasons. “It will be updated frequently and managed constantly,” said Rambus’ Kocher. “To have a device that is minimally secure doesn’t add that much to the cost of the product. A dime, maybe, plus a bit of up-front engineering costs is about what it would take to engineer a device that will be acceptably secure over its lifespan. But I don’t believe, on this new frontier, that there is any way you can succeeded without spending some money on security.”
How that security gets amortized varies greatly, depending on the IP. With ARM’s TrustZone, for example, the IP is amortized across the cost of billions of processor cores. The company has taken a similar approach with its secure mbed software. But there are many other IP blocks that need to be secured, as well, and all of that security has to work together and separately.
There is some open-source software available for this segment, as well. And while that offers a lower up-front cost, increasingly the cost of security is management and updates.
To become a serious player in the brave new world of the IoE, security will have to be owned for the lifespan of the device. It doesn’t matter if it is a sock, a TV, a car, or a private jet. Obviously, some lifetimes will be longer than others, but for whatever the lifespan, security will have to be held.
“One of the fundamental, unanswered questions is the value proposition for putting the various device on line at net positive or negative,” notes Kocher. “The security risks go up with complexity, but generally functionality does not. Doubling the processors in a mobile device will not double the functionality or performance. But it will increase the security requirements.”
This is a complicated landscape, and it will become increasingly complex over the next decade as security moves from a bolt-on afterthought to the level of architectural planning, where IP choices may depend upon a track record for breaches and vendor support over time. None of this has been well defined yet, but it will have to be in the near future.