First in a special report series: Security is no longer just a software problem. It’s is now a combined hardware, software and networking issue—and a much, much harder problem to solve.
In just the past year, tens of millions of Target store customers had their customer and credit card records stolen, The New York Times and The Wall Street Journal were hacked, Adobe software had a security breach, Yahoo! was infected with malware, and Snapchat was hit with a bug that exposed user phone numbers. And this was just what was reported in the mainstream media. The threat, it turns out, is much bigger, more persistent, and much costlier.
The Ponemon Institute conducted a study in 2013 of 60 organizations and concluded the average cost per year of cyber crime for 60 organizations was $11.6 million per year each, up 30% from $8.9 million in 2012. Companies surveyed had an average of two successful attacks per week. McAfee, which sells security software, surveyed a number of reports that put the price tag as high as $400 billion per year.
There are studies that dispute these numbers, too. A report from Microsoft Research casts doubt on the statistics showing just how costly the problem has become. The bottom line is that most experts agree there is a serious threat, but there is no simple way to calculate the actual cost. And even if there was agreement, that’s only what’s reported. The most successful cyber crimes and cyber espionage aren’t discovered for months or years after they occur.
Semiconductor Engineering conducted its own study over the past three months involving 25 in-depth interviews with experts at universities, research houses, security firms, chipmakers and tools vendors. We also scoured dozens of technical papers and industry reports. The goal was to assess the risk from a technological standpoint and to understand whether and how the threat is growing. We also looked at the effectiveness of existing and future approaches, and the potential opportunities for improvement. While there are many facets to security, the reasons we are facing these threats in the first place can be boiled down into three basic areas:
Capability is the technical ability of thieves to hack sophisticated, secured systems, and it has emerged as one of the great ironies of the past decade. In university computer science departments around the globe a huge emphasis has been placed on curricula that deal with solving thorny hardware and software issues such as multiprocessing, parallel programming and, more recently, improving the energy efficiency of software running on hardware to increase battery life. Almost in lock step with that, what began as a wholly software-based threat has now crossed physical boundaries. It’s well known that hacking has progressed from egotistical mischief makers who get their thrills from breaking into school or government computers to software-savvy organized crime rings. What’s not as obvious is those crime rings are now expanding to include semiconductor engineers with detailed knowledge of both. And along with this growing expertise is the electrical engineering discipline to systematically dissect chips with the help of grinders, probes, and even scanning electron microscopes to find the weakest points of entry.
“We’re finding new pieces of malware that we’ve never seen before,” said Tiffany Strauchs Rad, senior security researcher and a member of the Global Research and Analysis Team at Kaspersky Lab—the company that discovered the Stuxnet virus, which was used to attack Iranian nuclear centrifuges. “We’ve seen this in financial malware. But we’re also seeing it in industrial control systems with programmable logic controllers.”
That trend is corroborated by the U.S. Dept. Of Homeland Security. In a report issued last spring by the agency’s Industrial Control Systems Cyber Emergency Response Team investigated last year, there were more than 200 incidents involving critical infrastructure sectors.
What’s also becoming evident is that software isn’t necessarily the easiest point of entry anymore, particularly for thieves who also understand hardware. Rad’s independent research tested out this theory with a home security system. Rather than spending time trying to gain access through the secure network, which historically has been the primary target and which has been relatively well defended, the Kaspersky team gained immediate and easy access through the firmware on a floodlight motion detector. This used to be the work of spy agencies, but increasingly it’s ordinary criminals carrying out these breaches.
“There are people with labs in their kitchens and garages where they remove the cover over the chips, remove a port and pull out the firmware,” Rad said. “This isn’t just nation states doing this stuff anymore. We took a basic coffee maker and were able to turn it on and off using a laptop even though it wasn’t designed to be part of a network. And we did this for only $100.”
Always on, always connected
Adding to the threat is that more and more devices are always on and always connected. A car parked in a closed garage may download software in the middle of the night. Smart meters communicate with utilities at all hours. And an insulin pump patch can receive wireless signals to determine how much insulin to dispense based upon real-time monitoring.
In a widely quoted interview with CBS’ 60 Minutes, former Vice President Dick Cheney said he had the wireless feature on his pacemaker/defibrillator disabled because he feared that terrorists might try to kill him. The question isn’t what these devices are connected to. It’s what else are they connected to? Being always on and always connected was a great step forward for mobile devices. Even within the past couple of years cell phone coverage has improved to the point where there are far fewer dropped calls, and LTE has allowed a free flow of data across heterogeneous networks. But being able to stay connected also means that everything else can stay connected, as well, both for good and bad reasons, using a variety of means.
Security always has been focused on limiting the number of inroads into important data. It’s no different than using a single door to secure a building, or a single network access to secure a network. Heterogeneous connectivity, and particularly heterogeneous wireless connectivity, is like adding more doors and opening all the windows in a building.
“It’s absolutely true that the level of exposure goes up as things get networked,” said Chris Rowen, a Cadence fellow. “And wireless connections are the hardest to secure because there is no physical limit.”
The Internet of Things has raised the possibility of hacking systems to a new level, and that problem gets magnified by the economic model of what makes electronics so consumer-friendly—the cost. Being able to mass produce devices, and to assemble them from many mass-produced components, has been the driving force behind Moore’s Law, the increasing amount of electronics in everything from cars to medical devices, and the increasing affordability of staying connected. But common components carry a hidden cost, as well.
“If every object ran a different OS and had a different security you would not have a problem because no one device alone is worth hacking,” said Rowen. “This is why PCs have been hacked so much more frequently than Apple Macs. PCs have a monoculture. Macs historically were more rare, so most groups never bothered with them.”
Security also depends on hiding important data, often in parts of a chip that are restricted by permissions. “Who would think to attack a copy machine?” asked David Doughty, director of security engineering at Intel. “But it happens. As things are more and more connected, there are more points of entry.”
Doughty, like many others in this field, said he is constantly amazed by the creativity of cyber criminals, but it’s also getting harder to track. “If you have billions of devices generating data, that’s an incredible amount of data.”
The other side of complexity
Which leads to the next issue—complexity. Perhaps the greatest challenge comes in the form of an SoC that involves hundreds or even thousands of IP blocks and up to several billion gates. Just being able to get a chip of this complexity to function is hard enough. Having to track all the possible signal paths in and out of the hardware, firmware, and embedded software is a nearly impossible task.
“The bigger picture is that you’re integrating a multitude of parts and you don’t always know what you’re getting,” said Bernard Murphy, chief technology officer at Atrenta. “Trojan circuitry is still viewed as a theoretical problem on ASICs because at this point there is no smoking gun. But could we even find it today? Maybe.”
And even where all the IP is from legitimate vendors or even internally developed, keeping out the bad guys is much more difficult the more complex the design.
“Nothing is bulletproof,” said Hayden Povey, director of marketing for security at ARM. “We talk about the Stuxnet virus, and there’s not a problem with governments doing what they need to do to protect their national interests. What’s much scarier is that Stuxnet has been found and dissected, and a lot of information has been released on the Internet. So you can take the payload out of it and replace it with something else, and the virus carrier is still there. With the Internet of Things we will need much better security. We will need keys and key derivations so that each device is unique. That at least can limit the damage. The problem comes from when one size fits all. Server security is the weakest link in this chain. A lot of servers have strong periphery security, but what happens when someone is inside the system?”
—Jesse Allen, staff researcher, contributed to this report.