Manufacturers are paying more attention to security, but it’s not clear whether that’s enough.
Adding security into chip design is becoming more prevalent as more devices are connected to the Internet, but it’s not clear whether that is enough to offset an explosion in connected “things.”
Security concerns have been growing for the past half-decade, starting with a rash of high-profile attacks on retail establishments, hotel membership clubs, and Equifax, one of the three top credit-checking agencies in the United States. There also was the 2016 Mirai botnet attack on Dyn, and breaches of the U.S. election system. And more recently, hardware vulnerabilities were made public starting last year by Google Project Zero with Meltdown, Spectre and Foreshadow.
Given the headlines, this might appear to be a disastrous turn for electronics. Behind the scenes, though, there does appear to be real progress. More devices are shipping with some security built-in, and device makers appear to be coming to grips with a strategy that not all connected devices will be secure. In effect, it’s every device for itself, and that may be the best strategy going forward.
“It all starts with awareness and the grim headlines,” said Helena Handschuh, fellow in Rambus’ Cryptography Research Division. “Understanding what’s happening helps with awareness. Now the question is how we evolve that so that we can build systems that are connected but secure, because there are more and more connected systems.”
That represents a big strategy shift, because the moment a secure device is connected to the Internet there is a direct connection to that device through non-secure devices.
“We need more end-point security,” said Handschuh. “If you look at the PC industry and networking, there are ways to detect security issues and then try to mitigate them after that. No matter how good your security, eventually something will go wrong.”
So rather than putting security around everything, each device needs to respond appropriately and individually.
“If I say I have unique IP to all these connected services and want to connect to multiple services, I am just increasing the attack surface,” said Philippe Dubois, senior director and general manager of IoT security solutions at NXP. “Each entry point should have some connectivity and some level of security.”
Dubois said that some of NXP’s customers use tablet computers on the factory floor to configure robots. “The biggest robot was worth several million dollars,” he said. “You don’t want anyone to take control of it, so we made sure we had a secure communication and control between the robot and the tablet because they both have assets to protect.”
Shifting attitudes
One of the big changes is the recognition that something has to be done, and that change has been particularly noticeable over the past year. While most consumers don’t want to pay extra for security, the risk to manufacturers is a growing concern. And liability laws, particularly in Europe, are becoming a serious threat to companies failing to implement best practices in security.
“A year ago there were companies out there that didn’t want to be educated on this,” said Andy Frame, director of business development at Arm. “They questioned why security needs to be good and why they should take it seriously because there is a performance hit. With connected cameras and cars that have been recalled, people are beginning to understand that these products are being recalled and they will have to replace them. Over the past year that’s started to change.”
That appears to be the general consensus among security experts. “We’re starting to see more devices that have security built into them,” said Haydn Povey, CEO of Secure Thingz. “Before, this was relatively limited. It was very high-end devices. Now we’re starting to see security come into the mainstream. We’re seeing some low-end devices come to market with security. This is happening sporadically today, but there’s a lot more behind that. There’s also legislation ahead that will help this along.”
Within the United States, California enacted a law that requires manufacturers to equip connected devices with reasonable security features to protect them from unauthorized remote access or use. In Europe, data breaches must be reported within 72 hours of a company or organization becoming aware of the breach, or the organization risks steep financial penalties. And in public companies, corporate officers also may be held personally responsible for decisions that can cause financial harm to a corporation.
“As a public listed company, there is significant pressure on the boards of directors regarding things that affect safety,” said Anthony Ambrose, president and CEO of Data I/O. “But the bigger risk is to a company’s brand name and reputation.”
Despite that risk, Ambrose said many companies still think of security as a tax. “You need to add 5% to the R&D budget to keep data from being stolen. You also have to deal with security in the supply chain and downstream. But if you do invest in security, you can protect both the brand and the data.”
Still, this hasn’t dented the cybercrime growth statistics. According to a security threat report from Symantec, the number of ransomware attacks in 2017 increased 46% versus 2016, and the number of mobile malware variants increased by 54% compared to the previous year. The company reported that as malicious coin mining evolves, “IoT devices also will be ripe targets for exploitation.”
Top among the most vulnerable home and office devices are routers, computers, and printers, according to Bitdefender.
Shifting priorities
Just adding security into a system when it is manufactured doesn’t necessarily solve the problem, particularly if those systems will be in use over the next decade or two. What is considered secure today is not likely to be secure in 5 to 10 years, and for automotive, medical and industrial applications where electronics are supposed to last for 15 to 20 years, that presents a problem.
What is necessary there is a series of updates throughout the software stack, and that creates its own set of issues.
“Quite a few things make this hard,” Eystein Stenber, CTO of Mender, said during a recent presentation. “For example, if something bad happens during that update, you don’t have physical access, or it is very expensive to get physical access in general to repair that problem. You need ways of managing failures during the update process. If you have unreliable power, if you are in the middle of the update process and power goes away, what is going to happen the next time you boot that device? Is it going to come back up or will it be in some inconsistent state? You have the network side, as well, so you can lose connectivity at any point in time. And then security of the network is one big aspect, as well. You can have someone listening to your conversation or your connection with the update server.”
Stenber said this is happening frequently when companies develop their own update technology. “They will not think too much about security,” he said. “If you are nearby one of these devices, there are examples where you can just inject whatever software update that you want and take over the device.”
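The update failure modes described above (power loss mid-write, an image injected by someone nearby) are commonly addressed by authenticating the image and writing it to an inactive slot before atomically switching the boot pointer. The following is an added example, not code from Mender or from this article; the file names, the key, and the use of HMAC in place of an asymmetric signature are assumptions made to keep it self-contained.

```python
import hashlib, hmac, os, tempfile

# Constructed key; HMAC stands in for a real asymmetric signature check.
KEY = b"constructed-demo-key"

def sign(image: bytes) -> str:
    return hmac.new(KEY, image, hashlib.sha256).hexdigest()

def read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()

def durable_write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())  # data is on storage before we continue

def set_active(root: str, slot: str) -> None:
    durable_write(os.path.join(root, "boot.tmp"), slot.encode())
    os.replace(os.path.join(root, "boot.tmp"), os.path.join(root, "boot"))  # atomic

def boot_image(root: str) -> bytes:
    return read(os.path.join(root, read(os.path.join(root, "boot")).decode()))

def apply_update(root, image, tag, power_fails_after=None) -> str:
    if not hmac.compare_digest(sign(image), tag):
        return "rejected"  # unauthenticated image never reaches storage
    active = read(os.path.join(root, "boot"))
    target = os.path.join(root, "slot_b" if active == b"slot_a" else "slot_a")
    if power_fails_after is not None:  # simulate power loss mid-write
        durable_write(target, image[:power_fails_after])
        return "interrupted"  # boot pointer untouched, old slot still boots
    durable_write(target, image)
    if not hmac.compare_digest(sign(read(target)), tag):  # re-check what landed
        return "rejected"
    set_active(root, os.path.basename(target))
    return "committed"

def demo():
    with tempfile.TemporaryDirectory() as root:
        durable_write(os.path.join(root, "slot_a"), b"firmware v1")
        set_active(root, "slot_a")
        new = b"firmware v2"
        forged = apply_update(root, b"attacker image", "00" * 32)
        cut = apply_update(root, new, sign(new), power_fails_after=4)
        still_old = boot_image(root)
        ok = apply_update(root, new, sign(new))
        return forged, cut, still_old, ok, boot_image(root)
```

The running slot is never overwritten, so an interrupted or rejected update leaves the device booting the previous image.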
The goal is to have enough layers of security that it becomes too difficult to warrant the effort by hackers. While that is probably never true for nation states attacking the security of other nation states, there are limits to the value of a commercial hack. What makes an attack surface attractive is the value of the data, and that can be a particular device or it can be an entry point for multiple devices all using the same password, for example.
“You need to build this from the hardware root of trust upward into the software,” said Rambus’ Handschuh. “The goal is horizontal isolation and vertical isolation. That allows you to load one application and then another without risk. We are starting to see solutions emerge along those lines.”
The general consensus is that no one approach provides sufficient security to ward off attacks where there is sufficient value in the data or in controlling a device.
“Even if we solve the main security issue about an installation or device, it won’t cover the inexpensive or discrete devices, and hardware-based security depends on the chips surrounding the secure one, not just the secure one,” said Michael Chen, design for security director at Mentor, a Siemens Business.
On the hardware side, solutions include everything from encryption of software, to crypto processors and physically unclonable functions (PUFs).
“There are lots of tricks you can apply, depending on what you’re trying to secure,” Chen said. “You can add a secure element into a device, such as installing an independent chip used for security. They require separate keys and allow you to attach your own questions to the device you want to secure. The other way is to sell IP into the silicon substrate and put it in as RTL code.”
AI issues
The electronics industry is just beginning to look at how all of this affects artificial intelligence, machine learning and deep learning. “Poison code” in algorithms, if not detected early enough on the training side, can result in unwanted behavior across a large number of devices. That includes not only devices that are trained by those algorithms, but devices that are trained by other devices using those algorithms.
“You need to define a framework that AI and machine learning can operate in,” said Secure Thingz’ Povey. “That requires a failure-mode analysis. There will be attacks and there will be poison code in machine learning. And you will need canaries in there because it’s difficult to fix algorithms. You need to be very careful with this.”
Conclusion
Security always has been an ongoing issue in electronics, and progress is relative to shifts in value. But as more breaches come to light, and more devices are connected to the Internet and to each other, the real potential is just starting to be understood.
In his keynote speech at Arm TechCon, Arm CEO Simon Segars noted that 70% of people polled see security as fundamental, 25% say it is good if it doesn’t cost too much, and 60% say it could be a product differentiator.
At the very least, it has caught everyone’s attention, and that’s a significant step forward over the past year.
—Susan Rambo contributed to this report.
It is encouraging that more vendors are shipping product with security measures.
Helena Handschuh correctly states that “You need to build this from the hardware root of trust upward into the software”. Defense in depth is the only way to address the problems that security breaches deliver, particularly hardware security.
However, the suggestion that hardware-based security depends on the chips surrounding the secure one, not just the secure one, implies that having a secure chip on board enhances security. On the contrary, having a separate secure chip – i.e. a secure element – only increases the attack surface.
This is why a hardware root of trust, where secrets (keys) never leave the chip and cross a potentially insecure bus, is vitally important as a foundation of the defense in depth that some of the contributors describe.
It’s good to see more attention to the security features of chip design.
Business value comes from data- or software-based services, and the hardware device (chip) is the vehicle or carrier for the service (value).
It looks like only when data/software security is bound to a hardware root of trust is the business protected.