Is The IoT Safe To Use?

By Ernest Worthman & Ed Sperling
Data security has been a problem since well before the invention the computer, and it has been getting progressively more difficult to contain every year for the past eight decades. It was made much worse when computing was decentralized with the introduction of the IBM PC in 1981, made worse again when networking was introduced into corporations by Novell’s NetWare and Lotus Notes in the early 1990s, and made worse yet again as smart phones and USB drives became ubiquitous over the past decade.

The rollout of the /Internet of Everything is the next big dislocation, and it is forcing everyone to rethink the basic concept of security—particularly when devices are connected to other devices that aren’t known to chip or device manufacturers. Pervasive, always-on connectivity, raises many issues that now require a complete rethinking of how to secure data because it no longer is even tied to one device.

“One of the big paradigms around security is that the attacker gets to choose where and when they want to attack,” said Asaf Shen, vice president of products at Sansa Security. “The defender, on the other hand, has the task of trying to defend everything, everywhere, constantly. That is an old world doctrine that, interestingly, applies to new-world cyber security, as well. The attackers know that so they are always searching for the weakest link.”

There certainly are plenty of weak links, from supply chain counterfeiting to chip and software security holes to user gullibility. Even devices that are secure frequently are connected to ones that are not.”

“Special-purpose IoT devices are often controlling mission-critical operations and they are also an entry point into larger intranets,” said Bernd Stamme, vice president of applications engineering at Kilopass Technology. “They have to meet low-cost targets and are often a much easier target for hackers or malicious attacks. Industry studies have found that 70% of the IoT devices on the market today have security vulnerabilities. Hardware security features can be utilized to protect the IoT’s device ID and configuration against alterations or manipulations. Secure boot operations are required as well.”

But at at the same time there is widespread recognition, in the wake of massive and very public data breaches at retailers and banks, that something needs to be done.

“Security has gone past the point of, ‘I don’t know if something will happen,” said Jeff Miles, vice president of business development for global payment solutions at NXP. “There is more attention focused on providing secure platforms. Even on mobile devices there is fingerprint security for accessing a device and more support for putting that onto devices.”

The economics of security
That support will be essential, too, because there are a number of costs associated with preventing data breaches. The most obvious is money. Consumers won’t pay for additional security, but the devices cost more to architect, design, verify and build.

But there are other costs, as well. Active security is a drain on both power and performance. A fully secure mobile device has to be plugged in far more often than one that is less secure, requires more silicon, and can slow everything from core operations to I/O, although the proliferation of multi-core devices and better performance has helped to overcome the performance limitations.

“From my perspective, on the research side, we have generally solved the first, most elementary problem, which is how to make things that are acceptably fast and acceptably cheap to manufacture, for most products,” said Paul Kocher, president and chief scientist for Rambus’ Cryptography Research Division. “Now we have to start looking at the next set of issues, sacrificing some of the gains we have made in terms of making things faster and cheaper in the name of security. This involves a totally new set of engineering and cultural challenges. On the engineering side, it means the architectures that we have become very good at building—that work fast and generally function reasonably well, but where the failure modes are uncertain or complicated, especially when it involves design errors—will have to be architected differently.”

That view is echoed across the industry, from chipmakers to device makers to those offering IP.

Jason Parker, security and operating systems architect at ARM, explained during the recently held ARM Tech Day in London that as part of the general story of how to build trustworthy devices, namely to provide a level of trust that service providers can rely on for payments or DRM for services, the devices those services run on must be trustworthy against physical attacks or software attacks. It’s very easy to have security on a device that doesn’t talk to anything or do anything, but when it expands out from there, that’s when there have to be compromises, one of the biggest of which is the price. “One of the other big issues is quite often the people demanding the security are not the people that are going to pay for it.”

As such, he said, there’s a balance of wanting a really secure system, but not being willing to pay for it. There’s a question of how you build in security features at a reasonable cost. Within the A-class space of processor cores, TrustZone is how security is implemented, which is a combination of isolated hardware execution and trusted software.

Architectures that are optimized for security often run slower and use more power, though, in part because there is more computing to be done, and in part because not all of the pieces in a disaggregated development model progress at the same pace.

“Chip vendors strive to create more powerful chips, with more functionality, but the same effort isn’t put into securing these chips,” said Sansa’s Shen. “The result is that software stacks on top of these chips moves much faster than the underlying security of them. If you compare IC’s of today to ICs of yesterday, and this is true across the board regardless of industry, the main difference is in the software stack that they run. Little has changed in security. So they run significantly larger amounts of code, yet they are only incrementally more secure. This translates into a very wide ‘system,’ meaning a software-included attack surface that is much wider that just the chip.”

New approaches, broader approaches
Not all of this has to be done alone, though, and there is evidence that companies are beginning to collaborate on solutions and architect solutions that will work with other technologies.

The most recent example involves a collaboration between NXP and Qualcomm, which uses a system-in-package secure element developed by NXP to connect to Qualcomm’s Snapdragon chip, which powers some of the top smart phones on the market from makers such as Samsung, LG, and even the iPhone 5S. What makes this arrangement significant is this is a bolt-on solution, rather than trying to build everything into the same chip, with each party taking responsibility for its own part.

“What we’re doing is enabling integration at the reference design level,” said Neeraj Bhatia, director of product management at Qualcomm. “Frameworks building on a platform allow for multiple levels of authentication. With biometrics you can store that information in the cloud or on a device, so having different levels of security on platforms gives you broader protection.”

A second challenge involves securing other devices that may be networked, either directly or indirectly, to other devices. This can involve everything from a motion detector to a smart appliance.

“One universal thing we are seeing is use cases and requirements for embedding hardware-based roots of trust in all of these devices, including the smallest and simplest ones such as light bulbs,” said Shen. “This is becoming truer, especially as these things start to get more connected with, for example, IPv6 and become part of the cloud and the IoE. When you take all of this into account, the importance of these hardware roots of trust as the portal for identity registration and validating the authenticity of the chip and the software stacks, one sees the critical nature of embedded security at the hardware level.”

There seems to be consensus building on that point. “The need for hardware root of trust (HROT) for connected devices is recognized by the industry,” said Kilopass’ Stamme. “On-chip non-volatile memory (NVM) IP based on anti-fuse bit cell technology represents the most secure medium for storing sensitive device data (ID, configuration, trim, encryption keys, boot code, etc.). It is available for the cost-effective, low-power process technologies being used for IOT devices.”

Serge Leef, vice president of new ventures at Mentor Graphics, points to three general approaches being taken to secure chips at the moment, none of which he believes to be sufficient—formal verification, software, and hardened IP.

“There has been some effort around formal, but the constraint for formal verification is that you have to know what the problem is, and in most cases the problem is unknown,” Leef said. “So its usefulness is limited for Trojan detection, which is the big problem. There also are some solutions around securing hypervisors, but if the underlying hardware is compromised it’s not that effective. It’s the same for partitions in hardware. If an attack occurs at the hardware level, it’s undetectable.”

Trojans are undetectable in the design phase of an SoC or a larger system. They show up at run time, providing the tools are available to detect them, and at this point it may require a stroke of luck to catch them.

Hardened IP, in contrast to synthesizable IP or soft IP, is the third area. This kind of IP may be more resistant to side channel attacks, but it does nothing to limit the threat of extra circuitry—and at this point there is no way to determine if there even is extra circuitry short of X-raying a complex design filled with third-party IP blocks.

“IoT startups are being funded at a good rate, and the way to pitch to VCs is with a vertical solution, whether it’s a smart door lock or a smart refrigerator,” said Leef. “So the visible part of a working system is the app. The underlying system gets limited attention, and it’s often built using publicly available IP blocks. We don’t always know what’s in those blocks. You could have a trigger sitting there for 10 years.”

Conclusion
A number of EDA vendors are busy developing tools that can identify security holes and problems—companies such as Mentor, Cadence, Synopsys and Atrenta—and IP vendors and system vendors are figuring out their own weaknesses and approaches to plugging potential security holes. But all of this takes time.

The problem is that the IoT is rolling out in pieces, often in vertical markets such as automobiles that are now connected to systems that were never considered part of any automotive design five years ago. What happens when you wire up a motion detector in home to an advanced security system, or when a smart meter or thermostat is connected to a network where not all of the nodes are fully secure?

It will take years to close up these holes, and more and much more innovative types of attacks will be developed along the way. But the key, at least for the short term, is what damage can be done later by devices being sold today or several years ago? The answer: No one really knows.

—Ann Steffora Mutschler contributed to this report.