Keep Your Friends Close And Your Smart Cards Closer

Chip security is still mostly an afterthought. That has to change.

popularity

I recently had a conversation with Ramesh Karri, professor of electrical engineering and the chair of this year’s security track at DAC. I was discussing, with him, the current state of chip compromise techniques and how this segment is growing by leaps and bounds. Every day it seems there are more and more malcontents bent on finding ways to compromise every type of smart card out there. And, with the cards becoming smarter and finding their way into so many different applications, this one-two punch could be a knockout before we get a handle on it.glad

One of my primary charges here at Semiconductor Engineering is keeping my ear to the rail on what is happening with the Internet of Things/Everything…keeping my ear to the rail is kind of a misnomer because I live and breathe this stuff! To me the evolution to the internet of things is just about all I live for…well, not totally true…I do enjoy a few hours with an online MMO called world of tanks now and then. But I digress…

Anyway, I venture to say that smart cards will likely be in many, if not most of the objects of the IoT/E. When I was chatting with Karri about compromising these chips, and one of the things that stuck with me after our conversation had nothing to do with the various methodologies of chip hacking. It had to do with the mentality of chip hacking.

True, most smart card today are not really at the complex apex of things. Some are, but most are used for things like access, employee ID, parking passes, patient ID, credit cards, etc. There is a long list of what they are used for but most are used for simple, single applications; but that will change in the face of the IoT/E.

In reality, chip security is still mostly an afterthought, waxed Karri, especially with low-cost applications where many smart card chips are found. Karri made the point that both the supplier and the user need to get educated on the seriousness of securing chips…from the latest crypto processor to the SIM card in your phone or set-top box.

Some progress is being made. In the credit card segment, the U.S. card issuers are finally coming around to the idea of replacing the old magnetic strip card with what is EMV .(Europay, MasterCard and Visa) chip-based cards. You may have seen one, or may even have one – American Express is starting to roll these out.

EMV-based cards are a step in the right direction. While they have been around for a sometime already, strong security has, only lately, been at the center of the radar screen. A short laundry list of what security measures today’s chips have include:

  • Data authentication, PIN entry, and cryptographic technology.
  • Transaction-unique digital seal or signature in the chip. This proves its authenticity in an offline environment and prevents criminals from using fraudulent payment cards.
  • Secure online payment transactions and protect cardholders, merchants, and issuers against fraud through a transaction-unique online cryptogram.
  • Support for enhanced cardholder verification methods.

So that is a start. Extrapolate that to the IoT/E and there may be hope. But the bottom line is that the more data get digital and the more inclusive chip cards and such get, the more malcontents have to gain by hacking them. And with autonomous IoT/E objects, chip-like technologies are going to be pervasive. So let’s hope the chip camp gets to understanding the critical nature of securing chips. And the user gets to understanding that they have some culpability as well…do you know where your smart chips are?