Experts at the table, part 1: What parts need to be secure first, how that needs to happen, what’s already been done, and where the biggest risks are for the future.
Semiconductor Engineering sat down to discuss whether the IoT will be secure enough, or whether it will create new security issues, with Sami Nassar, general manager of NXP Semiconductor; Oleg Logvinov, director for special assignments at STMicroelectronics; and Lawrence Loh, application engineering group director at Cadence. What follows are excerpts of that conversation, which was held in front of a live audience at the IEEE Standards Association IoT Workshop.
SE: Do we understand what’s really needed to make the IoT secure enough, or are we facing potential nightmares we can’t even fathom yet?
Nassar: We are still at the very early stage of this evolution, but we do see multiple trends converging. One of them is that we’re bringing new applications into the connected universe. With that, we’re facing threats that have existed on the Internet for the past 20 years, but which were never taken into consideration in regard to the reliability of an application. On top of that we’ve got new applications facing new threats. And we have a very fragmented approach for companies moving into that space, which are building new applications that are fairly sensitive. There is a risk of bringing high reliability into connected applications that have access to the Internet.
Loh: Security has been a hot topic for a while, but it’s a difficult problem. The way you access information, whether it’s from the Internet or from home devices that access wireless infrastructure, can increase the security risk. Plus, designs today are getting more complicated. We already have many areas where something can go wrong. But security isn’t just about what goes wrong. It’s about how people can find ways—clever and even legitimate ways—to access that information. It’s a constant learning experience involving how someone found a back way into information, how we patch it, and how we prevent the next problem. We, as a community, need to deal with it, starting from the system. We need to look at hardware and software and figure out how each person involved in that system is going to do his part. Every part can be a vulnerability. And hopefully we can share some of that knowledge, which is going to be difficult, because it’s not something people necessarily want to share, but that will be necessary to improve on things. The community really needs to come together to overcome this problem.
Logvinov: When we start talking about security in the IoT, the first thing we need to do is define what that means. What I hear in discussions on this topic is security applied to specific designs for specific verticals. How do we do a vulnerability assessment? How do we make sure that it’s protected adequately? But the promise of IoT is to leverage a unification of platforms to feed into a multitude of applications. It’s one-to-many and many-to-many connections. Take a smart phone, for example. You can see where you are with the GPS. You can measure ambient temperature. You can monitor your own heart rate. But how do you make sure the data is properly secured when it’s exposed to multiple domains? This new dimension of many-to-many or one-to-many brings in a new layer of security requirements. We need to start thinking about how to manage data based upon the identity of the consumer, not just the device itself.
SE: There are many levels to the IoT. Let’s start with the semiconductor. There are vulnerabilities at the chip level, where you can grind off the top and attach probes or do side-channel attacks. How do we secure the fundamental building block of electronics?
Nassar: This problem was addressed 15 to 20 years ago with the banking industry, where they wanted to do financial transactions with an end point that is not necessarily secure. We had to develop technologies to build in security features. Then we were faced with this again with ID chips in passports. There are a lot of critical applications being run on ICs today that we can leverage into new markets. Building security into semiconductors takes thousands of engineers tens of years. It’s not something that is a short cycle. At the same time, it’s a living technology. As sophistication grows, you need to build new defense mechanisms. You need to continually develop new features to defend against new attacks.
SE: You’re talking about chips that have more resiliency in terms of price, though, right? A lot of the IoT chips will be very simple—and maybe cost a fraction of a penny.
Nassar: The banking industry is very sensitive to price, as well. But when you look at this, you have to look at the scale of new technology being developed specifically for a vertical application and IoT. You’re leveraging an existing technology that has been utilized, amortized, and continues to grow, and then you’re taking it into new verticals. At the end of the day, you want to protect a secret key and be able to reflect it with an algorithm. That’s the core of that technology. The core is the same, and it can be leveraged into different verticals and new applications.
Loh: We have done a lot in the past 15 years to add security. But what’s different is that it’s dealing with more information and more communication. Two things have changed. One is that a cell phone today is more powerful than a mainframe computer used to be. The design of an SoC is no longer a single component designed by one group of people. It’s a set of intellectual properties, some of which are hardware, some of which are firmware and some of which are software, and many of which come from different sources. Some of those sources are internal, some are external. How can we guarantee that when we hook everything up, it will still be secure? That’s the first challenge. The second challenge is that, looking at that same cell phone, more is being done in software today. The hardware provides a lot of freedom about what can be done in software. You can do early prototyping and hardware-software integration, which is an old problem, but the security adds a very big new twist on it.
Logvinov: Software and software security become much more important. We’ve gotten pretty good at making semiconductors secure. We know how to do anti-tamper, secure boot and many other technologies that help us to secure the silicon itself. But what if someone plants a virus inside of our execution environment running in a phone or pacemaker or any other device? That becomes really dangerous. What we need to figure out, perhaps, is how to create secure execution containers. Maybe it’s through virtualization or some other techniques, but the goal is to partition application-specific components so that they don’t allow someone who isn’t authorized to penetrate a data domain.
SE: We’re talking about a hardware stack, a software stack and an IP stack, and within those there are a lot of pieces that come from different vendors. So what is our top priority? Is it security or price or time to market?
Logvinov: It’s all of these, but there’s a pendulum. We see things going in one direction with the integration of new features and components at a very low cost, and it captures a customer base because people say, ‘This is cool.’ And then someone publishes something on a security breach that says, ‘This is bad,’ and all of a sudden your marketing changes. It costs a little more money, but it’s secure and nothing like that will happen again, and then it goes in another direction.
SE: But we have had breaches at big retail chains like Target and Home Depot and the problems continue.
Nassar: And it’s expensive. What we cut on cost, maybe through the design, will end up being a huge cost in terms of lost sales and revenue. In every one of these vertical applications you have different threat models, and within those models you need to isolate the cases where it’s sensitive. Because IoT companies’ main focus is on providing a service for a specific use, they cannot concentrate much on the security aspects. We need to create partitions and certification. Certification has been a great tool in the past, where you could rely on a third party that would go and check the latest innovation and give you a grade. With this certification, you’ll be able to know what you’re buying into without investing a lot of engineering.
SE: That’s part of it. But aren’t you really looking for end-to-end security, from certification and into the device and up to the cloud?
Nassar: The brand that will be put on this ecosystem of devices is very important in terms of reporting the level of quality of service for security, privacy, and other features they will provide.
Logvinov: That’s easy when you’re talking about something that’s confined to a vertical. But the whole idea of IoT is to break the vertical confines and to use the same platform across multiple verticals. Going back to a smart phone, we can monitor our heart rate and our location and do a lot of other things. Which vertical does it belong to?
Nassar: If you break it down, the new thing you’re bringing into the equation is connectivity. This is what needs to be secured first. What level of access, by whom, and the accessing equipment are what will be core. Other things will come on top of that, but the connectivity part is a common layer that everyone will need to address for security.
Logvinov: Is that really true? If you consider a link between, for example, my smart phone and the tower, that’s secure. But if I’m running between my smart phone, the tower and the cloud, and the application I’m connecting to is compromised by hackers, then regardless of how secure my phone and the tower are, there is a new risk.
Nassar: In some cases we’re not securing the content of the information. It’s about access or legitimacy. A SIM card is good enough to assure the user identity. Whether someone can eavesdrop on the phone is a different equation. Access is more important in that example.
Logvinov: With a connected car, you can say that if we have something similar to a secure element inside the car, then it can be managed successfully. But if we have a secure link from that car to the cloud, how do we prevent that car from being compromised?
Loh: Every segment is assumed to be secure. That’s not always the case. But even if every segment is secure, that doesn’t mean everything is secure. It’s an open-ended problem. That’s why everyone needs to play a part in this chain. There are times when they will be involved with the weak link. It might be the encryption algorithm one time. Another time it might be the air waves. We’re just in the beginning. We need to define which data needs to be secure and what level of security is required. We also need to determine who should have access to it and what is the potential path. Even if data looks secure, it might not be secure. We need to understand how data will be shared and who has what capabilities. Access to your hardware may depend on how you define it.
Logvinov: It’s not just about identity of devices. It’s about the identity of the services that use these devices. Today that kind of information is non-existent.