An influx of connected devices, more compute options, and the rapid growth of generative AI are making it much harder to prevent attacks.
A combination of increasingly complex designs, more connected devices, and a mix of different generations of security technology is creating a whole new set of concerns about the safety of data nearly everywhere.
While security experts have been warning of a growing threat in electronics for decades, there have been several recent fundamental changes that elevate the risk. Among them:
Taken together, these present a huge and growing challenge for chip and system designers, software developers, and regulators.
“Securing the world’s data will be one of the greatest technology challenges over the next decade of compute,” said David Maidment, senior director of market development at Arm. “The proliferation of AI-accelerated use cases is driving the need for more security in connected devices, and we predict that businesses and consumers will only get more concerned about protecting their data and valuable models. At the same time, in the last five years we’ve seen regulation requirements from governments rapidly change and grow, and the onus is on manufacturers to meet a growing list of criteria.”
Unlike in the past, when security typically involved a specific device, protecting data will involve a multitude of devices. And while it helps that in some applications, security is a given, that isn’t enough anymore.
“For banking, for ID passports and access control, there are three or four decades of security chips now,” said Peter Laackmann, senior vice president of security at Infineon. “This means there are specific embedded security chips, like smart cards and trusted platform modules (TPM), and so on. This is quite well known and used, but there are not so many manufacturers.”
The situation is similar in the automotive market. “The automotive industry was relatively quick to recognize the importance of implementing security measures into their chips,” said Mike Borza, principal security technologist at Synopsys. “But one of the places that’s been the slowest to adopt is consumer electronics. There’s been a lot of resistance to adoption, mostly based on notions about cost — how much it costs to embed security in these products and make them really secure.”
The real problem is that all of these devices — some secure, some not — are now communicating across one or more networks, and interacting with each other and with unknown devices.
“You no longer have a network of several secured or protected systems,” Laackmann said. “You have a network where you have secured systems, and systems which have not been secured. For example, you have a wireless LAN network at home, and a PC, notebook, or TV. But you also have devices that are very low-cost, such as a smart lightbulb. You want to integrate these low-end products into your home system, which means that the smart lightbulb also knows your wireless LAN password. That means you also have to protect your personal data, which would suddenly go into the low-end range of consumer products. Therefore, you need specialized security. All these IoT devices that send us regulators — smart thermostats and cameras, for example, or a home cleaning robot — all need specific means for securing what private data is inside.”
These kinds of inconsistencies present a major challenge to security. “You still see at this point that home internet gateways, i.e., routers and Wi-Fi, are understanding they need to take security seriously,” Borza said. “Some of them still ship with default passwords. We’ve seen even as late as this week there were some warnings about people that take them out of the box, put them on the internet, and they’ve still got the default password set. Those things get taken over and become homes to bots. When you’ve got gigabit per second and faster internet connections to people’s homes, that’s a huge concern, because if you have a botnet of 100,000 or 1 million devices connected to gigabit internet connections, that’s a huge amount of network capability that you can focus on anybody you choose.”
While some of the responsibility for cybersecurity falls on the end user, setting up a secure network or VPN, or repeatedly updating passwords, can be challenging for even tech-savvy users. “You have to assume a lowest common denominator that’s very low,” said Borza. “If they’re not secure out of the box, that’s going to be a problem.”
The good news is that more people are recognizing the need for security, even for IoT systems. “Generic IoT devices are generally coming with a level of built-in hardware security,” said Lee Harrison, director of automotive test solutions at Siemens EDA. “If you think of some of the applications they get used in, home automation and those types of things, all of a sudden security becomes important for those applications. So even if you have a generic IoT device, and you want people to use that, across the board, you have to have a level of security built in. Otherwise, you’re restricted in the field of use.”
Hidden costs
But adding in security does have a price tag, and it’s not just monetary. It can impact every aspect of the PPA/C equation and every step of the design flow.
“The IoT devices are going to struggle a bit because they tend to be quite small,” said Harrison. “They tend to be quite power-focused, so adding in security adds to the area as well as to the power. But certainly, we’re seeing a massive influx of security into those devices because they are a generic device that covers a whole range of different applications.”
The bigger and more complex the systems, the more difficult they are to secure, and the higher the stakes if there is a breach. The key is to protect the data, no matter what a device connects to, directly or indirectly, and that typically comes down to two things — root of trust vulnerabilities, and vulnerabilities in high-performance, large-scale application processors, according to Jason Oberg, chief technology officer at Cycuity.
“There are fundamental issues in a lot of the application processors and architectures that we’ve done over the last couple of decades, and they are coming back to bite us,” said Oberg. “We have a lot of projects and activities going on in that domain to ensure that all of those different things are behaving securely, because you can’t just turn it all off. That’s a non-starter.”
Oberg noted that while companies have begun implementing strong precautionary measures into their hardware roots of trust, pointing to Apple’s Secure Enclave as one example, many of Cycuity’s users have expressed concerns that mistakes in that area can lead to data leakage. Additionally, high-performance features in application processors can have similar issues. For example, researchers found that some chips developed by Apple have vulnerabilities in their data memory-dependent prefetchers (through the Augury and recent GoFetch vulnerabilities) that can leak secret information.
Other chipmakers experienced similar problems in 2018 with Meltdown and Spectre, which took advantage of pre-fetch and speculative execution, two techniques that helped boost performance as the benefits of process technologies diminish at each new node. The problem is they also are vulnerable to side-channel attacks. That, in turn, is magnified by the fact that some of that data is moving between systems from different technology generations, as well as different security protocols.
But replacing insecure systems with new versions deemed more secure is both logistically and financially unfeasible. The practical solution is mitigating the weakness, not eliminating all risk, said Oberg.
Some steps already have been taken to do just that. Borza pointed to devices like Amazon’s Alexa line of home assistants, which have “an identity that’s baked into the silicon on the device, so that it’s able to verify where software updates are coming from and that they’re authorized, for example.”
This approach seems to have been effective so far. There are few, if any, reports of Amazon devices getting hacked. In fact, the biggest violations of security on Amazon devices have come from the tech giant itself. In 2023, the FTC ordered Amazon to pay $30 million over privacy violations connected to its Alexa and Ring doorbell devices. On the flipside, Borza pointed to an influx of new devices in that same ecosphere that do not have similar protections built in.
“A lot of devices still use flash memory that is not intrinsically part of the integrated circuit that’s running the software on the chip,” Borza said. “And that detachment allows for the possibility that people can get rogue software running on the device. What you really want is a strong identity that’s baked into the device that can be used as the basis for all of the software authentication that follows.”
Win one, lose two
No data is ever completely secure. Hackers are always improving, and there have been some giant steps forward by some very tiny, non-human actors. The recent pandemic led to a reshaping of both the digital and analog worlds, placing considerable stress on the pre-existing security mechanisms that had been in place for uncountable companies and their employees, observed Jim Montgomery, principal solution architect at TXOne. As millions of people began working from home and became reluctant to ever return to offices full time, the impact wasn’t just felt in commercial real estate prices, but also in the influx of remote workers.
“While OT environments were designed for zero access, it’s like they were designed in a bubble,” said Montgomery. “Because they didn’t need internet access, they didn’t need the ability to push logs out. They weren’t moving logs to the cloud. They weren’t allowing remote access. Over the last few years, they’ve had to adjust to accommodate for situations, COVID being one of the biggest situations, where they weren’t allowing anybody into the environments whatsoever, so they had to make accommodations for that. And that accommodation, typically, was adding some sort of remote access capability either directly into the system, the machine that they want to work on, or into the environment, in general.”
The problems that created never went away. “They basically created their own monster when it comes to remote access,” he said. “You can combat those things with segmentation, with decent types of intrusion protection system (IPS) types of solutions. But once you create that access into the environment, you’re creating an avenue for attack.”
TXOne’s approach relies on devices that are Debian-based, with locked BIOS and operating systems to be as compromise-proof as possible. But those are powerful tools, which may be overkill for the average user trying to secure their network and devices.
Other solutions could also be like bringing a gun to a knife fight. “You could go for a fully bloated security solution that could almost in some cases, double the size of your IoT device,” said Siemens’ Harrison, noting that more realistic solutions are out there and increasingly being brought to market. He estimated that the market for security has grown by as much as 45% in a fairly short period of time.
Solutions can range in complexity. On the simple side, Harrison said some devices could include a fuse that’s blown during the manufacturing process to restrict access to pins or other parts of a chip. At the other extreme, he pointed to “a fully integrated Root of Trust solution where any kind of user would have to authenticate themselves with a device with a crypto key before they can access the device and do anything with it.”
Among the biggest players to go for the Root of Trust solution is Microsoft, which in 2021 said it would require all devices running Windows 11 to include a TPM. That may not be the right solution for all devices, Borza said. He believes the right model is something that’s very similar to it — an embedded hardware security module (HSM) that’s part of the chip. “This is starting to be used in a lot more places. You’re starting to see chips of lower and lower cost that have these hardware Roots of Trust built into them.”
Conclusion
While many parts of the tech world have taken security seriously for decades, it’s surprising to many experts how weak security is in many places. In the past, that was a personal decision. But increasingly, the weakest points can have much broader implications.
The need for security is growing, and so is the awareness. Security options have become smaller, cheaper, and less of a hindrance on performance. Still, there is much work that needs to be done, and even those who work in this area, who have seen the advances firsthand, can be pessimistic on the odds of security concerns truly proliferating until outside events force the industry’s hand.
“Very few consumers make decisions about what products they are going to put into their home based on how secure they think they are,” Borza concluded. “Until that starts to be a real market driver, where you can cut yourself out of the market because you don’t provide adequate security, I don’t think we’ll see a whole lot of movement unless there’s real regulation that says in order to sell these consumer products, you need to meet certain minimum requirements. If you don’t meet them and we find out — and the way they find out is because there’s some massive breach — then we’re going to come after you with big fines and suspensions.”