A variety of approaches can be applied to inexpensive devices without significantly affecting the bottom line.
Security has been a priority in software for decades, but only recently has it begun catching up in chips — particularly those in inexpensive devices.
The disconnect is that while these devices are low-cost, they often are connected to the same networks as more sophisticated devices and repositories for valuable data. It’s not unusual for the entry point in ransomware or distributed denial of service attacks to be one, or even many inexpensive devices with limited or no security. But even though many such devices are still being used today, newer devices that either replace them or share the same networks are starting to include at least some security measures in their design.
Much of this is driven by the economics of security. What’s required from the hardware design standpoint is becoming more economical. In addition, there is growing momentum to rate devices based on how secure they are. UL Solutions, a subsidiary of Underwriter Laboratories, now verifies devices based on their security. In addition, NIST has developed a Cyber Risk Scoring (CRS) for managing security.
The challenge now is to get more vendors on board with building security into every connected device, and educating the market on why even simple security can be effective.
“With IoT you’ve got sprinkler systems that are very low-cost, and the value of the security system is very low,” observed Lee Harrison, director of Tessent automotive IC solutions at Siemens EDA. “To account for that, you have to have the security layer such that you don’t get impacted by the low cost IoT being the route to the core of your system.”
The challenge is that the selling price for many devices is so low that some are considered disposable. Nevertheless, they can provide a link to more sophisticated devices on a network, and much more valuable data.
“Low cost does not imply low value,” said Prakash Madhvapathy, product marketing director at Cadence. “If the cost or price barriers do not permit the requisite level of security, then that device should not be allowed to handle or store the asset that it cannot protect. Even low-cost devices must pay attention to security first to play in the market. Many devices in the market today don’t pay sufficient attention to this aspect and pay a significant price in the long run.”
Proper threat assessment is essential
Of course, not every device needs a high level of security. In many cases, the simplest solution is often the best. For attackers, there has to be value to a successful attack that outweighs the cost of carrying it out. It can be tempting to employ the most secure architecture possible, but the cost in terms of parts, knowledge, and manpower can far outweigh any of the actual benefits when there is little advantage to be gained from carrying out a hack.
“You can end up with security being five times the cost of the actual product,” said Siemens’ Harrison. “You have to scale your security solution to fit the application. For companies that offer security solutions, you have to make sure that you have a range of capabilities to cater to everybody’s needs. That’s the difference when building the technology in-house. You build it very specifically for your own application. If you’re providing a solution to the market, you need to make sure you’ve got a breadth and depth of technology that can cater to the majority of the customers’ applications.”
As with all hardware, security needs to be considered early in the design process. A proper threat assessment model must be devised that weighs the costs and benefits of different solutions. A design that has security as a consideration can’t be started unless the designer knows what they are working towards.
“The first consideration is to understand how much security is needed,” said Madhvapathy. “The level of security in any product needs to be commensurate with the value of the assets that it protects. While every security system is vulnerable to hacking, if the cost to break the security is higher than getting legitimate, paid access, then the motivation for hacking is eliminated.”
Even where cost is not an issue, nothing is 100% secure. That’s why a proper threat model is vital to concocting a strategy that fits the actual dangers. Simply making a hack more difficult, rather than nearly impossible, can be enough to dissuade a hacker.
“Perfect security doesn’t exist,” said Marc Witteman, director of the device security research lab at Keysight. “As a defender, you need to make the attack more expensive than the attacker is willing to spend. If the value that you unlock with your attack is, let’s say, $1,000, then the attack should cost more than $1,000. Then the attacker will lose interest.”
Risky connectivity
The fact that most low-cost devices are connected to the internet presents another possible avenue for reducing the costs associated with securing them. As Madhvapathy pointed out, the threat model for many of these devices indicates that remote hacking is the most likely avenue for attack.
“In that case, the need to protect secret keys from being observed on a physical connection may not be there, so many layers of security designed to protect private keys can be jettisoned with impunity,” Madhvapathy said. “The high cost of including on-chip structures such as OTPs that cite such secret keys can be avoided, and the design effort to avoid their exposure on an external bus can be reduced drastically. However, this requires traceability procedures to ensure that an employee with intimate knowledge of these secrets does not knowingly or inadvertently publish the keys. This can be tricky since most hacks are known to have been done by internal people.”
On the other hand, there are a variety of ways a device designer can protect hardware from in-person attacks, including making it difficult to open the device — even down to the types of screws used.
“Once you’ve opened it up, can you recognize all the components in there? Do the chips have printings on them, or are they just anonymous? These are all things that developers can do,” said Witteman. “We see products where the printed circuit boards are covered in glue. This is not a perfect measure, but it slows an attacker. From an electrical perspective, are the connections between the components easily accessible, or are they hidden inside in a layer in the PCB? Are there any test and debug ports available? Are they also internally switched on? Is there a password on it? I can go on and on about different measures that can be taken at the hardware security level to slow down an attacker, and nothing is perfect. But if all of those measures are taken, it will slow down an attacker so much that they might lose interest.”
Solutions need not be expensive
The argument that security is too expensive is misleading. Many of the available solutions don’t need to add substantially to a device’s price tag.
“Including security in devices does not need to be expensive,” said Cadence’s Madhvapathy. “Modern technology has democratized the availability of security IPs for encryption, decryption, and storage of secrets, thereby lowering the cost of implementation. Embedded devices can benefit from the proven Rich Execution Environment/Trusted Execution Environment implementations on various processor architectures.”
One factor that complicates security in low-cost devices is that the devices themselves rarely are the actual target. Even cheap devices can be used to wreak havoc by a malicious actor, whose goal is chaos, rather than profit. One example used by several experts is the smart sprinkler system. They may seem benign, but they could be used by an attacker looking to worsen drought conditions in a state like California.
The solution may be more about “ensuring the integrity and the authenticity of the firmware and software,” noted Dana Neustadter, senior director of product management for security solutions at Synopsys. “You cannot afford to put a lot of hardware level protection, but you can still use cryptography and the software approach, where you need to test at a minimum the integrity and the authenticity of the firmware and software that runs on them.”
Consider smart light bulbs, for example, which can sell for as little as $10.99 on Amazon. “You can’t not put in any security,” said Neustadter. “Even for a light bulb, if you don’t have the appropriate firewalls and you don’t have this minimum level of security to authenticate and to check the software control hasn’t been tampered with, it can be used to get into the network of controlling all the light bulbs in a city, or an important building, for example. They can be controlled or turned off in a way that can have repercussions with people’s lives, such as in a hospital.”
Focusing on software may be the most cost-effective solution, as “Protecting software against remote attacks is more of a design and implementation choice issue that doesn’t add to product cost the way adding hardware does,” Cadence’s Madhvapathy said. “Good design practices that parry buffer overflow attacks, randomizing response timing to defeat timing-related attacks, using Rust programming language for sensitive code, etc., go a long way in providing an effective shield that even cost-sensitive devices can employ.”
Hardware solutions are limited, but do exist
The actual costs of chip security may not lie in additional hardware components, but rather in the time, effort, and labor needed to implement a solution. But as hardware security continues to grow as a priority, the barrier of entry likely will decrease because more designers will learn how to implement the solutions.
“From a hardware and software cost perspective, it’s really limited,” said Witteman. “It’s not like you need a lot more hardware or a lot more software. It’s more about education. Your developers need to understand these concepts better, and there are open-source solutions they can use. It’s not rocket science for somebody who has an understanding about security. It’s mostly lack of awareness that limits the way developers use these concepts.”
In some cases, depending on the device’s use, even a root of trust may not be essential, as the design can be simplified to its absolute bare bones to prevent attacks. If the point of security is to protect access to data, restricting how that data flows could be the most elegant, cost-effective solution.
“The simple way to add security in the case of a really simple device doing a really simple thing, is to design it in such a way that it doesn’t have the capability to access the data,” Siemens’ Harrison said. “If I keep using the sprinkler system as an example, if all you’ve got is the ability to turn it on and off, you don’t have to have that two-way data flow. You don’t even have to have the connection there to do a two-way data transfer. Instead of being able to read complete sets of data, you just want one bit, so you can physically design things so that the best level of security is no connection at all.”
Because there are so many low-cost devices on the market, with so many different uses, it’s impossible to recommend any one solution. While restricting data flow, or implementing a solid root of trust, or randomizing response times may work for some systems, they might not be right for others. The only constants are the usual tradeoffs, and a big focus on reducing costs.
Michael Daniel, president and CEO of the Cyber Threat Alliance, said the profit margins on these types of devices often can be very thin, and many manufacturers may be tempted to cut corners, with security likely to be one of the first areas to see reductions in the name of profits. Because of that, he believes there is an argument for “really developing some clear design principles that could easily be replicated across a lot of different kinds of hardware, so that it’s not as hard to design in the security and further develop the state of the art in that area,” he said.
Conclusion
The rise of low-cost IoT devices has led to an interesting conundrum for designers, where the security solutions that can be implemented may be many times more expensive than the devices themselves. This points to the growing importance of devising comprehensive threat models at the very beginning of the design stage in order to calculate the risks of attacks against the benefits of securing the device.
Even the cheapest of devices can be secured to a certain degree, using cryptographic techniques, authenticating firmware, and hardware and Rich Execution Environment/Trusted Execution Environment implementations within the architecture. But the biggest impediment to securing cheap devices may not lie in the hardware, but in the people designing the chips and systems. Greater education and awareness of security concerns is a must, and as that grows, the cost of securing devices with a small price tag will shrink.
Related Reading
Chip Security Now Depends On Widening Supply Chain
How tighter HW-SW integration and increasing government involvement are changing the security landscape for chips and systems.
Edge Devices Require New Security Approaches
More attack points and more valuable data are driving new approaches and regulations.
Leave a Reply