Security Progress In Some Places, Not Others

Big companies are taking care of some problems that affect the IoT, but there’s a lot still exposed.


Security is big business, and it’s increasingly part of business done between big businesses in the semiconductor market.

The deal that was announced this week between NXP and Qualcomm, adding a secure NFC module to the Snapdragon chip, is certainly good business. But what’s really interesting about this arrangement is that it was done between two very prominent companies, which saw a potentially big threat to their revenue streams if action wasn’t taken. The takeaway is that chipmakers are now looking at security as an essential part of what they offer, and figuring out ways to avoid possible breaches.

The same concerns have been resonating across the commercial IP world. ARM’s TrustZone system-wide security is well known, but the company also purchased an IoT security company called Offspark in February to expand its secure footprint. Likewise, Synopsys bought Codenomicon last month, and Cadence bought Jasper last year. Mentor Graphics is pushing into the market with secure software and tools to avoid breaches in the first place. Rambus, which was well ahead of the curve, bought Cryptography Research in 2011. And Kilopass, eSilicon, Sonics, Arteris, Imagination Technologies all have very well defined programs to improve the security of their IP, internally and with partners.

That’s only part of the picture, though. The big companies are recognizing that to continue doing business they will have to be able to stand up to scrutiny on their security offerings. Intel, IBM and Texas Instruments have been offering secure processors for decades, but for the most part no one considered that a value-add. It was the same for low-power hooks in the chip, which were not considered considered essential prior to the massive explosion in multi-featured smartphones, where consumers could watch their battery life draining before their eyes.

What still isn’t clear, though, is how the supply chain is going to be secured. An SoC is a collection of parts. Not all of them come from large vendors, and when price is a critical issue or inventory is constrained, even the best plans get sloppy. IP has been treated as a black box, and hard IP has been viewed by chipmakers as something they don’t have to worry about because it can’t be tampered with. But as more devices are connected to other devices, and particularly as they make those connections autonomously, the need to understand every facet of the supply chain and understand every part becomes imperative. Where was that part designed? where was it made? And even more worrisome, can it do something that isn’t in the spec sheet?

There are tools available to track IP and a bill of materials, but they really only scratch the surface of understanding what’s going on in the supply chain. They can’t say whether a legitimate distributor picked up a batch of counterfeit parts in a shipment with legitimate parts, and they can’t tell whether hard IP has a sleeper back door.

Defense agencies around the globe have implemented tracking services, where IP is literally walked under guard from one stage of the manufacturing process to the next. In the commercial world, such regulations don’t exist. And counterfeiters have become so sophisticated that it’s impossible, short of grinding down the package and examining the circuitry inside—as well as extrapolating how software might utilize those circuits—to determine whether it’s legitimate or not.

The number of security breaches possible with the rollout of connected devices is enormous, but the hardest one to close will be the supply chain, and for good reason. It’s the one that most people take for granted.