Security Risks Grow Worse

Experts at the table, part 3: What happens once smart cards are introduced; the fallout of multi-core chips in automotive; designing security end-to-end.


Semiconductor Engineering sat down to discuss security issues for connected devices with Marc Canel, vice president of security at Arm; Paul Kocher, president and chief scientist for the Cryptography Research division of Rambus; Michael Poitner, global segment marketing manager at NXP; Felix Baum, hypervisor product manager in the Embedded Software Division at Mentor Graphics; and Bernard Murphy, chief technology officer at Atrenta. What follows are excerpts of that conversation. To read part one, click here. For part two, click here.

SE: What happens if you put all your trust in a layer of security and it gets breached?

Baum: You don’t just build in one layer of security. You use three, four or five different layers or more. So maybe one or two will be breached, but there are others.

Canel: This is why for a company like ARM, which is designing cores, it’s so important to get involved very early on in the containment technologies, whether it’s TrustZone or technologies for secure cores. What do we do in the architecture of the applications processor to integrate secure cores such as the CryptoManager? All of those are the foundation of things. We need to define a minimum level of support for containment and encryption technologies.

Murphy: And those layers have to be in the IoT system. You can’t just design the device to be all of these layers.

Kocher: When you look at the chip, the hardware is obviously important to get that right. But there’s also the application on top, and there’s the services in the ecosystem. Those are all equally critical. Having a device that can hold a key well is great, but how does that key get there? How do you let people know that’s a trustworthy key, or to what degree they can trust it? What happens when somebody pulls one chip apart and takes the key out? How do you let the world know that key is no longer trustworthy? What happens if there’s a side-channel attack across a large number of devices? How do you risk manage that and make sure that people have a rational basis for the trust they’ve got? The worst thing in security is when you trust something that isn’t trustworthy. One of the things Germany got wrong in World War II was that they trusted the Enigma machine was unbreakable, and yet it wasn’t. If you’re the one relying on a security mechanism and your security designer has convinced you to trust it, but it’s not trustworthy, the consequences can be really, really severe.

Baum: But it’s more than just the IoT device itself. It doesn’t matter how secure your cell phone is. If you take a picture with your cell phone and upload it to the cloud, the cloud can be breached.

Poitner: We have systems and we have the back end, but even companies with extensive security got hit. It requires a full system approach.

SE: The medical field traditionally has had pretty good security, but with the IoT you’re going to have consumer devices connecting to that data. So you have two markets with completely different levels of security coming together. How do we solve that?

Poitner: It’s not quite as secure as you would hope.

Canel: There is one area that is getting normalized, which is authentication. There is the FIDO alliance, which is driven initially by some sensor companies and credit card networks, but now it’s pulling in people from multiple places. They will carry authentication materials and authentication scores that can be created all the way from the end point to the back-end server. With that verification score, it can be a user or consumer, but it also can be a machine. That’s one area we think is promising, and it will solve a very important problem between systems, which is authentication.

Poitner: There are two different specifications out there from the FIDO alliance. It’s focusing on online user authentication, but this type of authentication also is getting traction in the IT space.

Murphy: There are also non-traditional forms of authentication, such as moving your hand in a way that only you can reproduce.

Canel: The FIDO alliance is defining the protocol to carry an authentication score all the way to the server. The way you define that authentication score is entirely up to the logic you put into the device. If you want some kind of biometric system based on your behavior—and that could be the behavior of the individual, the machine, or the behavior of the individual and the machine combined together—why not?

Baum: How would that help a smart device? Would it authenticate itself to the cloud?

Poitner: Yes. And the architecture is such that even if the system is hacked, there are no useful credentials on there.

Murphy: And some of that identification is something that the user consciously reproduces. It may be the way they type, the motion of the hands. It’s a step away from capture, which is what some companies are looking at today.

Kocher: Going back to the medical topic, one other part that needs to be considered is that the attackers are looking to monetize their objectives. Money is the primary driver of credit card fraud. There also are some political objectives. But as we do things, their response will occur. The rollout of smart cards in the United States will make the easiest route of attack go away, which is to steal vast numbers of credit card information from merchants. So those attackers are either going to go bankrupt and get legitimate jobs—or they’re going to pick new targets. What will their new targets be? Right now it’s very difficult to monetize breaking into someone’s phone. That will start changing and creating pressures on an industry that’s been running along doing business as usual because they weren’t rational to attack. We’ll see some of those shifts occur over the next 18 months. It will be interesting to watch, and ‘interesting’ is not in the good sense.

SE: With the IoT, we’re seeing a mash-up of different markets, each of which adopts standards at different rates. Consumer devices may be discarded every couple years, but cars typically are around for 10 or 20 years. How do you match the standards in a way that makes sense?

Kocher: There aren’t standards where you can look at a product and say, this product deserves my trust because it has this standard. There are standards that are effective for industry, but consumer devices don’t comply with them. This is an area that needs tremendous research.

Baum: If you open up the hood on your car today, chances are good it’s still running a lot of single-core processors. Unfortunately companies are pushing heterogeneous multicore in the automotive space, and this is where it’s going to hit us. The initial strategy was to put Android in cars, but they realized they would either have to validate every single app or they would have to create their own marketplace of authorized applications. They ended up walking away from it. Right now they are just starting with the 2018 designs, and they are trying to figure out how to deal with these standards.

Murphy: One carmaker is looking at decoupling from the mainstream suppliers and going straight to the chip companies. They’re going to take on more responsibility for making sure that stuff is secure.

Poitner: Some of the car companies in Europe have been working on security for the past six years.

Baum: In Europe, the gas is expensive. The cars are expensive. With an economy like in Greece, they’re moving more toward a Zipcar approach. The center of the city is a big parking lot. You walk to the car with your cell phone and that car reads the parameters from your phone. You want your mirrors here, your seat there. And then you drive around, you park it, and all the payments go through your cell phone. It’s a completely different approach. It’s not like it’s your own car and you secure your car.

Kocher: And the car downloads whatever particular apps you want at the moment.

SE: What happens in the supply chain, particularly on the manufacturing side? We’re now dealing with a supply chain that crosses markets with the IoT.

Kocher: A lot of the product engineering we’re doing lately is around security blocks you drop into a chip. You have to pay for the area on a chip, but assuming you’re willing to do that you can add logic that acts as an isolated security component on a chip. Those blocks can then go into untrusted factories to manage the keys. So when you have your factory in the lowest cost area with perhaps untrusted employees and government in that region, you can still have your security there. That works at the chip level. At the device level, you come back to discrete chips.

Baum: It has to start earlier, with basics. You design your own SoC. You go out to some library and you pull out your secure encryption block. For true security you have to start from the beginning. Do you trust the blocks? Do you trust the logic you put into your device? Then you get to the point, how do you know when you build a device it’s the device you want? One of the things NASA did, when you had an SoC that would go into space, was to literally have people walking next to it. It came with a bunch of paperwork. There were always people looking at that chip.

Murphy: But you still come back to the question, ‘Where’s the easy money?’ The easy money is still in counterfeiting. There are a variety of techniques to deal with that, such as layout camouflaging.

Poitner: We get questions about whether we can trust the code on a chip. We have checks until the part comes out of the factory to make sure it has the hardware and code it’s supposed to have.

Baum: And that’s just for the SoC. In industry there are many other cases of counterfeiting.