Security Risks Grow Worse

Experts at the table, part 1: Who’s taking security seriously, who’s not, and who’s going to pay for it. Why edge devices pose such a high risk.

popularity

Semiconductor Engineering sat down to discuss security issues for connected devices with Marc Canel, vice president of security at ARM; Paul Kocher, president and chief scientist for the Cryptography Research division of Rambus; Michael Poitner, global segment marketing manager at NXP; Felix Baum, hypervisor product manager in the Embedded Software Division at Mentor Graphics; and Bernard Murphy, chief technology officer at Atrenta. What follows are excerpts of that conversation.

SE: Now that we’re moving deeper into the Internet of Things, what kinds of security issues are you seeing and what can be done about them?

Baum: From the software perspective, there are certain things we can do to address device security, particularly with the IoT. How you define IoT matters, of course, because devices are different, but from the software side you can only do so much. You can validate you boot process and encrypt your data, but it still has to start with the hardware and the root of trust. Some things were done in the past, but it was mostly ad hoc. The more things we can enable in the hardware that the software can take advantage of to enable device security, the better off we’re all going to be. I don’t believe we’re there yet.

Kocher: There are three trends here. One is that we’re putting more and more features in devices. This is what’s driving all the value in the electronics industry, but all of those features bring complexity, and with complexity comes bugs. Our brains aren’t capable of making enormously complex, perfectly bug-free anything, whether it’s software or books or anything. We also have an exponential growth in the number of devices in these tech ecosystems. And we have rapid growth in the value of the information that’s on the devices. These are great trends on one level, but each of them creates problems. More features means more bugs, more devices mean more targets, and more value for the good guys means more opportunity for the bad guys to monetize what’s in these systems. For as long as these three trends exist we’re going to see more breaches and worse breaches. This year is worse than last year. Next year will be worse than this year. There isn’t any immediate technological solution that will stop these trends. From a big-picture perspective, we’re seeing more rapid growth in the consequences of insecurity than the value of the new features. If we can’t make the Internet-connected toaster more useful, it’s not a better toaster than one that isn’t connected. It’s really a question of how we reduce the risk.

Canel: Security is a business value proposal. Nobody wants to pay for security. The people who are willing to pay for it are regulated businesses that have a government mandate to take care of the data of their customers, or it’s companies that have their reputation on the line. In the Western world, the parties that have shown the most interest in protecting their data are the Hollywood studios. They have driven architectures within the OEMs and chipset vendors and the ecosystem to make sure their content is protected. This is a remarkable example of service providers that want to protect their data. One of the reasons mobile payment didn’t pick up that quickly was that there wasn’t a strong drive. There are system, models and strategies that work very well, both in the United States and Europe. That’s not true in China, where you see a drive to promote mobile banking. The government and those involved in this segment in China are pushing for mobile payment. In vertical industries such as health care, we will see requirements that are very specific to that vertical. But security is first and foremost a business problem. It’s how much an industry values its reputation, the data of its customers, and regulatory mandates to protect that.

Poitner: Security is a business problem. But with mobile and the IoT, there are a lot of companies designing devices that are always on. They don’t think about security from the very beginning. We have been in the security business for a long time. If you think about banking with chip cards in Europe, or mobile phone cards with SIM cards, security has been addressed. In the IoT space, people need to secure hardware and to secure software.

Murphy: One of the things that’s different about IoT and security is the size of the attack service. We’ve gone from managing a controlled number of devices to a huge number of devices. The cost of implementing reasonable security on those devices and maintaining reasonable security on those devices is constrained by the cost of those devices. You don’t want to be doing antivirus uploads to your smart light bulb every day. You have to start thinking about security in different ways.

Baum: Right now, a lot of security we’re talking about involves mobile payment—even the movie studios with their content. They’re willing to put money on the table and invest in security. But the IoT toaster and the light bulb are end nodes and they can cause more trouble. The toaster can burn your house. If someone steals a movie, it’s $30 or $40. If someone breaks into your bank account, that can be resolved. But if you look at your smart appliance, that used to be an 8-bit microcontroller. Now you’re going to add communication so a dishwasher will only wash dishes when power rates are low. Those things are potentially more dangerous and affect more people’s lives more often, and unfortunately the people who build them don’t think about security.

Murphy: For the banks the risks are being increased, but it’s not a new risk. They’re already dealing with risk. Here we’re talking about brand new risks that people aren’t aware of. It’s different.

SE: The attacks in the past came through software. Will it still be that way in the future, or will there be more points of entry?

Canel: It’s going to come from a variety of places. It won’t strictly be software. It will be hardware, too, and the cost of that hardware is coming down. There’s going to be a combination of hardware and software.

Kocher: The hardware right now is providing really poor foundations for security. Chip architectures historically have been aimed at maximizing functionality. We provide ways of achieving certain functionality but have very poor ways of regulating it. There are exceptions like NXP’s security chip, for example. If you add a security chip you can get a separate compartment, as well. But in general we’re just one software bug away from total compromise, and in a few cases we’re two or three bugs away. We’ve pushed the complexity of the device far beyond where we can reasonable hope to secure them and we have to fix this. It will require fixes in the hardware so that the software developers can be human and make mistakes and it still doesn’t allow your toaster to burn down your house.

Baum: Nobody looks at a single core for most devices these days without a GPU and encryption and other things. So we’re looking at a multi-core, multi-processing device that is suddenly extremely complex. The software guys are like kids in a toy store. You can run Linux here and Android there and run all your apps with 3D graphics and shared screens. There is much more complexity. Tools are really behind. They’re not being used to analyze your hardware and software to see where the points of intersection that can fail. And Paul is right. It takes a single point of failure and the whole device is wide open.

Kocher: There’s no single structural part of a building that will cause it to fail. Most of the components in a building are there for safety. But if you look at a chip, no one wants to spend the same kind of overhead to make it safe. They just want to make it work. That approach at some point has to change, but the question is how bad does it have to get before people really care.

Canel: That’s one of the challenges. The toaster and the fridge are consumer devices. If you look at the IoT marketplace, who are the stakeholders? You have consumers, but you also have enterprises. If a device is going to regulate a power plant, the power company will care about that device. If it’s your toaster or your fridge, is the level of care the same from the manufacturer? Or is there a service provider who will care about the security? It will take some time to sort itself out and find out who will be the drivers of security in those markets, including the consumer markets. But consumers don’t pay for security.

Kocher: The security over the life of the device can be more than the cost of putting a radio into a device to begin with.

Baum: What might have changed, and why security could be accelerated, is that with social media you can really escalate attention.

Canel: The driving force for security will come from smart services, whether it’s industry or the home. The service provider will need to attach to the device. The device will have to be something that service provider can trust. Requests for service will have to be authenticated. In order to be able to deliver service, they have to know how the device is built, what the architecture looks like and where the trust comes from. I believe it will be the service providers that will drive the need for security.

Murphy: That will be true in a lot of cases, but if you’re selling $25 light bulbs, how much effort will you put into implementing that kind of authentication?

Canel: There will have to be some sort of normalization of both hardware and software to make this viable.

Poitner: The hardware is certainly highly scalable. There is even technology to make light bulbs secure at a cost that is bearable. But it does come down to a question of money. The service providers today switch everything to a cloud, but they need a complete sense of all the pieces.

Kocher: It also varies by market. A 20-year-old car might be a perfectly good car. But you wouldn’t want to run your connected critical infrastructure on Windows 95. Just keeping the teams together and keeping your compilers working is very difficult. A light bulb company might be willing to put a little bit of money into the light bulb when it’s sold, but they don’t get recurring revenue. How do we get services to work in a way they’re successful?