The Hidden Side Of Security

Chip companies are taking security very seriously. They just don’t talk about it.


Inside of large chip companies, security is being taken very seriously these days. They just don’t talk about it very much—and sometimes not at all, even to their own employees.

In fact, procedures have been instituted inside all of the major chipmakers to ensure that chips are secure on every level, including who gets to see what data within those companies, according to multiple Semiconductor Engineering sources. In some cases, customers are only allowed to run tests on site at the companies, in secure rooms, with no data ever to leave those secure facilities. And sometimes those rooms are on different floors or in secure wings within companies.

Most employees don’t have access to this data. While some of this secrecy had its origins in concern over IP theft, those approaches have been extended far deeper into the security world. Hacking into encrypted embedded code is difficult. In most cases, it isn’t worth the time and effort it takes to decrypt that code, unless state secrets are involved. And without a key, for most criminal enterprises it’s an economic dead end.

This isn’t optional. Systems companies are keenly aware of just how serious a problem is ahead of them with an increasingly connected world. Devices are no longer isolated, and as long as they’re on—even in sleep mode—they’re not impervious to attack, by air, by wire, or by physically grinding down the outside package and inserting probes.

What’s becoming obvious is the need not just for one set of security features, but a full stack of features at every step of a design. Just as there is a power budget, there now is a security plan. And just as power budgets vary by market, so will security plans. But what these chipmakers are taking very seriously is that they have to deal with the least secure entry point in a complex mesh network, which means everything from secure embedded code to handshake communication within the chip. It also means hiding the crown jewels of the design in a very secure place, restricting access on every level, including motion detection for data, and in some cases self-destruct mechanisms if a chip is compromised.

This isn’t science fiction anymore, and companies that fail the security test can be sure they’ll be vilified in the market by their competitors or by their customers’ lawyers if they don’t take adequate precautions. It can ruin a business.

Connectivity has done more than make consumer’s lives better. It has created a constant threat for chipmakers that changes the fundamental formula for risk, including where to trim costs and how much those cost-cutting decisions ultimately could cost a company if something goes wrong. What remains to be seen is just what kind of chilling effect that has upstream for the IP and tools suppliers, and downstream for the companies that manufacture and test these secure devices. While devices are connected, so is the supply chain, and security is only as good as the weakest link in the chain.