The Next Level Of Chip Security

The demands on silicon going forward will change significantly.

popularity

As we move to that magic year, 2020, which is commonly being recognized as the year when the IoT is supposed to be in full bloom, the security issues just keep coming. The rate of cyber exploits continue to ramp up daily. Yet there seems to be just as much complacency about the Internet of Things as there is about the Internet of today. It seems we are becoming desensitized unless it happens to us.

With all the breaches reported by Home Depot, Target, Chase, and countless others, there seems to be little fallout from the billions of records that have been compromised. And there are stories all over the media warning about the hazards of cyber hacking for the upcoming holiday season. Yet, people are still providing private data online in record numbers, and there is no sign that that trend will abate any time soon. In reality, either we are doing a superb job of damage control, or most of these threats are being hyped way out of proportion by the media.

Still, the chance that we are going to see a pandemic data compromise that will have reeling effects on large numbers of individuals, either directly or trickle down from organizations is very real. But it’s not as if there aren’t security solutions available – there are. In fact, there is a plethora of solutions to choose from, both hardware and software. The challenge is to get vendors to take security as seriously as sales, and fund it. Today, vendors don’t want to make security too complex for the end user, just as most end users can’t, or won’t bother to secure their hardware, no matter how easy it is.

This is bad news for the IoT, where insulin pumps, EKG monitors, blood status monitor, and countless other sensors will be connected to just about everything that will be a recipe for disaster.

securityA

“The ecosystem of the products we are building, such as mobile phones, has gotten very complex,” says Benjamin Jun, CTO and vice president of the Cryptography Research Division at Rambus. “The number of parties involved, in the sense of continuing control or management of such devices, from the chip vendor to the carrier, IT departments, all the way to the user, are expecting different degrees of control within the network and on security. And, it ultimately rests on the silicon to provide it, so the ‘trust models’ are very complex.”

Extrapolating from there, it is only going to get worse as the IoT evolves. Because so many more objects will be stratified among so many more segments, there is going to have to be a meeting of the minds at some point or another, especially with the different interconnect platforms (wired and wireless).

“The vendors are not taking enough responsibility for this, and the consumers do not have the correct tools or knowledge to solve this problem,” notes David Jacoby, security analyst at Kaspersky Labs. “At the moment we are in a terrible situation because our homes [and other venues] are very vulnerable, and there is no real good solution for it.”

However, for the semiconductor industry, this represents a monumental opportunity – and they are starting to respond.

“We believe that semiconductor security will become a first class design parameter in the future, and will be architected from the beginning to prevent counterfeiting and security breaches,” notes Steven Woo, vice president of enterprise solutions technology at Rambus notes. Companies like Rambus are showing that progress with products like CryptoManager, a platform that provides security features in hardware that can provide anti-counterfeiting capabilities. It also has the ability to be enabled and disabled throughout the product lifecycle, from the manufacturing process through deployment in the field. Such solutions are dynamic enough to be transparent to both the vendor and the end user.

Short-range wireless
The IoT will make pervasive use of near-field and close-field technology. Platforms like NFC, RFID, Bluetooth, ZigBee, etc. that exist at current frequency assignments will see explosive growth. And new short range implementations of existing technologies such as Wi-Fi at 24 and 60 GHz, will add to the security wheelhouse.

security1

Some of these technologies haven’t been particularly attractive to hackers, and some won’t need a lot of additional security measures. For example NFC, which typically only works out to about 10 cm, is intrinsically more secure than Wi-Fi or Bluetooth. However, with the smart communicators, NFC is likely to become a primary if not the interactive device for many of the IoT objects (such as appliances, home automation, certain vehicular functions, kiosks, home entertainment, etc.). So far there has been little effort by the nefarious set to try and hack NFC communications. But given that it is likely to take a much more active role, and become much more pervasive as the IoT unfolds, that is likely to change.

security2

“Intrinsically, NFC communications tend to be secure for a couple of reasons; first, it is very difficult to intercept such short range communications, and second, because the NFC technology itself is pretty secure, because it is low-level,” said Ian Morris, principal applications engineer for RF connectivity solutions at NXP. “However, NFC security is only as good as the weakest link, which is usually the software at one end or the other, or perhaps an intermediate link that supports the technology.”

NFC just recently started to see a significant uptick in proliferation, and across multiple venues. It is not likely that NFC will have huge security issues but it certainly will be in that same bucket of endpoint security as will all other technologies.

Let’s talk RFID
RFID is becoming immensely popular for a number of segments including retail, supply chain, government, manufacturing access control and asset tracking and healthcare. Soon it will also be used for human implantation. Why? Because human implanted RFID will enable seamless interaction with the IoT. You will be able to unlock your car, home and business, make electronic payments, foolproof your identity and track your children.

Securing human implantable RFID in the IoT is a principal security concern. Implantable RFID chips can contain extremely sensitive information such as banking data, health records, and personal information. And, RFID transmissions, unlike most wireless transmission protocols, are generally unencrypted and can easily be intercepted, up to 30 feet, or more. There is also the matter of cloning.

In one case, a researcher was able to purchase an RFID passport reader from the manufacturer. They used that reader to sniff the data from an existing passport and embed it on a new, blank passport that functioned like the original in every way.

In another example of a security breach, a senior research fellow at the University of Reading, Berkshire, United Kingdom, Dr. Mark Gasson, was able to infect an implanted RFID chip with a standard virus that typically infects computers. He then used the infected RFID tag to gain access to a secure building. Once inside, he was able to transfer the virus to the building security system, which was interfaced with the main computer system of the company and passed the virus on to anyone who used an RFID card on the system.

And, this can be done without the user every knowing it happened. All it takes is to get near enough (say in an elevator) to the person with the implanted device and use a reader to capture the data.

Going forward, to secure these in the IoT requires three things; controlled data access, system access control, and trusted systems. These can be implemented with back- and front-end security.

Chip-to-cloud security
As the cloud becomes the main facility for data storage and transfer, cloud to chip transactions will be a huge vulnerability that hackers can use to compromise just about anything or anyone. To secure this next-generation of transactions, chip security will have to be at the top of the list and hardware will be where the best solutions can be implemented.

Up until now, most of the security around chips is securing keys and sensitive data. There is a lot of work done on keeping keys from leaking. “But there is a lot more to protecting a key than to make sure it doesn’t leak,” notes Jun.

Securing keys and data is only part of the equation, as well. For the cloud and the next-generation of devices that will interface with it, a lot more security will be required.

“What solutions do we have to offer, as silicon creators, for this platform,” asks Jun. “One of them is a concept we can call ‘self-proof.’ When you put together a complex box, say a network router, it is really a whole symphony of chips that have to work together, of which many are on add-on boards. One of the issues is that all of the components are genuine.”

That will be a real problem going forward. More and more countries are getting on board with component manufacturing, and the economies of scale will put pressure on OEMs to find the best product for the best price. So making sure components are genuine is a hot topic. The result is that the chip industry needs to start thinking about a world that is more widely outsourced.

The complement to securing all of this cloud and IoT hardware is the accompanying software. “It is important to have secure software, and secure computing environments,” says Jun. “This is very similar to how we might have looked at memory protection 10 or 15 years ago. The idea is that software can’t be trusted to maintain partitions, so we created our own in hardware. The easiest way to do this, at least, in theory, is to drop in another CPU, a small one, onto a part. But that isn’t always practical so we use other tricks such as a secure boot, and making sure keys and credentials are in the right place, and at the right time.”

All of this mandates cloud services providers to think about next-generation innovations, which are able to take advantage of next-generation advances in security, such as the Trusted Execution Technology (TXT) for cloud services from Intel Corp.. This platform is an example of security at the bare metal layer and an example of what leading edge chip companies such as Intel, NXP, Rambus, and others are developing for cloud security.

While these chip manufactures are standing at the bleeding edge of cloud and IoT security, this remains a tall order for a vendor branch that is still burying their heads in the sand when it comes to security.

Looking forward
It is not that difficult to imagine what cloud networks and the IoT will look like. It is a bit more difficult to see who and what will make up the components of these next-generation networks. The cloud is a simple, basic concept – take a bunch of servers together from all over the place and interconnect them to look like a simple storage model. It’s easy for the consumer and businesses to understand and a simple concept for the service providers to get behind. But the behind-the-scenes workings are orders of magnitude higher in complexity than the façade suggests.

Therein lies the challenge for the players of the cloud and IoT. Making it work together isn’t that big of a problem. Making it secure is a whole other matter.