What’s Next For IoT Security?

By Ed Sperling & Jeff Dorsch
With security, the little things can cause as much of a problem as the big things. As shown in the recent distributed denial of service attack (DDoS) on Dyn, which created waves of attacks using Mirai malware, connected devices of all sizes can be amassed into an army of bots that can bring even giants like Amazon and Netflix to a dead stop.

This attack was predicted and warned against by numerous security experts since it was published as open source code several months earlier, but that did little to stop its progression. And therein lies one of the key problems in security today. There are not enough layers of security being built into electronics to stop these kinds of problems, and no standard way of creating them.

What’s interesting here is that the most recent attack went well beyond the usual software and network breaches. It targeted the firmware inside devices that were secured by weak passwords. And most security experts believe this is just the beginning.

“This is a story that’s going to repeat itself a lot of times before it becomes old and stale news,” said ARM CTO Mike Muller. “There is no sudden, rapid fix. It’s not as if all the devices out there have appalling security. You can buy modern IoT devices that are secure and do handle security well. Everything has flaws. But one of the things we think is important for devices going forward is the ability to make them securely upgradeable in the field. Once you’ve lost control of an IoT device, it’s really important to be able to get that control back. You can do everything you can to try to prevent losing control. But if there is a flaw, you need to be able to securely re-flash a device even if you’ve lost control of the application at the top level. Architecturally, that’s one of the important things to press on.”

It’s also one of the pieces of design that needs to be automated to make sure it gets done right.

“There are three areas where we see EDA can help—side channel attacks, reverse engineering, and supply chain attacks,” said Serge Leef, vice president of new ventures at Mentor Graphics. “The one that we are targeting is reverse engineering at the functional and physical design level. There have been techniques invented over the last few years that appear to be effective.”

Among them:

• Logic encryption and obfuscation. Additional logic is connected to key registers, and the design doesn’t work unless it has the correct key. Obfuscation uses the same techniques to confuse attackers by hiding the keys. Extra circuitry is minimal. A 128-bit key requires less than 500 additional gates.
• Built-in self-authentication. This fills in all of the white spaces with electronically connected cells, basically creating an impenetrable mesh network that emits a specific number. If the circuit is broken to add more cells, the number emitted will change.
• Camouflage. While similar in intent to obfuscation, the idea here is to actually replace some subsets of cells with different-looking but similar functioning cells. So “and” gates can be made to look like “XOR” gates to a tunneling electron microscope, making it almost impossible to correct when disturbed without the master blueprint.

“The real intent here is to dissuade the economic attackers,” said Leef. “You’re basically erecting a system of walls and moats. A nation state will be more persistent. But for other attacks, you need to determine what is an acceptable level of protection. Our goal is to give a toolbox so our customers can determine what satisfies their requirements.”

Software
What was different with the recent Mirai attack was that it focused on firmware, which basically is software that is embedded in devices to provide low-level control certain functions. In the past, most firmware attacks have focused on commandeering the BIOS of computers, either for ransomware or for espionage purposes. In contrast, the majority of the breaches that have made headlines involve networks or operating systems and/or middleware, as well as the apps that run on them.

Digging into firmware is more difficult because it requires access to software stored and, frequently, hidden within a chip. That’s why systems companies park their SSL keys there, along with a history of private keys that can work with those SSL keys.

“If the keys leak, your security is compromised,” said Asaf Ashkenazi, senior director of product management in Rambus‘ Security Division. “If you can crack into a key, you can replace the software and remotely control the device. Keys are the Holy Grail for hackers.”

Many of these attacks require a physical component, such as a grinder, physical probes, and a scanning electron microscope. “That’s an invasive attack,” Ashkenazi said. “There also are combination attacks, where you reconstruct keys from a string of bits, not from the software.”

There also are side channel attacks, which use a passive antenna to pick up electromagnetic activity and figure out the keys. There are a variety of products available on a licensing basis for side-channel attacks where you provide a core in hardware to provision keys securely. But to really prevent attacks, multiple approaches are required.

“No one solution protects against everything,” Ashkenazi said.

Setting standards vs. using them
Still, something has to be done, and given the recent spate of breaches, it needs to happen quickly and on a grand scale.

One of the big problems with security is a lack of consistent and current standards. Standards that do exist, such as Transport Layer Security, do little to secure a device such as a surveillance camera or a connected entertainment system, which the U.S. Department of Homeland Security identified as the culprits in the Dyn DDoS attack.

Homeland Security Secretary Jeh Johnson said in a statement last month that his department has been “working to develop a set of strategic principles for securing the Internet of Things, which we plan to release in the coming weeks.”

Still, even if everything works as planned, connected devices are not suddenly going to be secure overnight. For one thing, there are plenty of legacy devices in the market. For another, even where technology does exist it isn’t always used.

“I’ve talked with many people that, even though they have all these different security components and they’re buying processors that have lots of cryptography and lots of nice features that they could use to make a product pretty secure, they’re not really using it,” said Oivind Loe, senior director of strategic marketing at Silicon Labs. “They don’t know where to start, and they really want to focus on their differentiation, the value of their product.”

He added, “It’s very hard to get that there’s no direct return on investment for a lot of these guys into implementing that next step of security. The potential downside they’re protecting themselves against is a pretty big downside – like, you don’t want to be on the front page of The New York Times with your product being hacked. People are becoming more aware of this, but definitely getting to the step where you recognize this and you build the capabilities to actually get the security into your product is a big challenge.”

The increasing complexity of devices such as microcontrollers is an issue, too. “MCUs are not that small anymore,” Loe said. “Some of them have multiple radio stacks, they’re dealing with complex protocols and complex applications. You’re seeing multiple megabytes of memory and you’re getting into the situation where you haven’t written all the code. You’re taking on board code that other companies have built for you. The separation and sandboxing allows you to then place that code and place all the different parts of your code in different containers and actually make the device more difficult to take over in the first place.”

At the same time, Loe said, “There’s always going to be bugs.”

Solving the problems
One possible solution involves what Chris Clark, principal security engineer in Synopsys‘ Software Integrity Group, calls “threat modeling” based on a security testing methodology.

“To do this it has to be future-proof, meaning it needs to be open to manufacturers so it doesn’t take a year to update,” Clark said. “It also requires tools that meet specific testing methodologies.”

The key, he said, is to utilize established tools that can be implemented at a reasonable cost, rather than adding a bunch of new tools that haven’t been market-tested and which no one currently owns. Those tools also must be applied early in the design cycle, when fixing problems is less expensive, in effect adding a “shift left” component to security.

In the automotive space, companies like Elektrobit are looking at the problem differently, trying to limit complexity basically by raising the level of abstraction on data from sensors. Complexity is one of the big challenges when it comes to security because it provides too many possible doorways to effectively secure.

“You can break this down into a set of behaviors, like drive in your own lane, automated lane change, automated emergency brake and safe stop,” said Walter Sullivan, head of the Innovation Lab at Elektrobit, speaking at the SAE & Synopsys Automotive Seminar last week. “The goal is to move to a model with major complexity rather than exponential complexity.”

Elektrobit is backing an open framework for automated driving systems called Robinos to provide some consistency and modularity in the automotive space.

Other solutions are fitting in around the edges, as the semiconductor industry begins grappling with these issues. In the supply chain, for example, Multibeam has figured out a way to insert a unique chip ID code during production, without significantly disrupting the manufacturing flow. Rather than a single code for a batch, each part would have a unique ID within a via hole based on directed electron writing.

But there’s another side of this, as well, as Loe indicated—training engineers to think about security issues. Nandan Nayampally, vice president of marketing and strategy for ARM’s CPU Group, moderated a panel session at TechCon last month about creating secure IoT systems. “We’ve always talked about most of the developers or even system designers are not security experts.”

On top of that, gaps need to be bridged across a lot of disciplines that have been allowed to co-exist with very interaction. As more pieces are required to be developed simultaneously to get devices out the door on time, they also need to start communicating across silos. This is certainly true for SoCs, but it also is true for small IoT devices, where the software, analog, and digital all need to be developed in sync with each other.

“On the digital side, a lot of the teams are small, and focused on logic and processor capability,” said Jeff Miller, product marketing manager at Mentor Graphics. “On the MEMS side, there is a focus on analog, digital and RF. What’s needed, though, is an integrated solution, and right now communication between these two groups is printouts from the bench. IoT provides opportunities to bring these two sides back together in a more productive way. Analog will continue to be art and black magic, and analog will continue to be more of a craftsman/artist approach. But there’s still a lot you can do to make the analog designer more productive with more simulation and verification.”

That has a direct bearing on security, as well, because security needs to span both worlds in a design, as well as others. In fact, IEEE’s plan to add general blueprints for vertical markets under the International Roadmap for Devices and Systems, describes security as a horizontal set of technologies that will serve many vertical markets.

Clearly, IoT device designers – whether new breed or old school – must be cognizant of multiple factors, including the concurrent development of software and hardware, architecture, subsystems and applications. In the eyes of hackers, they are all very tightly linked, even if chip engineers don’t always look at it that way. And in the midst of this, security needs to be a top priority at every step of the design process. If not, the little things that get overlooked will turn into very large problems that potentially could cause much more damage than a temporary denial of service attack.

Related Stories
Side-Channel Attacks Make Devices Vulnerable
The number and type of attack vectors are increasing as more of the world becomes connected and vulnerable to hackers.
Securing The IoT
Last week’s Internet outages highlighted the dangers of unsecured IoT devices and the need for a comprehensive set of standards.
Where Are The IoT Industry Standards?
While some Internet of Things groups are proceeding with setting standards, connectivity and other aspects are still up in the air.
IC Industry Waking Up To Security
More companies recognize cybersecurity needs to be built-in from the beginning.