Don't Think You Need a Secure SoC?
The Oct 21st, 2016 denial of service attack on websites across the United States was powered by hacked Internet of Things (IoT) devices. It was one of the first IoT-related attacks to break into the popular media, drawing public attention to the vulnerability of these devices. We're all aware that computers and smart phones can be hacked, but who thinks about baby monitors, DVRs, or wifi-enabled cameras? The answer to this question is - everyone who reads the headlines. And more importantly, anyone who designs SoCs, and especially IoT devices, should be thinking about security.
Sadly, the state of security in Internet-connected consumer devices is woefully inadequate. These devices are easily hacked, with the potential for widespread damage. But the solution is well within reach. Intrinsix has been implementing SoC security solutions for years, ranging from basic secure boot to full tamper protection. We work with clients to help them identify the security requirements of their SoC and formulate a security architecture that will address the most critical vulnerabilities.
The level of security that should be built into SoC devices will depend on many things, including the potential for damage if the device security is compromised, and the ease with which a vulnerability can be exploited. If an exploit has minor consequences, such as the compromise of one and only one device, then it may not be as critical as an attack that reveals secrets allowing the exploitation not only of that one device but of every other similar device. Also, if a vulnerability is nearly impossible to reach, or has an extremely small probability of being exploited, then it's probably less urgent to address it than a vulnerability hackers or malicious agents can quickly take advantage of. Given the plethora of vulnerabilities that exist in IoT devices, attackers will invariably prefer to spend their time on the easier exploits.
SoC security can take many forms depending on the application.
The first and most necessary measure that designers should consider is the integrity of the boot process. Without a secure boot process, an attacker can substitute malicious code in place of the system boot code and achieve a complete takeover of the SoC - with potentially catastrophic consequences. The simplest way to address this vulnerability is to encrypt the boot software. This approach complicates the life of an attacker but is not foolproof. A higher level of security can be achieved by adopting a secure boot protocol such as the chain of trust mechanism (see figure below) in which a trusted component of the boot sequence, starting with the hardware, verifies the trustworthiness of the next component in the sequence, for example, the bootloader.
The verification is usually done with cryptographic checks, using public-key signature algorithms. Once verified, the next component in the sequence takes over, and the process continues until the system is up and running. If a component anywhere along the chain cannot be verified, then remedial action is taken, and the untrustworthy component is denied control.
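As an added illustration of the hand-off just described (example code written for this page, not Intrinsix's or any vendor's secure-boot implementation), the following Go program models a chain of trust in which each stage carries the public key that must have signed the next stage, and the ROM-anchored root key verifies the first. It assumes Ed25519 signatures and SHA-256 digests; the stage contents are constructed bytes standing in for real firmware images.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Stage is one boot component. It carries the public key that must have signed
// the NEXT stage, so that key is covered by this signature and cannot be swapped.
type Stage struct {
	Code    []byte
	NextKey ed25519.PublicKey
	Sig     []byte // signature over stagePayload by the previous stage's key
}

// stagePayload binds the code and the hand-off key into one signed digest.
func stagePayload(s Stage) []byte {
	h := sha256.New()
	h.Write(s.Code)
	h.Write(s.NextKey)
	return h.Sum(nil)
}

// VerifyChain checks each stage with the key handed down by the one before it,
// starting from the ROM root. Returns -1 if all verify, else the first bad index.
func VerifyChain(root ed25519.PublicKey, chain []Stage) int {
	trusted := root
	for i, s := range chain {
		if !ed25519.Verify(trusted, stagePayload(s), s.Sig) {
			return i // this component is denied control; remedial action follows
		}
		trusted = s.NextKey
	}
	return -1
}

// BuildChain signs n constructed stages in order (sample bytes, not firmware)
// and returns the root public key a real SoC would burn into ROM or fuses.
func BuildChain(n int) (ed25519.PublicKey, []Stage) {
	root, priv, _ := ed25519.GenerateKey(rand.Reader)
	chain := make([]Stage, n)
	for i := range chain {
		nextPub, nextPriv, _ := ed25519.GenerateKey(rand.Reader)
		s := Stage{Code: []byte{byte(i), 0xBE, 0xEF}, NextKey: nextPub}
		s.Sig = ed25519.Sign(priv, stagePayload(s))
		chain[i], priv = s, nextPriv
	}
	return root, chain
}
```

Because the hand-off key is inside the signed payload, replacing it with a different key is caught at the stage that carries it, not one stage later.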
Some applications will require a more comprehensive security architecture, which extends beyond the integrity of the boot process. IoT devices that process sensitive information, such as financial data, or personal biometric and health data should incorporate a security architecture that protects against data theft, illicit sniffing, or malicious use of the sensitive information. To achieve this, a full trust-zone implementation may be warranted. This essentially divides the hardware and software resources of the SoC into secure and non-secure worlds, with sophisticated policies that prevent access to secure world resources from the non-secure world. This approach builds a wall around secure world assets, protecting them from malicious agents.
In some cases, intrusion detection is warranted. Intrusion detection typically monitors the SoC for such things as fast/slow clock speed, under/over voltages, temperature thresholds, or other signs that the system was compromised or tampered with by a bad actor. If an intrusion is detected, some action is taken, consistent with the security breach requirements of the SoC. That action might include a quick erasure of memory, shutting the system down entirely, or shutting down specific resources that were particularly vulnerable (e.g. entering safe mode). Regardless of the action taken, it may be desirable to log the nature of the intrusion. Logging can be used to notify victims of possible attacks, allowing them to take appropriate remedial action.
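The following Go monitor is an added example (written for this page, not an Intrinsix design) of the detect-act-log loop above: it checks clock, voltage and temperature samples against limits, requires several consecutive out-of-range readings before responding so that one noisy sample does not trip it, and records each confirmed event. The thresholds, sample values and the mapping from condition to action are constructed for illustration.

```go
package main

import "fmt"

// Sample is one set of tamper-sensor readings (constructed, not real telemetry).
type Sample struct{ ClockMHz, VoltageV, TempC float64 }

// Action is the response taken once an intrusion is confirmed.
type Action int

const (
	None      Action = iota
	SafeMode         // disable only the resources most at risk
	EraseKeys        // zeroise secret memory
	Shutdown         // halt the whole SoC
)

// Limits are the ranges outside of which a reading counts as tampering.
type Limits struct{ ClockMin, ClockMax, VMin, VMax, TMax float64 }

// Monitor needs Persist consecutive out-of-range samples before acting, so one
// noisy reading does not trip the response, and logs every confirmed event.
type Monitor struct {
	L            Limits
	Persist, bad int
	Log          []string
}

// classify maps a reading to a reason and an action; the mapping is a
// constructed policy, a real SoC derives it from its own breach requirements.
func (m *Monitor) classify(s Sample) (string, Action) {
	switch {
	case s.ClockMHz > m.L.ClockMax || s.ClockMHz < m.L.ClockMin:
		return fmt.Sprintf("clock %.1f MHz out of range", s.ClockMHz), EraseKeys
	case s.VoltageV > m.L.VMax || s.VoltageV < m.L.VMin:
		return fmt.Sprintf("supply %.2f V out of range", s.VoltageV), Shutdown
	case s.TempC > m.L.TMax:
		return fmt.Sprintf("die temperature %.0f C too high", s.TempC), SafeMode
	}
	return "", None
}

// Feed processes sample number i and returns the action to take now, if any.
func (m *Monitor) Feed(i int, s Sample) Action {
	reason, act := m.classify(s)
	if act == None {
		m.bad = 0 // back in range: reset the debounce counter
		return None
	}
	if m.bad++; m.bad < m.Persist {
		return None
	}
	m.Log = append(m.Log, fmt.Sprintf("sample %d: %s -> action %d", i, reason, act))
	return act
}
```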
The bottom line about secure SoCs
SoC security is becoming an increasingly important requirement for the safe and reliable operation of connected devices. As IoT devices play an ever-larger role in our lives, the need to secure them in a comprehensive way will only grow larger. Fortunately, Intrinsix has considerable expertise in this area. We've been implementing secure systems for years. The trick is to consider security requirements on an equal footing with other market-based requirements for the device and design them in from the start.
If you think your next project could benefit from some of the security elements described in this article and you could use a helping hand, consider downloading the eBook titled “Five Criteria for Evaluation of Semiconductor Design Service Providers” as an aid in your process. Reach out to us to have an exploratory discussion about your design and let our experts add some value.
New York Times, 22 Oct 2016, “Hackers Used New Weapons to Disrupt Websites Across The US.”
Richard Wilkins and Toby Nixon, “The Chain of Trust, Keeping Computing Systems More Secure,” UEFI, June 2016.