This is the final article in a four-part series based on the whitepaper by Intrinsic ID that presents an in-depth study of low-cost IoT network attacks and the practical security approaches against them. The first of these articles explores the categories of IoT attacks and their origins. The second goes into the detail of attack surfaces and the mechanisms used to secure the system. The third describes the importance of IoT platform integrity and the components that make up IoT platforms, and highlights the functions of security subsystems at different levels to ensure platform integrity.
Security is vital in the modern industrial and consumer landscape. Not only is it necessary to protect companies from loss of revenue and reputation, but it is crucial if public confidence is to be retained in the future of technology such as IoT.
But while security can be deployed to protect systems once they are up and running, the nature of the technology now being used in the IoT landscape means that even the smallest and most trivial component can be weaponized by a malicious actor before it has even been integrated into a system.
From stealing data to planting malicious code, an attacker can use an integrated circuit (IC) as a Trojan horse, gaining access and putting everything in place while it is still being put together. This is the reason the IC manufacturing lifecycle has become such a crucial battleground between the security gatekeepers and the attackers.
The lifecycle explained
The IC lifecycle consists of four distinct phases: production, manufacturing, in-field, and beyond in-field.
Life cycle stages
The first phase of the lifecycle is IC production, at which point the IC undergoes testing and is embedded into its package. Depending on what it will eventually be used for, this is the stage at which a decision is made about whether to load sensitive or non-sensitive data onto the IC.
System manufacturing is phase two. Known as open or virgin mode, it is at this point that additional programming, debugging and configuration are carried out. The IC manufacturer may supply data such as keys and firmware, which the system manufacturer can now load.
Phase three sees the IC leave the manufacturing plant and it is at this point where the lifecycle moves from ‘open’ to ‘in-field’. The IC is now being used for its intended purpose in industry and any data which was previously provided can now be used. This is an important juncture from a security standpoint because it is where the credentials and keys which have now been loaded on the IC are put into use.
During this phase of the lifecycle, there are various instances where this sensitive data may be used. These are:
- Updates: Updates are critical to device security in-field and ensuring they can be installed successfully is vital. To that end, cryptographic keys are used to enable authentication and encryption for updates. This prevents bad actors from intercepting transmitted updates or installing malicious updates.
- Setup & Pairing: This is where keypairs are used to obtain device certificates. These certificates enable devices to be authenticated to the cloud or to other devices.
- Operation: This is where data that has been generated can be encrypted before it is then transmitted to the cloud or other devices. Sensitive data on a device can also be encrypted at this stage.
Phase four is where the IC moves beyond in-field. In certain circumstances, the device can leave the in-field phase of the lifecycle and return to the open lifecycle or enter a failure analysis phase. These circumstances depend on the product and manufacturer. At this point, firmware data, configuration, and security assets will need to have been erased.
If the IC is entering a failure analysis stage because it is malfunctioning, there are a number of options. It may be rendered useless due to its functionality being disabled. This helps inhibit the ability of an attacker to reconfigure the device. After the sensitive data has been stripped away, the IC can be reloaded with new data which refurbishes it for future use.
Once the hardware is at the end of its working life, all the important data has to be removed. This is once again to prevent an attacker from reconfiguring it.
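The lifecycle rules described above, sketched as a small state machine in C. This is an added example, not code from the whitepaper or from Intrinsic ID; the state names, the `device_t` layout and the choice to allow debug during failure analysis (which is only reachable through a wipe) are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical state names, one per lifecycle phase in the article. */
typedef enum { LC_OPEN, LC_IN_FIELD, LC_FAILURE_ANALYSIS, LC_END_OF_LIFE } lc_state_t;

typedef struct {
    lc_state_t state;
    uint8_t key[16];   /* stands in for keys, firmware and configuration */
    bool provisioned;
} device_t;

/* Volatile writes so the compiler cannot drop the wipe as a dead store. */
static void lc_erase_assets(device_t *d) {
    volatile uint8_t *p = d->key;
    for (size_t i = 0; i < sizeof d->key; i++) p[i] = 0;
    d->provisioned = false;
}

/* Debug: open mode, plus (assumption) failure analysis, entered only via a wipe. */
bool lc_debug_allowed(const device_t *d) {
    return d->state == LC_OPEN || d->state == LC_FAILURE_ANALYSIS;
}

/* Load a key; rejected unless the part is still in open mode. */
int lc_provision(device_t *d, const uint8_t key[16]) {
    if (d->state != LC_OPEN) return -1;
    for (size_t i = 0; i < sizeof d->key; i++) d->key[i] = key[i];
    d->provisioned = true;
    return 0;
}

/* Returns 0 on success, -1 if the transition is not permitted. */
int lc_transition(device_t *d, lc_state_t next) {
    bool ok = false;
    switch (d->state) {
    case LC_OPEN:             ok = (next == LC_IN_FIELD && d->provisioned) || next == LC_END_OF_LIFE; break;
    case LC_IN_FIELD:         ok = next != LC_IN_FIELD; break;
    case LC_FAILURE_ANALYSIS: ok = next == LC_OPEN || next == LC_END_OF_LIFE; break;
    case LC_END_OF_LIFE:      break;   /* terminal: the part cannot be revived */
    }
    if (!ok) return -1;
    /* Leaving in-field or reaching end of life always wipes first. */
    if (d->state == LC_IN_FIELD || next == LC_END_OF_LIFE) lc_erase_assets(d);
    d->state = next;
    return 0;
}
```

Because the wipe happens inside `lc_transition`, no caller can move a part out of the in-field state while its key material is still present.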
Life cycle threats
Each of the IC lifecycle’s four phases provides opportunities for attackers to strike at ICs and IoT devices.
During the first phase, sensitive data may be loaded onto the IC which can be accessed, stolen, or repurposed by an attacker before it is even shipped off to a manufacturer.
Once it arrives at the system manufacturer for phase two and is in open mode, this also presents an opportunity for an attacker, because it is at this stage that the IC accepts requests for programming, debugging, and configuration.
The in-field third phase presents a myriad of opportunities for security threats. IoT devices are extremely vulnerable when they are in the field because malicious actors can more easily gain access to them. IoT devices can be anywhere, so by their very nature, it becomes much simpler for them to fall into the hands of attackers or be accessed by them. It is therefore vital that security is of the highest standard before IoT devices are used in-field.
In phase four, some ICs may not function correctly and will be refurbished or decommissioned. But at this point, they may still hold sensitive data which can be exploited by an attacker. Just because an IC is broken does not mean it no longer has any value to an attacker.
Protecting from attacks during the IC lifecycle
There are multiple effective ways of protecting sensitive data such as keys, firmware, and configuration. This includes providing a security subsystem at the initial IC manufacturing phase of the lifecycle.
Deploying hardened security subsystems is also an effective countermeasure against certain hardware attacks, filling the gap to enable system-level protection that is beyond the confines of software or external components.
Central to effective IoT going forward, hardened security subsystems are embedded in general-purpose microcontrollers and processors. And as part of a wider suite of security precautions, they can protect and manage cryptographic assets, while also providing secure boot and security policy enforcement.
Providing security assurance
Confidence is key if smart technology is to be adopted by industry and society. One survey found that almost a third of consumers were deterred from buying a smart device due to security concerns. Almost two-thirds also said connected devices were ‘creepy’ in the way they collected data.
If confidence is to be established, central to that task is security assurance. This provides a mark of quality that says the organization has adhered to specific security protocols, which enables the end-user to have confidence.
This security assurance is usually provided through external, independent third-party certification. Common Criteria (CC) has traditionally been used to provide security assurances but can be complex and expensive. Newer schemes such as PSA or SESIP are regarded as easier to adopt. They also provide the possibility of composite certification.
Put simply, this means a customer can build on the certification that has already been achieved for the components by their respective suppliers. A mark of quality on top of another mark of quality.
These new ways of doing things not only maximize confidence but reduce time and cost compared to previous methods of providing security assurance.
IoT and smart technology are transforming society, but security concerns, both real and imagined, could provide a real barrier to continued growth.
Central to establishing confidence in the industry and among consumers is the adoption of good security practices during each stage of the IC lifecycle. Measures must be put in place to ensure attackers cannot gain control of data or repurpose devices before they have even left the factory for their intended industry.
One method of protecting against these types of attacks is by putting hardened security subsystems in place. Over the last decade, these types of integrated security subsystems have become more widely adopted and are seen as an effective countermeasure to low-cost hardware as well as software attacks. But it is not enough to simply put these measures in place. There must be third-party verification that these security measures reach the required standards if that trust is to be retained and maintained.
This article is based on the whitepaper titled Preventing a $500 Attack Destroying Your IoT Devices.
About the sponsor: Intrinsic ID
Intrinsic ID is among the world’s leading providers of security IP for embedded systems based on physical unclonable function or PUF technology. The technology provides an additional level of hardware security utilizing the inherent uniqueness in each and every silicon chip. The IP can be delivered in hardware or software and can be applied easily to almost any chip – from tiny microcontrollers to high-performance FPGAs – and at any stage of a product’s lifecycle. It is used as a hardware root of trust to validate payment systems, secure connectivity, authenticate sensors, and protect sensitive government and military data and systems. Intrinsic ID security has been deployed and proven in millions of devices certified by EMVCo, Visa, CC EAL6+, PSA, ioXt, and governments across the globe.
1. The Trust Opportunity: Exploring Consumer Attitudes to the Internet of Things