Channel: Cadence Blogs

Securing the IoT for Billions of Possible Intrusion Points

At the Linley IoT conference a few weeks ago, one of the presentations was by NXP's Donnie Garcia. As in all such presentations, there was some bias towards the best solution being an NXP microprocessor, but most of the presentation was at a higher level, and showed the thought that needs to go into designing a secure MCU for IoT applications. In turn, this is a guide to the questions to ask the supplier of any potential silicon that you are considering using.

The rise of the connected world also creates new vectors for attack. IoT devices are not generally kept in secure facilities, so they are open to physical attack. The costs can be high, since there are harmful repercussions for missing data, or data used beyond how it was intended. The cost is increasing all the time since the general public is no longer forgiving of security breaches. Since security is an arms race, one feature of any solution is to be able to update the firmware (and to do so securely so that firmware updates don't become their own attack vector).

There are obviously attacks possible in the datacenter and the network, but the focus of Donnie's talk was protecting the edge-nodes, the "things" in the IoT. A good first step to security is to consider the different types of attacks:

- Insider attacks: For financial gain, for fraud, revenge, or blackmail
- Midnight attacks: Take place during a small window of time
- Focused attacks: Where time, money, and resources are not a factor

There is also a wide range of possible attackers:

- Outsiders (curious hackers): Intelligent but with limited knowledge of the system, attempting to use existing security weaknesses
- Insiders (professionals and academics): Have deep technical experience and access to tools
- Organizations (crime syndicates, governments): Specialists with significant funding, with access to advanced analysis tools and attacks

The first step to creating a secure IoT solution is trust, ensuring operation only from reliable resources.
This means protection of the code through internal and external memory protection, protection of the debug port, authentication of software updates, authentication of the device identity, and a secure boot process.

For protecting data at rest and data in transit, encryption is the solution. There is a wide range of public algorithms and it is foolish to ignore them and roll your own. However, many algorithms require random numbers, and deterministic ways of generating pseudo-random numbers are a weakness subject to attack (for example, the code inserted in Juniper's routers attacked at this point). So having true random number generation is important (usually implemented by amplifying electronic noise on the chip).

There is a balance between encryption strength and power in a chip, since encryption algorithms are computationally intensive, and the longer the key the more computation is required. This makes having hardware assist important since the power will be a lot less than with a pure software implementation. Or a full encryption slave chip can be used, with dedicated hardware for each algorithm. This will have the lowest power and can be as much as 40 times faster than software, but obviously has limited flexibility.

There are many ways to attack chips, such as decapping the chips, probing, monitoring the power supply and more. Alternatively the chip can be pushed out of spec for voltage, temperature, or frequency. I wrote about the demonstrations of some of these types of attack recently in my post EDPS Cyber Security Workshop: "Anything Beats Attacking the Crypto Directly".

NXP has a security module DryIce that detects tampering and sets the DryIce Tamper Flag (DTF) to 1. For example, if the temperature is below -100°C or above 150°C, the DryIce Temperature Tamper Flag is set. Other flags detect attempts to put the chip into test mode, to breach security on the flash memory, to run the clock out of frequency, to run the chip out of voltage spec, and so on.
Detecting tampering immediately results in erasing the security key (so it cannot be stolen) and can optionally interrupt or reset the chip.

In summary, for edge-node security of an IoT "thing," there are really three big steps:

- During development
  - Plan for security
  - Know the potential attacks and attackers
  - Choose the right MCU
- During use
  - Enable IP protections with chip security and debug port protection
  - Utilize cryptography
  - Enable protection from physical and environmental effects with anti-tamper
- Updates
  - Plan for firmware updates to address security needs
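
The tamper response described above (flag set, key erased, optional reset) can be modelled in software to show the ordering that matters. This is an added example, not code from the talk or from NXP: the flag names, struct layout, voltage and clock limits and the sample key are all hypothetical, and only the temperature limits come from the article.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical flag bits for this model; not NXP's DryIce register layout. */
enum { TAMPER_DTF = 1u << 0, TAMPER_TEMP = 1u << 1,
       TAMPER_VOLT = 1u << 2, TAMPER_CLOCK = 1u << 3 };

typedef struct { int temp_c, mv, khz; } env_sample;

typedef struct {
    uint32_t flags;           /* sticky: only ever set here, never cleared */
    uint8_t  key[16];         /* the secret the monitor protects */
    int      reset_on_tamper; /* optional response, chosen at setup */
    int      reset_requested;
} tamper_model;

/* volatile stores so the compiler cannot drop the wipe as a dead write */
static void zeroize(volatile uint8_t *p, size_t n) { while (n--) *p++ = 0; }

void tamper_model_init(tamper_model *m, int reset_on_tamper)
{
    m->flags = 0;
    m->reset_on_tamper = reset_on_tamper;
    m->reset_requested = 0;
    for (size_t i = 0; i < sizeof m->key; i++)
        m->key[i] = (uint8_t)(0xA0 + i);     /* constructed sample key */
}

int key_is_erased(const tamper_model *m)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof m->key; i++) acc |= m->key[i];
    return acc == 0;
}

/* Temperature limits are the article's; voltage and clock limits are constructed. */
uint32_t tamper_check(tamper_model *m, const env_sample *s)
{
    uint32_t hit = 0;
    if (s->temp_c < -100 || s->temp_c > 150) hit |= TAMPER_TEMP;
    if (s->mv < 1710 || s->mv > 3600)        hit |= TAMPER_VOLT;
    if (s->khz < 30 || s->khz > 35)          hit |= TAMPER_CLOCK;
    if (hit) {
        zeroize(m->key, sizeof m->key);      /* erase before any other response */
        m->flags |= hit | TAMPER_DTF;        /* summary flag plus the cause */
        if (m->reset_on_tamper) m->reset_requested = 1;
    }
    return m->flags;
}
```

Because the flags are sticky, a sample that returns to normal range after an excursion still reports the tamper event, and the key stays erased.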
