
Why Hardware-Based Design Security is Essential for Every Application

By Gregory Guez, Executive Director, Embedded Security, Maxim Integrated

Table of Contents

Abstract
Introduction
Even the Financial Industry Isn’t Foolproof
Smarter Devices Are Even Less Secure
Why Hardware-Based Security Is More Effective
Summary
Learn More
Sources

Abstract

Design security is often an afterthought. But, with the regularity of security breaches impacting an array of industries, it’s now more of an imperative to build security into designs early on. This paper addresses why security can’t be neglected even in the most seemingly innocuous products, and examines why hardware-based security technologies can better protect against vulnerabilities than software-based approaches.

www.maximintegrated.com 1 of 10

Introduction

is costly, but many companies still aren’t considering design security until it’s too late.

In the fall of 2016 a massive outage brought down the likes of Amazon, Twitter, Netflix, and PayPal. The culprit? CCTV video cameras and DVRs hacked by a based on the Mirai strain. Earlier this year, WikiLeaks made headlines when it revealed that it had internal CIA documents showing that it had uncovered a way to access Apple and Android smartphones, Samsung SmartTVs, and internet-enabled cars.

With increasing regularity, we hear stories about everyday products being attacked—products that we assume would be safe. Think baby monitors, based toys, security cameras (ironically), and even medical devices. In some cases, the attacks were conducted by “white hat” (or ethical) hackers, simply to determine if it is possible. In other cases, the breaches stem from more nefarious sources. Hacking was even a major storyline in the most recent U.S. presidential election.

Even baby monitors have been hacked

[Chart: annual IC3 complaint counts, 2010 to 2015. More than 3.4 million Internet crime complaints logged by IC3 since its inception. Source: FBI]

Figure 1. The FBI’s 2015 Internet Crime Report captures public complaints submitted to the bureau’s Internet Crime Complaint Center over Internet-facilitated crimes.

A Juniper Research report estimates that data breaches of traditional computing devices could grow the cost of cybercrime to $2.1 trillion by 2019. The report notes that most of these breaches come from existing IT and network infrastructure.[1] Add to this the growing number of smart, connected devices—particularly products that in sensitive, personal data—and the propensity for havoc and harm grows that much larger and more dangerous. Forrester predicts that 2017 will see a large-scale internet of things (IoT) security . The analyst firm believes that the most vulnerable areas are those that have quickly adopted IoT technologies:

• Fleet management in transportation
• Security and applications in government
• Inventory and warehouse management applications in retail
• Industrial asset management in primary manufacturing

Cybercrime costs could grow to $2.1 trillion by 2019

What’s more, Forrester also notes that hackers will continue to exploit IoT devices to carry out distributed denial of service (DDoS) attacks.[2] The FBI’s Internet Crime Complaint Center (IC3) tracks public complaints about suspected Internet-facilitated criminal activity. According to the bureau’s 2015 Internet Crime Report, IC3 has logged more than 3.4 million complaints since it was formed in May 2000, averaging nearly 300,000 complaints per year over the last five years. Figure 1 tracks complaints received since 2010. The same FBI report also notes the cost associated with Internet-facilitated crimes. Figure 2 provides a breakdown from 2015 (the most recent such report available at the time this white paper was published).

In the face of all of these threats and risks, why is security such an afterthought in so many industries? The simple truth is that, for many companies, security takes a back seat because of the perceived cost and time it adds to the product development cycle. However, neglecting design security comes with even greater costs in terms of lost revenue, brand reputation damage, and even personal harm. What’s more, software-based security approaches do not provide the strongest protection, as many are led to believe. Hardware-based security delivers a much more rock-solid methodology.

Tracked By the FBI (Source: FBI)

$1,070,711,522 Losses Reported
$288,012 Complaints Received
$127,145 Complaints Reporting a Loss
$8,421 Average Dollar Loss for Complaints Reporting a Loss

Figure 2. Internet-facilitated crimes tracked by the FBI’s Internet Crime Complaint Center.

300,000 internet-facilitated crime complaints tracked by the FBI each year

Even the Financial Industry Isn’t Foolproof

The heavily regulated financial industry is subject to various standards, including ISO 27000 series, which recommends best practices for security management within the context of an overall management system; Standard Information Gathering Questionnaire (SIG), managed by the Shared Assessments Program, a third-party risk assessment organization; and the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard designed to reduce credit card fraud. Financial institutions that do not adopt these standards can face significant fines when breaches occur.

Despite these regulations, a 2016 Financial Industry Cybersecurity Report from SecurityScorecard [3] analyzed more than 7000 financial institutions on its platform and identified some alarming findings:

• 75% of the top 20 U.S. commercial banks were infected by malware
• Almost one out of five financial institutions use an email service provider with severe security vulnerabilities
• 95% of the top U.S. commercial banks received a grade of C or below

One noteworthy point is that PCI DSS relies on software-based security. For point-of-sales (POS) financial transactions, hardware-based security is a much more robust approach. The Payment Card Industry (PCI) Security Standards Council maintains, evolves, and promotes security standards for the industry worldwide. The council, founded by major payment products companies, is behind the PIN Transaction Security (PTS) standard, PCI-PTS, which provides for robust, hardware-based security controls for payment systems. These guidelines can help develop an approach to protect against tampering and other physical and data breaches.

Heavily regulated financial industry still vulnerable to attack

Even though the industry has some deficiencies in this area, the cybersecurity report still ranks financial services as well as the information services, technology, and construction industries as top performers based on cybersecurity ratings. Bottom performers include the transportation, energy, non-profit, and food sectors.[4] Indeed, it’s disturbing that the financial industry—although highly regulated and inherently sensitive about its data—is still so vulnerable to attack. Even more worrisome is the fact that most industries do not have such standards to follow, so then it becomes incumbent upon designers themselves to consider security.

Smarter Devices Are Even Less Secure

There are a variety of other industries where security should be a design consideration.

• Industrial is transitioning from previously isolated systems to fully networked systems that could expose equipment to remote attack
• Healthcare comes with , data integrity, and patient safety issues should medical records or equipment and devices fall under attack
• Online banking is at risk because it’s hard to guarantee identity visually
• Retailers with mobile sales channels must ensure safe transactions and communications
• Communications requires end-to-end security to protect against a variety of attacks that could intercept data or bring down systems
• With connected cars, the automotive industry needs to guard against threats such as remote hacking (Remember when white-hat hackers remotely disabled a Jeep on a St. Louis highway in 2015?)
• Infrastructure such as the smart grid or other utilities need to be safeguarded against attacks that could disrupt cities or harm people

Obviously, in an industry like finance, there are clear rewards for perpetrators who are able to, say, break into a credit card system. The risks are great, too, but the potential rewards for someone who’s able to get away with this crime could outweigh the risks. Today, we’re surrounded by a growing amount of smart, connected devices, each with many more potential points of vulnerability than our “dumb” devices have ever had. In some cases, the risk has become smaller because of accessibility. From doorbells and home security systems to medical devices, factory/building control systems, autonomous vehicles, and city infrastructure functions, the array of things that have sensing, connectivity and communications capabilities are anticipated to number 20.8 billion by 2020, according to Gartner [5]. Often valuable data travels from these devices to the cloud and back—and can be intercepted at multiple points along the way.

Smart devices aren’t always smart about security

Unfortunately, many decisions around security come down to budget, often in a misguided manner. The cost of a security breach can be high in terms of dollars as well as reputation and customer confidence. Figure 3 uses consumables as an example to illustrate how much counterfeiting can impact the bottom line. But many companies are still playing their own balancing game, weighing the time, effort, and cost of building in security against the pressure to get to market quickly while keeping development costs down. Plus, for many, security adds zero functionality to a product, so it becomes an unfortunate afterthought. However, as evident in Figure 3, foregoing security can actually be more costly in the end.

Without Security IC
10 Mu Sales @ $10: $100M
Less 15% counterfeit: -$15M
Net Sales: $85M
Product Cost: 10 Mu @ $3: -$30M
Profit: $55M

With Secure Authenticator @ $0.50
10 Mu Sales @ $10: $100M
Less 0% counterfeit: $0M
Net Sales: $100M
Product Cost: 10 Mu @ $3.50: -$35M
Profit: $65M

Figure 3. Security does come with a cost, but so does a loss of revenue, profits, and brand reputation due to counterfeiting.

Why Hardware-Based Security is More Effective

When you’re ready to think seriously about security (and we hope the data points presented in this paper have convinced you), there are hardware- and software-based security approaches to consider. While software is deemed to be cost effective and easy to implement and update, it really is “as strong as the level of security of the operating system of the device. A security flaw in the OS can easily compromise the security provided by the encryption ,” notes infosecurity magazine [6]. Indeed, operating systems (and their patches) are typically so complicated that it’s hard to exhaustively determine all of the potential interactions that could lead to a breach, which leaves the system with potentially many points of vulnerability.

Since hackers are constantly targeting software security tools and network vulnerabilities, a software-based approach can leave designs open to someone trying to gain control of the board or the main microcontroller. In its article, “Hardware-based security more effective against new threat,” ZDNet argues that products would be better protected if hardware-based security is utilized because cybercriminals find it hard to alter the physical layer. The article, citing an RSA spokesperson, further notes that the physical layer eliminates the possibility of malware infiltrating the operating system and penetrating the virtualization layer [7].

Hardware-based security is, indeed, more robust than its software-based counterpart. Establishing a “root of trust” starts with trusted software that stems from a hardware-based approach. The only way to guard against attacks that attempt to breach an electronic device’s hardware is to use a secure microcontroller that executes software from an internal, immutable memory. Stored in the microcontroller’s ROM, this software is considered to be inherently trusted because it can’t be modified (and is, therefore, the root of trust). This “non-modifiable” and trusted software can now be used to verify and authenticate the application software’s signature.[8]
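The boot-time check described above, modeled as an added example (not code from the original paper or from Maxim Integrated): ROM-resident code that holds only a public key verifies the signature over the application image before running it. All names are hypothetical, and the key is a constructed toy RSA key (two Mersenne primes, unpadded signatures) chosen so the sketch runs on the Python standard library alone; a real secure microcontroller would use its crypto engine with a padded RSA or ECDSA scheme.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key pair from two primes: returns (public key, private exponent)."""
    n = p * q
    return (n, e), pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+

# Constructed demo keys built from Mersenne primes; never use such keys for real.
VENDOR_PUB, VENDOR_PRIV = make_key(2**521 - 1, 2**607 - 1)
ROGUE_PUB, ROGUE_PRIV = make_key(2**127 - 1, 2**521 - 1)

def digest_int(image: bytes) -> int:
    """SHA-256 digest of the firmware image as an integer."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def sign_image(image: bytes, pub, priv) -> int:
    """Build-server side: textbook (unpadded) RSA signature over the digest."""
    return pow(digest_int(image), priv, pub[0])

# ---- Below models what is fixed in ROM: verification code + public key ----
ROM_PUBLIC_KEY = VENDOR_PUB  # immutable, so nobody can substitute their own key

def rom_verify(image: bytes, signature: int) -> bool:
    n, e = ROM_PUBLIC_KEY
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_int(image)

def boot(image: bytes, signature: int) -> str:
    """Hand control to the application only if its signature verifies."""
    if rom_verify(image, signature):
        return "BOOT: application authenticated"
    return "HALT: image rejected"

if __name__ == "__main__":
    fw = b"\x7fAPP v1.0 constructed sample firmware"
    good = sign_image(fw, VENDOR_PUB, VENDOR_PRIV)
    print(boot(fw, good))                                   # genuine image
    print(boot(fw.replace(b"v1.0", b"v6.6"), good))         # modified image
    print(boot(fw, sign_image(fw, ROGUE_PUB, ROGUE_PRIV)))  # wrong signer
```

Because the private exponent never leaves the signing host and the verifier plus public key cannot be rewritten, both a modified image and an image signed with another key stop at the halt branch.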

[Figure 4 labels: Requirements; Device Trust; Usage Control/Features Enablement; Secure Boot/Download; Anti-Cloning IP Protection; Firmware Encryption; Certificate Distribution and Verification; Packet Encryption; Secure Communications; Full TLS Support; Encryption]

“Root of trust” with a hardware-based approach provides the strongest security

Figure 4. Mandatory IoT security needs for three key pillars.

Indeed, it makes sense to start at the very base level, where the design is architected, so you can integrate security into that level plus all of the layers that are added on top. With a hardware-based “root of trust” approach that starts from the bottom, you can close off more potential entry points into your design. Plus, some designs—like small sensors that are part of a larger, distributed sensor network—don’t lend themselves to hosting complicated software. Figure 4 highlights the three pillars of IoT security.

Embedded security ICs, such as security managers, secure microcontrollers, and secure authenticators, can ease the process of safeguarding entire systems, from each sensor node to the cloud. Such ICs can provide a turnkey security solution, delivering capabilities and features such as layers of advanced physical security, cryptographic , secure boot, encryption, secure key storage, and generation and verification.

• Security managers that include advanced physical security with on-chip, non-imprinting memory can protect secret/private keys and confidential data from even minor attempts at physical or environmental tampering
• Secure microcontrollers with built-in cryptographic engines and secure boot loader can guard against threats such as intrusions, physical tampering, and
• Secure authenticators can be a cost-effective means to protect IP, prevent cloning, and authenticate peripherals, IoT devices, and endpoints

For fast design prototyping, there are also a number of highly integrated, vetted reference designs available. Good reference designs include more than just the basics, offering resources such as Gerber files, evaluation and development tools, test data, drivers, and bill of materials (BOM). Using a reference design provides an opportunity to thoroughly evaluate the authentication and other security capabilities of the embedded security ICs integrated onto these boards.

Summary

The regular stream of hacking headlines should be evidence enough that design security can’t be overlooked. And when weighing software- versus hardware-based approaches, it’s clear that implementing system safeguards via hardware provides a more robust option. Today’s embedded security ICs can provide an easier, lower cost way to integrate your designs early on with layers of advanced security, support for cryptographic algorithms, tampering detection, and many other protections.

Learn More

Read more about embedded security solutions that can safeguard your next design in our DeepCover® Embedded Security Solutions Selector Guide.

Sources

1. https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion

2. http://www.forbes.com/sites/gilpress/2016/11/01/internet-of-things-iot-2017-predictions-from-forrester/#7d8c5a7a6bb6

5. http://www.gartner.com/newsroom/id/3165317

6. https://www.infosecurity-magazine.com/magazine-features/tales-crypt-hardware-software/

7. http://www.zdnet.com/article/hardware-based-security-more-effective-against-new-threats/

8. http://www.embedded.com/design/safety-and-security/4438300/Securing-the-IoT--Part-2---Secure-boot-as-root-of-trust-

For more information, visit: www.maximintegrated.com

© 2017 Maxim Integrated Products, Inc. All rights reserved. Maxim Integrated and the Maxim Integrated logo are trademarks of Maxim Integrated Products, Inc., in the United States and other jurisdictions throughout the world. All other company names may be trade names or trademarks of their respective owners.
