Whilst such connectivity has certainly introduced a wealth of benefits, it has also exposed us all to significant cyber risk. The malicious computer worm, Stuxnet, that was initially created to sabotage Iran’s uranium enrichment facilities in 2009 is among the most notorious examples of an IoT attack at work. Over a decade later, we witnessed a hack on video surveillance service, Verkada, which exposed live feeds from over 150,000 cameras across schools, prisons and other sites. What’s more, the FBI issued a warning in September this year about unpatched medical devices running on outdated software and devices, which could bring hospitals to a standstill, stall life-saving treatments and put patient confidentiality at risk. Alarmingly, these examples only just scratch the surface of the far-reaching and catastrophic consequences of IoT insecurity.
On that basis, there is no denying the urgency among organisations to invest in building robust security strategies, and many programmes are already underway. Unfortunately, much of these efforts have been directed towards software, whilst hardware security appears to have slipped off the list of priorities. The fact of the matter is, bolstering one’s cybersecurity requires a two-pronged approach where both software and hardware are addressed. Software may be responsible for telling hardware what to do, but if the hardware fails to do as it’s instructed or is easily manipulated, then we have a serious issue, especially when it comes to national critical infrastructure.
Digital Security by Design (DSbD) is well-aware of this predicament, and it is why it has, along with Digital Catapult, hosted a panel discussion delving into this very subject at the Hardware Pioneers Max 2022 conference in London. Chaired by Lead Engineer of IoT at Digital Catapult, Dr. Ramona Marfievici, the discussion brings together representatives from academia, the manufacturing industry and a start-up focused on building IoT solutions, to explore the current state of hardware security, the pressing threats that organisations face from a hardware perspective and the approaches to secure it. Richard Gonzalez, Director at Sensor IT, Dr. Anna Maria Mandalari, Assistant Professor at University College London, and Ian Pearson, Principle Embedded Solutions Engineer at Microchip Technology Inc. share their thoughts at the annual gathering for product innovators in IoT and electronics. What follows is a brief overview of their conversation.
The Hardware Security Threat
There are certainly a whole host of cyber threats introduced due to the lack of privacy controls, and the continued presence of software vulnerabilities, but what about ensuring that a remote device boots correctly or that the cryptography key’s lifecycle is properly managed? Some of the most concerning threats are those that are embedded into a device’s design. Unlike software vulnerabilities which can be patched remotely, hardware flaws are much harder and more costly to rectify as they physically need to be replaced. Dr. Mandalari shares that this problem is especially acute in the consumer space, where the vast majority of devices on the market have been produced by the same manufacturer and are riddled with vulnerabilities. Following an analysis of over 250 devices, she discovered that “different brands use the same white labelled hardware” that often fail to incorporate security measures. She cites the example of smart cameras which send videos over the internet unencrypted, as well as devices that would activate upon motion, even though consumers had opted out of this function via the app.
Pearson adds that there is also a wealth of low-cost tools available now to malicious actors, “to peel back hardware layers, peel back hardware security and get to the secrets of the device”; plus, these actors have an “infinite amount of time to do so, because you don’t know they’ve opened your box”. Organisations need to be aware of this and recognise that it is no longer appropriate to create devices at the lowest cost possible; rather, robustness and fitness for purpose must be top of mind.
In short, when a piece of hardware is deployed, we need it to be future resilient. So, what should be done?
Towards Future Resilient Hardware
One method is to adopt what Gonzalez calls the “doorless house approach”, where a device only engages in one-way communication, the hardware itself is completely opaque and difficult to physically access. As Gonzalez explains, “the only way of ensuring that your house is not robbed is by not having any doors”. Yet, this tactic is limited in its use-cases. While it may work well for devices with uplink communication only, it simply is not feasible for devices which require user interaction; thus, most IoT devices.
Instead, there are two key areas the industry must develop: regulation and embedding security into hardware design.
Gonzalez compares the state of today’s hardware security to the car industry forty years ago, where each company had a different means of tackling the safety and security of cars. There was no framework to ensure all companies met certain standards, nor certifications to prove their compliance. IoT is still in this state of lawlessness, though we are slowly seeing change on this front, with the introduction of NIST, EU Cyber Direct and Europe’s imminent Cyber Security Act. Nevertheless, we still have some ways to go in its maturity. Indeed, we continue to face a myriad of unanswered questions. Dr. Mandalari asks: How do we verify that an organisation’s devices are complying with the standards as claimed by a certificate? What metrics do we use to measure this? Who determines this? To complicate things further, Pearson highlights that the level of testing and certification may also differ depending on the device. A temperature sensor at home, for example, may have lower standards compared to an industrial control system. All of these areas remain unclear and must be ironed out in legislation moving forwards.
Next, is ensuring that we are more secure from the get-go. The way most people understand this today is by ‘shifting left’, or incorporating security into software development from the beginning and throughout its lifecycle. This is important but it is also subject to numerous challenges; whether that is ensuring resources are provided to building strong development and security teams, establishing clear lines of communication between them or that testing methods work as they should. There are many factors from cost and lack of expertise to human error that could jeopardise the security process. So, what if we took it a step further and turned hardware itself into a safety net?
Turning Hardware Itself into our Security Net
In view of the significant shortcomings of today’s approach to IoT cybersecurity, it became clear to the panel that government leadership is required to correct its current trajectory. The UKRI Digital Security by Design initiative is offered as this vital intervention. The product of a collaboration between the UK government, the University of Cambridge, Arm and other industry leaders, the initiative has given rise to prototype CHERI extensions in an Arm processor. This new hardware technology is being made available for evaluation through the Arm Morello Board to see how it combats the most prominent software security issue: memory safety vulnerabilities. It does so by limiting the capabilities of pointers which indicate where data is stored in memory; including which functionalities can be used to access that data, and what range of data it can retrieve. In other words, CHERI and the Morello Board provides hardware support capabilities that can be used for fine-grained memory protection and scalable software compartmentalisation. Equally important, the processor cannot be manipulated by software once fixed into silicon. Though this technology continues to be refined, if there’s anything we know for sure, it’s that the role of hardware security, under the wider cybersecurity umbrella, should not be neglected. Indeed, by tackling software at the hardware level, we may even find ourselves with a powerful tool that keeps us from pursuing a wild goose chase to implement security patches.
Organisations interested in testing out this new technology can do so by applying to Digital Security by Design through the Technology Access Programme (TAP). The Programme has already welcomed 30 UK-based companies, each of whom have been given the opportunity to experiment with the Morello Board and for those with less than 250 employees, receive £15,000 in funding. The next opportunity to apply is on the 11th of January 2023; successful companies will then be onboarded in Spring 2023.
Videos from the panel session are available on the DSbD YouTube channel: