Embedded Security-as-a-Service to Prevent the Next Big Botnet Attack – Technologist
By: Yoni Kahana, VP Customers, NanoLock Security
In recent years, dramatic attacks, from the Mirai botnet attack of 2016 to Intel Spoiler in 2019, exposed the vulnerability of the processors in electronic systems and undermined commonly held assumptions about the security of the processor and about leveraging it as the root of trust in the system.
In embedded endpoint devices, today’s software security solutions are limited in scope. They either disrupt the main functionality, by demanding processing power and requiring the integration of security features that conflict with the functional requirements, or fail to provide an adequate level of security, so that the software can be undermined by lower-level software that breaks through the security measures.
The question is, as the IoT continues to expand and permeate new industries, where should we put our trust when it comes to security in electronic systems and what is the tradeoff? And what are the opportunities for new solutions that better address the needs of edge and embedded devices?
The role of the processor
Electronic systems control our world and surround us. From today’s modern automobiles that feature dozens of Electronic Control Units (ECUs), to industrial Programmable Logic Controllers (PLCs) responsible for manufacturing most of the products we consume, to the electronic modules in our homes (e.g. routers), electronics are the backbone of our increasingly connected lives.
All modern electronic systems include two main building blocks: the processor responsible for executing the state machine and the system software that eventually brings the functionality that users expect. This software, stored on the persistent memory (Non-Volatile Memory – NVRAM, or flash), survives when the power is off and is loaded to the processor and the RAM during boot time.
Because electronic systems are interconnected and rely on software that is installed on their CPUs and reachable online, hackers and cyber-criminals have more opportunity to cause disruption. To prevent these types of attacks, security solutions have been integrated directly into electronic systems.
As car hacking, camera attacks like the Mirai botnet attack in 2016, and attacks via the router like VPNFilter show, this trend and the resulting risk will continue to increase as more devices join the network.
Once adversaries can modify the state machine or the system software, they can change the functionality of the system. These changes can create critical or safety issues depending on the system, expose sensitive data that should be protected, allow access to an unauthorized party and much more. And in order to get access, the adversary requires a way to manipulate the software that resides in the NVRAM.
Modern processors have security features that are meant to provide security layers which include secure boot, memory protection, different privileges to software processes, encryption, trusted execution environment and more. Generally speaking, these features are used to prevent adversaries from gaining access to and taking control of the system – these features are intended to prevent the modification of the original state machine, which controls the functionality of the system.
Therefore, the security of the processor is key to ensuring larger network and device security.
The limitations of the security that the processor can provide
The aforementioned processor security features rely on the creation of different levels of trust. However, since the processor needs to support many different software designs and functionalities, the processor and the security features controlled by the software must also be protected by the processor.
This is a paradox: different software layers give different control privileges to the processor, and attacks like denial of service (DoS) reveal that opportunities for attack lie within those layers. A DoS attack can be easy to execute: modifying a single bit of the “secured software” causes signature validation to fail and halts the secure boot process. These types of attacks can even “brick” the device, or force it into recovery mode, which can then be attacked in the same manner.
Recent attacks like Meltdown/Spectre also demonstrated that, because of the tradeoff between functionality and security, processor security features can sometimes be compromised at the processor level.
Nowadays, the management of end devices is critical for commercial systems, and it is often assumed that software updates will be required for feature updates and security patches. But once the software on the processor is no longer trusted, the management of the electronic system cannot be trusted either, and the software update mechanism can no longer be secured, because the compromised endpoint itself is no longer trusted. This creates a major problem for the deployment of commercial IoT systems.
Additionally, these processor-based security features require additional resources in the form of additional silicon or additional firmware code, which increases the cost for companies that must purchase or upgrade to processors that can adequately support the security features. The increase may be insignificant in some high-end applications that are less sensitive to cost, but it affects low-cost applications that can’t afford bill of materials (BoM) increases.
So, how can companies ensure that their IoT devices on the network remain secure?
New solutions for more secure IoT devices
An innovative approach to IoT security is to protect the device’s flash, even from the processor and the software that is running on it. Creating a root of trust in the secure flash that blocks write operations to the protected memory facilitates a secure channel all the way from cloud to the flash, making it impossible for attackers to alter the firmware with any malicious code. This approach is agnostic to the processor and any software that is running on the device and avoids any latency in boot time or run time.
And since the solution has moved from the processor side to the flash side, this approach, agnostic of the processor and the OS, means that there is no need for additional cost resources on the processor side. Therefore, ironclad security can be achieved with low-power, low-cost processors, creating a more palatable cybersecurity solution for IoT manufacturers and IT management.
One may assume that this cost burden would then shift to the flash side. However, because preventing writes to a memory area is much simpler in the flash itself, the increase is insignificant compared to the cost (in performance and price) on the processor side.
When implemented properly on the flash side, preventing unauthorized modification of the software has no performance impact, which eliminates the trade-off between security and functionality. This makes it possible to embrace security solutions in end devices that until today couldn’t support that balance, such as ECUs in cars, PLCs in industrial solutions, routers, cameras and other IoT devices.
Of course, today’s IoT devices require updates. By protecting the flash, we create a secure channel between the device’s flash all the way to the cloud that neither the network nor the software and processor within the device can breach, thereby extending the trust beyond cloud-to-processor to cloud-to-flash.
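The contrast drawn above, between processor-side secure boot that only detects a modified image and flash-side write protection that refuses the write, can be modelled in a few lines of Python. This is an added example, not code from the article or from NanoLock; the HMAC-SHA256 command authentication, the shared key, the monotonic counter, the digest-based boot check and all names are assumptions made for illustration, since the article does not specify the mechanism.

```python
import hashlib
import hmac

# Constructed sample values; key provisioning between cloud and flash is assumed.
FLASH_KEY = b"constructed-demo-key"
FIRMWARE_V1 = b"firmware image v1 (constructed sample)"
TRUSTED_DIGEST = hashlib.sha256(FIRMWARE_V1).digest()

class PlainFlash:
    """Ordinary flash: any software running on the processor can rewrite it."""
    def __init__(self, image):
        self.image = bytearray(image)

    def write(self, offset, data):
        self.image[offset:offset + len(data)] = data
        return True

def sign_write(key, offset, data, counter):
    """Cloud side: authenticate one write command (offset, counter, data)."""
    msg = offset.to_bytes(4, "big") + counter.to_bytes(8, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()

class GatedFlash(PlainFlash):
    """Flash that commits a write only if it carries a valid, fresh MAC."""
    def __init__(self, image, key):
        super().__init__(image)
        self._key = key
        self._counter = 0  # monotonic counter: replayed commands are refused

    def write(self, offset, data, counter=0, tag=b""):
        if counter <= self._counter:
            return False  # stale or missing counter
        expected = sign_write(self._key, offset, data, counter)
        if not hmac.compare_digest(expected, tag):
            return False  # refused inside the flash; image is unchanged
        self._counter = counter
        return super().write(offset, data)

def secure_boot_ok(flash):
    """Processor-side check: detects a modified image, cannot prevent it."""
    digest = hashlib.sha256(flash.image).digest()
    return hmac.compare_digest(digest, TRUSTED_DIGEST)

def flip_one_bit(flash):
    """Model the one-bit change from the text as an unauthenticated write."""
    return flash.write(0, bytes([flash.image[0] ^ 0x01]))
```

On the plain flash the one-bit write succeeds and the boot check then fails, which is the bricking scenario; on the gated flash the same write is refused and the device still boots, while a write signed by the key holder is accepted exactly once.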
What’s next?
The cloud-to-flash approach goes beyond purely hardware/software security and protection. This shift enables new opportunities and revenue engines for various vertical markets embracing IoT.
The value of this new approach reaches beyond a technology paradigm change. It also changes the commercial view of security and management and opens the door to deriving revenue from security in IoT.
About the Author:
Yoni Kahana is VP, Customers, for Israel-based IoT cybersecurity management startup NanoLock Security and a 20+ year cybersecurity industry veteran for Fortune 500 companies like General Motors and Qualcomm. NanoLock’s edge device management and protection platform uses a cloud-to-flash protection approach that configures the mechanism for secure updates and trustworthy management – essential for deployments of IoT devices in crucial applications in emerging tech such as smart cities, autonomous vehicles, industrial, telecoms and others.