Skip to Main Content

Strategic Business Insights (SBI) logo

Internet of Things August 2020 Viewpoints

Technology Analyst: David Strachan-Olson

Improving Hardware Security

Why is this topic significant?

Many cybersecurity vulnerabilities arise at the hardware level. DARPA's SSITH program hopes to improve the security of electronics devices by addressing hardware vulnerabilities.

Description

The Defense Advanced Research Projects Agency's (DARPA) System Security Integrated Through Hardware and Firmware (SSITH) program aims to improve the security of electronic devices by addressing vulnerabilities at the hardware level. Rather than "fixing" hardware vulnerabilities at the operating-system (OS) or software levels with patches, SSITH hopes to identify and correct security vulnerabilities in hardware and firmware designs. DARPA is challenging six teams to develop 15 secure microprocessors of three different types: 32 bit, 64 bit, and 64 bit with out-of-order execution. The teams will take open RISC-V microprocessor designs implemented on field-programmable gate arrays and attempt to improve their security by applying a number of novel approaches in hardware and firmware—including metadata tagging, secure enclaves, novel cryptography, and machine learning.

After the teams complete initial processor designs, DARPA will coordinate a crowdsourced red-team approach (offensive cybersecurity professionals that find weaknesses in systems) to test and analyze the SSITH technology. DARPA will offer a bug-bounty program—Finding Exploits to Thwart Tampering—run in partnership with the Department of Defense's Defense Digital Service and Synack (a crowdsourced security company). DARPA will also take the designs to a variety of cybersecurity conferences and academic institutions to encourage experts to attempt to attack SSITH designs. In 2019, DARPA took a 32-bit-microprocessor design packaged in a voting ballot box to the DEF CON hacking conference to raise awareness about the program and to encourage the hacker community to find vulnerabilities.

Implications

The SSITH program aims to help alleviate the software "patch and pray" model of cybersecurity. A single hardware or low-level firmware issue can create a vulnerability that hackers can exploit through numerous ways at the OS and software levels. Patching one vulnerability at the software level might prevent a single exploit, but another software vulnerability could take advantage of the same underlying hardware vulnerability. Improving security at the hardware level will not eliminate vulnerabilities at the OS and software levels but could eliminate a large number of potential attacks. According to Linton Salmon, program manager for the SSITH program, seven classes of hardware vulnerabilities were responsible for 43% of the common vulnerabilities and exposures identified in 2015.

Impacts/Disruptions

The Meltdown and Spectre vulnerabilities disclosed in 2018 raised awareness about the fundamental security issues at the hardware and firmware levels of modern microprocessors. The goal of the SSITH program is not to design processors for a single defense application but instead to develop ideas and design tools that will enable system-on-chip designers to safeguard hardware against hardware vulnerabilities. Such tools could help improve the security of all electronic devices, ranging from smartphones and IoT devices to high-performance processors in supercomputers. The SSITH program is also a strong sign of legitimacy for the open RISC-V instruction set architecture. "RISC-V: An Arm Alternative?" in the November 2018 Viewpoints highlights the emergence of RISC-V and its potential applications in IoT devices.

Scale of Impact

  • Low
  • Medium
  • High
The scale of impact for this topic is: High

Time of Impact

  • Now
  • 5 Years
  • 10 Years
  • 15 Years
The time of impact for this topic is: 5 Years to 10 Years

Opportunities in the following industry areas:

IoT device supply, portable electronics manufacturing, high-performance computing, embedded device manufacturing, SoC design software development

Relevant to the following Explorer Technology Areas:

Big Picture: Cybersecurity of IoT Devices

Why is this topic significant?

IoT devices present a number of cybersecurity challenges and issues for stakeholders to consider.

Cybersecurity is an ever-changing challenge for IoT-system designers and operators. In consumer applications, companies want to protect users' private data and to prevent attackers from tampering with or disabling user devices. In enterprise applications, attackers can use IoT devices as entry points for advanced attacks on private networks that could compromise other devices and data. Networked cyberphysical systems require extensive security measures because attacks against such systems could cause major damage (for example, in the case of factories and smart grids). In addition, companies may want to protect data within even mundane sensor networks because the data themselves could have significant value.

The IoT presents novel challenges for all device makers but particularly for manufacturers that are developing connected systems for the first time. Such manufacturers often lack expertise in cybersecurity but nevertheless seek to create high-value products that have connectivity and remote capabilities. Software vulnerabilities in IoT devices can leave them open to attacks, and the most effective means of protecting devices is for companies to provide software updates that patch vulnerabilities as they come to light. However, the economics of providing ongoing software support for a device's entire lifetime are greater than the costs of simply manufacturing an IoT device. Many manufacturers choose not to prioritize cybersecurity and offer either minimal or no ongoing cybersecurity updates.

Huge numbers of connected devices with poor cybersecurity practices have led to and will continue to lead to the proliferation and weaponization of botnets. Weak cybersecurity practices on IoT devices can make it easy for hackers to access and take control of devices, cultivating huge clandestine networks for use in distributed-denial-of-service attacks, malicious-software distribution, and other cyberattacks against individuals, companies, and governments. A notable example is the Mirai botnet that attacked domain-name-system provider Dyn in October 2016. The automated malware recruited consumer devices, such as internet-protocol cameras and routers, into the botnet by exploiting default usernames and passwords. The ease of creating botnets and the availability of botnets for hire will likely increase the frequency and potency of distributed cyberattacks in the future.

Some governments are beginning to develop laws to hold IoT-device makers more accountable for the security of their devices. For example, California has a law that requires manufacturers that sell devices that connect directly or indirectly to the internet to equip devices with "reasonable" security features to prevent unauthorized access. One of the only concrete aspects of this law is a requirement to eliminate default credentials and passwords for devices. Although some cybersecurity researchers and experts have criticized California's cybersecurity law for being too vague and not far-reaching enough, other cybersecurity researchers see its enactment as a good first step toward addressing a difficult and ever-changing issue.

Although cybersecurity presents many challenges for companies, it also provides a number of opportunities for companies to offer software and services to help device manufacturers develop and maintain device security. Cybersecurity companies can develop software programs, tools, and plug-ins that enable companies to implement their own cybersecurity practices and to discover vulnerabilities. Service opportunities include security consulting, penetration testing, and cybersecurity forensics.

Scale of Impact

  • Low
  • Medium
  • High
The scale of impact for this topic is: Medium to High

Time of Impact

  • Now
  • 5 Years
  • 10 Years
  • 15 Years
The time of impact for this topic is: Now to 10 Years

Opportunities in the following industry areas:

IoT device supply, cybersecurity, network security, IT, enterprise IoT, smart cities, connected infrastructures, connected homes, compliance and verification services

Relevant to the following Explorer Technology Areas: