Embedded systems are often thought of as hidden within an industrial, communications or networking system, which is well below the radar of most hackers. Unfortunately, this complacency has left embedded systems open to a new wave of attacks by hackers looking to copy your designs, steal your proprietary design knowledge (Intellectual Property, or IP), or even to use your embedded system as an access point to capture confidential information from your company or your customers.
Cyberattacks are clearly on the rise. Recent attacks against U.S. companies and government agencies have prompted the creation of new agencies to combat growing cyberthreats. The growing number of attacks executed on industrial installations, such as the energy grid, has also prompted government warnings. If an unprotected (or easily compromised) embedded system can allow attackers to access the wider network, you can only imagine the potential damage that might result.
Fortunately, there are some countermeasures you can include on your embedded system that can dramatically improve the ability of your system to withstand even the most aggressive attempts to compromise your design. All of these techniques require that at least some of the hardware in your design be trustworthy and protected from modification by unauthorized access. This trusted platform module (TPM) can be used to extend the zone of trust to other portions of the design to ensure they are not compromised. The TPM does this by authenticating and authorizing transmissions to and from the system using known standards for encryption, decryption and authentication.
The TPM must also be secure from attacks against the hardware itself. Often, hackers will simply purchase a system (or steal one) and then use known reverse engineering techniques to find flaws and weaknesses in your design. These can be exploited to create attacks against other systems installed in the field. With network access a pervasive feature of most embedded systems, it can be very easy to access a system remotely and gain access via reverse engineered weaknesses. Often, embedded systems also use the network to load bug fixes and remote updates. Hackers can also use this capability to install their own code onto an embedded system, allowing them to watch all the traffic in and out of the system. Code installed at the root of the system (a root ‘kit’ in hacker terms) is almost impossible to detect and remove since it can control (and modify the results of) any update or detection commands.
During the reverse engineering process, the hacker will typically gain enough information to duplicate or clone your system. They can sell this information to unscrupulous contract manufacturers who can build low cost competitive products (after all, you did the expensive development work—they only need to cover their manufacturing costs). They can also determine how your key algorithms are implemented and sell that information to a competitor, eliminating a technology lead at a bargain price.
How to Protect Your Embedded System from Hacking
There are several techniques you can employ to protect your embedded system. The first technique involves protecting your hardware from tampering and attempts to reverse engineer your design. Tamper protection can involve complex systems for covering your design with a tamper resistant enclosure, but these approaches are perhaps too expensive and require too much space for the majority of your designs. An alternative is to add some tamper detection circuitry to your board so that the hardware can determine when external probing and board modifications are being made.
The most common hardware attacks (a specific attack method is typically called an attack ‘vector’ in hacking jargon) require cutting traces on the printed circuit board (PCB) to gain access to critical system resources. Being able to control a device’s clock and reset signal while controlling the system bus (injecting data and capturing the response), for example, can make it easy to control the device during start-up and to ‘watch’ what happens during critical phases. By periodically forcing ‘jumps’, code can even be copied as it is read out of memory and eventually a complete memory map is determined. If a hacker can separate critical components from the rest of the system, they can learn everything they need to know to reverse engineer its operation.
One easy trick to detect attacks on your PCB is to add extra signals from one MCU output port to an input port. These signals can snake around the board and can be placed over and under critical signals a hacker might attempt to gain access to. Any attempt to cut the board to access these signals will break a tamper detection signal and will alert the hardware that an attack is underway. The hardware can respond with a variety of countermeasures from resetting the system to erasing critical information such as code or passwords.
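The loopback check described above, sketched in C as an added example (not code from the original article or from any vendor). The port access functions, the simulated 8-trace mesh, the pull-down behaviour of a cut trace and the sample key are assumptions made so the code runs on a host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simulated tamper mesh (assumption): on real hardware mesh_write() and
   mesh_read() would access the MCU's output and input port registers. */
static uint8_t mesh_intact_mask = 0xFF;  /* bit n = 1: loop trace n unbroken */
static uint8_t out_latch;
static void mesh_write(uint8_t v) { out_latch = v; }
/* A cut trace is modelled as reading 0 (input pin with a pull-down). */
static uint8_t mesh_read(void) { return out_latch & mesh_intact_mask; }

/* Constructed sample secret standing in for stored key material. */
static uint8_t secret_key[16] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
static int tamper_latched;               /* sticky: stays set once tripped */

/* volatile pointer keeps the compiler from optimising the wipe away */
static void zeroize(volatile uint8_t *p, size_t n) { while (n--) *p++ = 0; }

int key_is_zero(void) {
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof secret_key; i++) acc |= secret_key[i];
    return acc == 0;
}

/* Poll the loop; returns 1 if tampering has ever been detected. */
int tamper_poll(void) {
    static uint8_t lfsr = 0xA5;
    /* 8-bit Galois LFSR step so the driven pattern differs on every poll */
    lfsr = (uint8_t)((lfsr >> 1) ^ (-(lfsr & 1u) & 0xB8u));
    /* Drive the pattern and its complement: every trace is checked at both
       levels, so a line stuck high or low fails one of the two reads. */
    const uint8_t pat[2] = { lfsr, (uint8_t)~lfsr };
    for (int i = 0; i < 2; i++) {
        mesh_write(pat[i]);
        if (mesh_read() != pat[i]) {     /* loop broken: latch and erase */
            tamper_latched = 1;
            zeroize(secret_key, sizeof secret_key);
        }
    }
    return tamper_latched;
}

int main(void) {
    int t = tamper_poll();
    printf("intact: tamper=%d key_wiped=%d\n", t, key_is_zero());
    mesh_intact_mask = 0xF7;             /* simulate trace 3 being cut */
    t = tamper_poll();
    printf("cut:    tamper=%d key_wiped=%d\n", t, key_is_zero());
    return 0;
}
```

The latch is deliberately sticky, so reconnecting the trace after the event does not clear the tamper state or bring the erased key back.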
Creating a TPM is the next step in protecting your design. A TPM must be able to securely store cryptographic passwords used in common security algorithms (such as the Advanced Encryption Standard or AES, the Data Encryption Standard or DES and triple DES or TDES), implement common cryptographic functions and have tamper protection for both on-chip and off-chip resources. (Some good background information on cryptographic standards and functions is available from the National Institute of Standards and Technology or NIST.) The TPM should usually be a single chip to make sure secret information does not ‘leak’ between multiple chip implementations.
One good example of a device that can implement robust TPMs is the Microsemi SmartFusion2 SoC (System on Chip) FPGA (Field Programmable Gate Array). Other types of devices (such as MCUs and ASSPs) can implement TPMs, but a SoC FPGA offers a unique combination of fixed function hardware and programmable logic to make customization much simpler. The Microsemi SmartFusion2 SoC FPGA uses Flash memory for configuration so it can implement a single device TPM. On-chip Flash also makes it convenient to store code and cryptographic passwords on chip. SmartFusion2 devices are password-protected even during the initial programming stage to make them secure from attempts to acquire programming information from which to make device copies.
The figure on the right shows a simplified model of the SmartFusion2 security system. Notice the wide variety of cryptographic functions supported next to the security controller. The device also includes a Physically Unclonable Function (PUF) that creates a password based on device-to-device microscopic manufacturing differences at the transistor level. This is one of the most robust approaches to password generation for cryptographic functions and is one of the best options for protecting your design from hacking attacks. Passwords (or ‘Keys’ in cryptographic speak) must be protected while stored on the TPM, and SmartFusion2 SoC FPGAs provide several advanced approaches for key storage and management, both for ‘factory’ keys used to initialize devices securely and ‘user’ keys that can be used to further secure the embedded application. For more information on the SmartFusion2 security system, this white paper contains a wealth of details.
The features available on the SmartFusion2 SoC FPGA provide good examples of the capabilities you should look for on other possible TPM implementations—perhaps a different SoC FPGA, MCU, or an ASSP. Whatever device you implement your secure TPM with, remember that you want to start with a solid, tamper resistant PCB and tamper detection capabilities. Once you have a solid hardware starting point, you can add advanced cryptographic functions, password/key protection and management, on-chip non-volatile storage and cryptographically secure programming of any on-chip code and data to the TPM to prevent simple cloning of your design. Using these capabilities will help you resist even the most aggressive attacks.
Your embedded system will be under assault by a variety of hacking techniques if it is a successful product. Perhaps attackers will just want to duplicate your design, or maybe they will also want to reverse engineer and steal your design and the underlying algorithms you use to create a competitive advantage. They may even attack your system remotely to steal confidential information from your company or your customers. You should be prepared by using a suite of anti-hacking techniques appropriate for your design to thwart these types of attacks. Otherwise, your company will be open to a potential disaster.