Mil/aero can learn a lot from the consumer market about security risks like side-channel attacks, glitching, and security key management.
There was a time, during the height of the Cold War, that the best, most advanced technology was reserved for the military. Spy satellites imaged objects the size of a quarter from orbit; meanwhile, we all thought our self-developing Polaroid Land cameras were pretty neat. Fast-forward to the present. Military technology is still highly advanced, but in a number ways the sector finds itself outpaced by the nimbleness of commercial electronics. Consumer design teams work within constraints of price, size, and power consumption, but they can go from design to production in a matter of months. They design products for life cycles of years rather than decades, and with easier operating conditions, they can push the technology to the limit.
Commercial designers do face challenges of their own, however. Their products may not have to survive hundred-degree temperature swings or hundreds of g’s of acceleration, but they do have to ward off sophisticated and merciless attacks by counterfeiters trying to access their designs or by pirate organizations looking to circumvent the security constraints of a product such as a pay-TV box. As the technology worlds of military and consumer electronics increasingly overlap, embedded designers working on military applications should expect to find themselves facing some of the same attack modes. In other words, this is an area where there's a lot to learn from the commercial market, as I discovered recently when I spoke with Ben Jun, VP and CTO of security specialist Cryptography Research Inc. (San Francisco, CA).
“There are a lot of attacks that take place commercially that the military guys need to be worried about,” he said. Indeed, developers need to consider some of the ways commercial systems have tackled and solved, or failed to solve, these same problems. “In many cases, the commercial world has much better feedback [than the mil/aero community] on what attacks actually occur because it has a shorter product cycle. So we can use the commercial environment as a learning bed, if you will, for what should go into military and aerospace systems.”
The mil/aero community excels not just at technology but at specialized capabilities like product definition, lifecycle management, supply continuity, and ultrahigh reliability. In some ways, the unique requirements of the market put this group at the forefront of security design, but those same requirements can also cut it off from the general security techniques already well known in the commercial space.
Take side-channel attacks, which we’ve touched on lately in a couple of articles. As we learned in freshman E&M, current flowing in a wire creates a magnetic field, and magnetic field variations create an electric field. That means that when an embedded system is booting up and loading a security key, an eavesdropper using an antenna or coil to monitor the signal generated can extract the key and break into the system.
“It’s a scary vulnerability because it’s non-invasive, it does not involve making modifications to the device, and the expertise to perform the attack is actually very, very well-known worldwide,” says Jun. “And that is not often known in the United States.”
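An added example, not code from the article or from Cryptography Research: a C simulation of the leakage described above, using the standard assumption that each measured power/EM sample is proportional to the Hamming weight of the byte on the bus, plus noise. It shows the check a designer can run with a known key, correlating the observed samples against the key-dependent value, and that splitting the key into random shares (Boolean masking) before it is loaded removes the first-order correlation; the PRNG, noise level and trace count are constructed for the example.

```c
#include <stdint.h>
#define TRACES 2000

/* Deterministic xorshift32 PRNG so the simulation is repeatable. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rng(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Hamming weight of a byte: the number of bus lines driven high. */
static int hw(uint8_t v) { int c = 0; for (; v; v >>= 1) c += v & 1; return c; }

/* Leakage model (an assumption of this example): each measured power/EM
   sample is the Hamming weight of the byte on the bus plus noise in [-1, 1). */
static double leak(uint8_t v) { return hw(v) + (rng() % 2000) / 1000.0 - 1.0; }

/* Squared Pearson correlation: the fraction of the observed variance that
   is explained by the hypothesis. */
static double corr_sq(const double *x, const double *y, int n) {
    double mx = 0, my = 0, sxy = 0, sxx = 0, syy = 0;
    for (int i = 0; i < n; i++) { mx += x[i]; my += y[i]; }
    mx /= n; my /= n;
    for (int i = 0; i < n; i++) {
        sxy += (x[i] - mx) * (y[i] - my);
        sxx += (x[i] - mx) * (x[i] - mx);
        syy += (y[i] - my) * (y[i] - my);
    }
    return sxy * sxy / (sxx * syy);
}

/* Known-key leakage assessment: correlate the samples with the Hamming
   weight of the key-dependent value (key ^ data) the device forms for each
   input byte. Near 1 = key exposed through a first-order side channel. */
double assess_leakage(uint8_t key, int masked) {
    double hyp[TRACES], obs[TRACES];
    for (int i = 0; i < TRACES; i++) {
        uint8_t d = (uint8_t)rng();
        hyp[i] = hw(key ^ d);
        if (!masked) {
            obs[i] = leak(key ^ d);       /* unprotected: the bus carries key ^ d */
        } else {
            uint8_t m = (uint8_t)rng();   /* fresh random mask for every operation */
            obs[i] = leak((key ^ m) ^ d); /* the bus only ever carries one share */
        }
    }
    return corr_sq(hyp, obs, TRACES);
}
```

The unmasked run returns roughly 0.85 (the key-dependent value explains most of the signal); the masked run returns close to 0, which is the result an evaluator wants to see before trusting the key-loading path.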
Fault induction, or glitching, is another technique. Basically, it involves deliberately perturbing the system to see how it responds. By running the power or clock or ground of a chip outside of spec, for example, an adversary can push the system into a different operating regime in which it begins to introduce errors -- repeatable errors that an attacker can mine to provide a launch point for further attacks.
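An added example, not code from the article: a C sketch of the standard countermeasure for the single-glitch case described above, applied to a secure-boot style digest comparison. The fault is simulated in software (a constructed step counter forces one byte comparison to report "equal", standing in for one skipped or corrupted instruction), the sample digests are constructed, and the sentinel constants are arbitrary non-trivial values.

```c
#include <stdint.h>
#include <stddef.h>

#define ACCEPT 0x3CA5C35Au   /* non-trivial sentinels: a glitch that zeroes or   */
#define REJECT 0xC35A3CA5u   /* saturates a register lands on neither value      */

/* Fault simulation (constructed for this example): every byte comparison
   increments a step counter, and the comparison at step `fault_step` is
   forced to report "equal", modelling one skipped or corrupted instruction. */
static int step_counter = 0;
static int fault_step = -1;

static int bytes_equal(uint8_t a, uint8_t b) {
    int equal = (a == b);
    if (step_counter++ == fault_step) equal = 1;
    return equal;
}
static void arm_fault(int step) { step_counter = 0; fault_step = step; }

/* Naive check: one pass with early exit, so a single faulted compare passes. */
uint32_t naive_check(const uint8_t *got, const uint8_t *want, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!bytes_equal(got[i], want[i])) return REJECT;
    return ACCEPT;
}

/* Hardened check: two independent passes in opposite order, each keeping
   its own verdict, and both must land on ACCEPT. A single fault can flip
   at most one comparison in one pass, so the other pass still rejects. */
uint32_t hardened_check(const uint8_t *got, const uint8_t *want, size_t n) {
    uint32_t pass1 = ACCEPT, pass2 = ACCEPT;
    for (size_t i = 0; i < n; i++)
        if (!bytes_equal(got[i], want[i])) pass1 = REJECT;
    for (size_t i = n; i-- > 0;)
        if (!bytes_equal(got[i], want[i])) pass2 = REJECT;
    return (pass1 == ACCEPT && pass2 == ACCEPT) ? ACCEPT : REJECT;
}

/* Constructed sample: the expected digest and a candidate differing in byte 5. */
static const uint8_t WANT[16]  = { 0x10,0x32,0x54,0x76,0x98,0xBA,0xDC,0xFE,
                                   0xEF,0xCD,0xAB,0x89,0x67,0x45,0x23,0x01 };
static const uint8_t WRONG[16] = { 0x10,0x32,0x54,0x76,0x98,0x00,0xDC,0xFE,
                                   0xEF,0xCD,0xAB,0x89,0x67,0x45,0x23,0x01 };

/* Run one check against WANT with a fault injected at `step` (-1 = no fault). */
uint32_t run_naive(const uint8_t *got, int step)    { arm_fault(step); return naive_check(got, WANT, 16); }
uint32_t run_hardened(const uint8_t *got, int step) { arm_fault(step); return hardened_check(got, WANT, 16); }
```

With the fault armed on the one mismatching byte, the naive check accepts the wrong digest while the hardened check still rejects it; a real implementation would add the same redundancy to the branch that consumes the verdict.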
Management of security keys presents a different sort of weakness. These keys are essentially the core of the security architecture. As a result, they're the subject of ongoing attacks by adversaries seeking vulnerabilities in the way those keys are managed and stored in the silicon. In addition to the methods we've discussed, determined attackers can actually decap the silicon and use diagnostic equipment like ion beams to reverse engineer a chip and extract the keys and data. And they're doing it quite successfully. “As small as these things get, the diagnostic tools do a pretty good job of tracking the technology nodes,” says Jun. “And the challenge is basically how do we build silicon that can keep its secrets even though it undergoes this kind of scrutiny?”
In the commercial world, a pirate organization might be willing to spend multiple millions of dollars to strike the keys that would let them build and sell their own cable TV boxes, for example. When it comes to defense, of course, an adversary may have access to all the same technologies but, decoupled from the economic equation that governs commercial attackers, may be willing to spend far more to accomplish its goals.
There are established security and counterattack techniques in place and more under development. To learn more, keep an eye out for a CRI feature on the attack methodologies and defenses.
Is security a factor in your designs? Do you take these vulnerabilities into account? Are there others that belong in the discussion?