Design Article
Anti tamper real time clock (RTC) - make your embedded system secure
Mohit Arora, Prashant Bhargava, Stephen Pickering, Freescale Semiconductor
9/10/2009 1:27 PM EDT
Erasing Critical Information:
Critical data such as security keys and passwords is generally retained in battery-backed memory within the SoC or in RTC registers, since these remain available at all times, even when main power fails. This data must not fall into the hands of a hacker. Hence, on any tamper detection, the RTC should erase all the secure keys stored in its registers and the contents of any associated secure memory.
Fail Safe Mechanism:
A hacker may remove the main power and then remove the RTC crystal so as to stall the time. When the main supply is reconnected, a secure system should detect the missing RTC clock and switch the system to an alternate clock source, indicating crystal failure. Depending on the application, firmware may choose to notify the user of the failure so that the necessary action can be taken.

Figure 6: Detecting Crystal Failure
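The sketch below is an added example, not code from the article or from any Freescale device. It models the two behaviours just described: wiping key registers and failing over to an alternate clock when the RTC counter is found stalled. The register layout, flag names and the `erase` policy argument are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical RTC model: names are illustrative, not a real device map. */
#define RTC_KEY_WORDS   8
#define ST_XTAL_FAIL    (1u << 0)   /* sticky: crystal found stopped */
#define ST_KEYS_ERASED  (1u << 1)   /* sticky: key storage was wiped */

enum clk_src { CLK_CRYSTAL, CLK_ALTERNATE };

struct rtc_model {
    volatile uint32_t counter;                 /* +1 per RTC clock tick */
    volatile uint32_t key_regs[RTC_KEY_WORDS]; /* battery-backed secrets */
    volatile uint32_t status;
    enum clk_src src;
};

/* Volatile stores cannot be dropped as dead writes, unlike a plain
 * memset() of a buffer that is never read again. */
void rtc_erase_keys(struct rtc_model *r)
{
    for (size_t i = 0; i < RTC_KEY_WORDS; i++)
        r->key_regs[i] = 0;
    r->status |= ST_KEYS_ERASED;
}

/* Run after main power returns. prev_count was sampled one check interval
 * earlier, timed by the main clock and long enough for a healthy crystal
 * to tick. Returns true while the crystal is healthy. */
bool rtc_check_crystal(struct rtc_model *r, uint32_t prev_count, bool erase)
{
    if (r->status & ST_XTAL_FAIL)
        return false;               /* already failed over */
    if (r->counter != prev_count)
        return true;                /* counter advanced: crystal alive */
    r->src = CLK_ALTERNATE;         /* keep time on the alternate source */
    r->status |= ST_XTAL_FAIL;      /* latch for firmware to report */
    if (erase)
        rtc_erase_keys(r);          /* application policy (assumption) */
    return false;
}

int main(void)
{
    /* Constructed state: counter frozen at 1000 with a key loaded. */
    struct rtc_model r = { .counter = 1000, .key_regs = { 0xA5A5A5A5u } };
    return rtc_check_crystal(&r, 1000, true) ? 1 : 0;   /* 0 = stall handled */
}
```

The failure flag is sticky so that firmware can still report the event after the clock source has been switched.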
RTC Clock Compensation:
The RTC crystal may be subjected to changes in pressure, voltage or temperature, or exposed to certain chemicals, so as to alter its characteristics and make the clock run slower or faster. Hence the RTC should be able to compensate for inaccuracies in the clock and continue to supply an accurate clock to the RTC counters, thus maintaining accurate time. Compensation can be done by removing pulses, so that counts are skipped, if the crystal is running fast, or by adding clock pulses if the crystal is running slow. Firmware may choose to indicate a tamper or crystal failure if the compensation required exceeds the acceptable range.
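The following added example (not from the article) shows how firmware could turn a measured tick count into a pulse add/remove plan and reject an error that is too large to be ordinary drift. The 32768 Hz crystal, the 32-second window, the 200 ppm limit and the trusted reference used for the measurement are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* All three values are assumptions for this example, not from the article. */
#define RTC_NOMINAL_HZ  32768   /* common watch-crystal frequency */
#define COMP_WINDOW_S   32      /* compensation window, seconds */
#define COMP_MAX_PPM    200     /* largest error firmware will correct */

enum comp_result { COMP_OK, COMP_OUT_OF_RANGE };

struct comp_plan {
    int32_t ppm;     /* measured error; positive means crystal runs fast */
    int32_t pulses;  /* per window: >0 add pulses, <0 remove pulses */
};

/* measured_ticks: crystal ticks counted during one window whose length is
 * timed by a trusted reference clock (hypothetical measurement hook). */
enum comp_result rtc_plan_compensation(uint32_t measured_ticks,
                                       struct comp_plan *out)
{
    const int64_t nominal = (int64_t)RTC_NOMINAL_HZ * COMP_WINDOW_S;
    const int64_t delta = (int64_t)measured_ticks - nominal;

    out->ppm = (int32_t)(delta * 1000000 / nominal);
    /* Compare in integer form to avoid rounding at the limit. */
    if (llabs(delta) * 1000000 > (int64_t)COMP_MAX_PPM * nominal) {
        out->pulses = 0;            /* do not mask a gross error */
        return COMP_OUT_OF_RANGE;   /* firmware flags tamper/crystal fault */
    }
    out->pulses = (int32_t)-delta;  /* fast crystal -> remove, slow -> add */
    return COMP_OK;
}

/* Seconds the RTC counter registers for one real window after correction. */
uint32_t rtc_counted_seconds(uint32_t measured_ticks, int32_t pulses)
{
    return (uint32_t)(((int64_t)measured_ticks + pulses) / RTC_NOMINAL_HZ);
}

int main(void)
{
    struct comp_plan p;
    /* Constructed reading: 50 ticks too many in 32 s (about 47 ppm fast). */
    if (rtc_plan_compensation(1048626u, &p) != COMP_OK) return 1;
    return rtc_counted_seconds(1048626u, p.pulses) == COMP_WINDOW_S ? 0 : 1;
}
```

A stopped crystal reads as zero ticks and lands in the out-of-range branch, so the same check also catches the stalled-clock case.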
3. Conclusion
Security is becoming increasingly important in embedded applications, both to protect company revenue and to protect critical data. This article has described several anti-tamper techniques that can be easily implemented in an RTC design.
It is important to note that the techniques described may vary based on application requirements. For example, in a Point of Sale terminal it would be good to invalidate the time so as to indicate that the device has been tampered with, making the device unusable, while for an electricity meter it is necessary to keep the clock running.
Implementing these features in the RTC is cheaper and more secure because the RTC operates on an independent power supply and an independent clock source, ensuring that any tampering from external sources is monitored and recorded even when the main system supply is not available.
About the authors:
Mohit Arora is a Systems Engineer in Freescale Semiconductors. His current focus is on the Energy/Utility Metering Market. He has been involved in product definition and specification for ColdFire/PowerPC based products for the Mid-high end Industrial Market space. He earned a Bachelor's degree in Electronics and Communication Engineering from Netaji Subhas Institute of Technology (NSIT), India. He can be reached at: mohit.arora@freescale.com.
Prashant Bhargava is a Design Lead in Freescale Semiconductors and has worked in Design & Architecture of microcontrollers for different applications like VoIP, Display Controllers and Utility Metering. He holds a Bachelor of Engineering degree in Electronics & Communication from Punjab Engineering College, Chandigarh, India. He can be reached at: prashantb@freescale.com.
Stephen Pickering is a Systems Engineer in Freescale Semiconductors. His work involves the architectural definition of micro-controllers for various applications; in particular, he has spent the last 2-3 years defining solutions for utility meters and has visited over 40 different meter manufacturers world-wide during the definition of current and future micro-controllers. He can be reached at: stephen.pickering@freescale.com.
RajeevVats
9/13/2009 12:30 AM EDT
Good
jzwatches
12/14/2012 3:02 AM EST
Security has indeed fast become an issue with many products and appliances, from computer, electricity to luxury items. Many of these products are essential to our daily lives and we can’t live without them. Imagine the chaos and pandemonium that could result from the failing of such products and appliances. While products these days already have anti-tamper switches in their applications to prevent tampering, we must also keep a vigilant watch and ensure that all the necessary precautions are taken to prevent any possible attacks. - http://www.jzandf.com