Hardware Can Be Hacked Too

By Carolyn Mathas

Contributed By Digi-Key's North American Editors

According to a recent Forbes article, attacks on IoT devices are up 300% and there’s virtually no chance that number will improve in the near future. The number of IoT-enabled products shipping today is quite staggering, so that’s a lot of devices to keep secure, especially when the attackers and methods of attack are gaining in sophistication.

Increase in hardware attacks

Most users are familiar with the ubiquitous software attacks, and are getting better at keeping their security software up to date. Today however, hackers are migrating to hardware attacks. Microprocessors and microcontrollers are ubiquitous, in our homes and in sophisticated critical systems, and hackers are getting better at infiltrating them.

According to IC Insights, semiconductor unit shipments exceeded 1 trillion devices in 2018, each one a potential point of vulnerability and, collectively, an even greater opportunity for overt and covert hardware hacking. The challenges hardware presents are in many ways more extensive, more dangerous, and more difficult than those faced in protecting software.

There are myriad examples, including:

  • The use of a kill switch, whereby a hacker selectively turns off chips. If one block in a chip is corrupted, preventing access to the system bus, data won’t reach the other blocks, which disables the system.
  • A kill code command can be delivered by radio signal to a micro-antenna on a chip. A time bomb, programmed when the chip was created, can trigger a complete shutdown at a certain time and date.
  • When chips are compromised, they may appear to operate normally while they collect and transmit data or launch malware.
  • Seagate hard drives were found to have two separate Trojans built into them in 2007, and malware directed the hard drive to upload its data to websites in Beijing.
  • The Galaxy S4 smartphone shipped preloaded with a Trojan masquerading as the Google Play Store. Attackers accessed phone calls, read emails, intercepted financial information, and remotely watched and listened in via the phone’s camera and microphone.
  • Lenovo PCs were banned in the US, UK and Australia due to backdoor vulnerabilities.
  • Recently, researcher Jonathan Brossard discussed a new strain of malware that’s nearly impossible to remove. Dubbed Rakshasa, it’s a permanent backdoor that’s hard to find and harder to eliminate.
  • Glitching attacks cause a hardware fault by manipulating a system’s environmental variables, such as supply voltage, temperature, or clock signals, so that normal operation is interrupted. Attackers slip malicious instructions into the processing gaps the glitching causes.
  • The presence of hardware backdoors in particular represents a nightmare for the security community, as do malicious hardware modifications from insiders.

Hardware attacks target authentication tokens, communication infrastructure components, surveillance, network appliances, and increasingly, industrial control systems.

Prevention is necessary at several phases, including creating trusted circuits at the design level that use all hardware resources; at the fabrication level with specifications and security-based properties; and post-fabrication with logic devices that minimize attack possibilities. The reality is, however, that from design all the way to delivery and use, there are opportunities for hardware to be attacked.

An industry responds

One of the major issues for hardware security implementation is the lack of up-to-date standards. To provide greater protection against security gaps, the U.S. National Institute of Standards and Technology (NIST) SP 800-193 delivers platform firmware resiliency (PFR) guidelines that establish security mechanisms to protect against, and detect, unauthorized changes.

They ensure that a Root of Trust (RoT) is established on all system firmware that provides for protection, detection, and recovery in cases of corruption. To be compliant, the RoT device must perform operations on its own firmware before booting, using no external components.

Incorporating greater security

The embedded industry is clearly responding to these hardware threats. For example, the NXP QorIQ LS1046A and LS1026A processors target networking, storage, security, and industrial applications that require a high-end CPU with exceptional packet processing performance and high-speed interfaces. Features include Arm TrustZone and NXP QorIQtrust architecture, secure boot, secure debug, tamper detection, and secure key storage.

Figure 1: The LS1046A block diagram shows a high-end device that ups the ante on security. (Image source: NXP)

Arm TrustZone represents a system-wide approach to embedded security for Arm Cortex-based cores, which range from MCUs to high-performance microprocessors. The technology creates two environments that run simultaneously on a single core: a secure world and a not-as-secure (non-secure) world. It enables developers to secure systems from the lowest levels, including the boot-up process. By creating a security subsystem, assets can be protected from software attacks as well as common hardware attacks.

The NXP LPC55S6x MCU supports up to four revocable or Certificate Authority keys. The Root of Trust is established by storing the SHA-256 hash digest (of four RoT public keys) in a protected flash region (PFR). This task is simplified thanks to the NXP LPCXpresso55S69 Development Board that’s designed specifically for evaluation and development with the LPC55S6x MCU, which is based on the Arm Cortex-M33 architecture (Figure 2). This high-efficiency processor family leverages the latest Armv8-M architecture, introducing new levels of performance and advanced security capabilities including Arm TrustZone and coprocessor extensions.
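The key-table anchoring described above, as an added illustrative model (not NXP's on-chip format or code): the device stores only a SHA-256 digest of the hashes of four RoT public keys in its protected flash region, and at boot it checks the key table presented with the firmware image against that digest, rejecting any revoked key index. The key bytes, the `PFR` dictionary layout and the function names are constructed for the example.

```python
import hashlib

# Constructed stand-ins for four RoT public keys (real devices hold the
# hashes of actual asymmetric public keys; the scheme is the same).
ROT_KEYS = [b"rot-public-key-%d-constructed" % i for i in range(4)]

def key_hash(pubkey: bytes) -> bytes:
    return hashlib.sha256(pubkey).digest()

def key_table_digest(pubkeys) -> bytes:
    """SHA-256 over the concatenated SHA-256 hashes of the four RoT keys.
    This single digest is what gets burned into protected flash."""
    if len(pubkeys) != 4:
        raise ValueError("exactly four RoT keys expected")
    return hashlib.sha256(b"".join(key_hash(k) for k in pubkeys)).digest()

# Simulated protected flash region, written once at provisioning:
# the anchored digest plus a monotonic revocation bitmask (one bit per key).
PFR = {"rkth": key_table_digest(ROT_KEYS), "revoked": 0b0000}

def select_boot_key(pubkeys, index: int, pfr=PFR) -> bytes:
    """Boot-time check: the key table shipped with the image must hash to the
    anchored digest, and the key the image claims to be signed with must not
    be revoked. Returns the public key to verify the image with, or raises."""
    if key_table_digest(pubkeys) != pfr["rkth"]:
        raise ValueError("RoT key table does not match protected flash digest")
    if not 0 <= index < 4:
        raise ValueError("bad RoT key index")
    if pfr["revoked"] & (1 << index):
        raise ValueError("RoT key %d has been revoked" % index)
    return pubkeys[index]

def boot_rejects(pubkeys, index: int, pfr=PFR) -> bool:
    """True when the RoT refuses to boot with this key table / key index."""
    try:
        select_boot_key(pubkeys, index, pfr)
        return False
    except ValueError:
        return True

def revoke_key(index: int, pfr=PFR) -> None:
    """Revocation is one-way: bits can only be set, never cleared."""
    pfr["revoked"] |= 1 << index
```

Swapping even one key in the table changes the digest, so an attacker who controls the image but not the protected flash cannot introduce a key of their own.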

Figure 2: The NXP LPC55S6x Arm Cortex-M33-based microcontroller for embedded applications is featured on the NXP LPCXpresso55S69 Development Board. (Image source: NXP)

Academia jumps in

There are real threats to the processor supply chain before devices are even deployed by the customer. From design inception through transit and upgrades, attacks are rampant. The challenges continue, and given the price of hardware versus software security, companies are still balking at adoption. Improvements will continue and will include greater analysis capabilities, memory protection to ward off database injection, cross-site scripting and buffer overflows, tamper-proof enclosures, improved securing and integrating of cryptographic accelerators, and security/performance tradeoffs.

In the meantime, important advances are being made and the industry is ready and willing to quickly adopt them. For example, researchers at the University of Cincinnati and the University of Wyoming recently created an algorithm that safeguards hardware from attacks in which hackers detect variations in a device's power consumption and electromagnetic radiation and then use those variations to steal encrypted information.

The premise of the effort, according to assistant professor Mike Borowczak, Ph.D. at the University of Wyoming, was that no matter how secure you make software, when hardware leaks information, all of the security mechanisms are bypassed. Many of the vast number of devices vulnerable to hardware attacks are small, lightweight items that use minimal power and are built by engineers to work within low power constraints. Unfortunately, optimizing for speed, power, area, and cost means taking a hit on security.

The university team developed an algorithm that improves hardware security by making the hardware draw the same amount of power in each cycle, across all cycles. Power measurements that attackers could previously use to their advantage no longer reveal anything useful. The cost of this advantage is a mere 5% increase in power consumption.
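To show why equal per-cycle power draw removes the attacker's signal, here is an added simulation that is not the university team's algorithm: the "power" of a cycle is modelled as the Hamming weight of the value latched into a register, a naive design latches a secret-dependent value directly, and a balanced design latches a dual-rail encoding (each bit paired with its complement) so every cycle has the same weight regardless of the secret. The register width, the input bytes and the function names are constructed for the example.

```python
MASK = 0xFF  # constructed 8-bit register width

def hamming_weight(x: int) -> int:
    """Leakage model: switching activity grows with the number of set bits."""
    return bin(x).count("1")

def naive_trace(secret: int, inputs) -> list:
    """Per-cycle simulated power for a register that latches secret ^ input.
    The trace varies with the secret, so it carries information about it."""
    return [hamming_weight((secret ^ p) & MASK) for p in inputs]

def dual_rail(value: int) -> int:
    """Encode the byte as (value, ~value): exactly 8 of the 16 bits are set
    whatever the value, so the latched Hamming weight is constant."""
    return ((value & MASK) << 8) | (~value & MASK)

def balanced_trace(secret: int, inputs) -> list:
    """Per-cycle simulated power when the register holds the dual-rail form."""
    return [hamming_weight(dual_rail(secret ^ p)) for p in inputs]

def distinguishable(trace_fn, inputs, secrets=range(256)) -> bool:
    """True if any two secrets yield different traces for the same inputs,
    i.e. the trace still tells an observer something about the secret."""
    traces = {tuple(trace_fn(s, inputs)) for s in secrets}
    return len(traces) > 1

def overhead_bits(width: int = 8) -> float:
    """Cost of this particular scheme: the register doubles in width. The
    team's 5% figure refers to their method, not to this simple model."""
    return (2 * width - width) / width
```

Running `distinguishable(naive_trace, inputs)` over all 256 secrets returns True, while the balanced register returns False for the same inputs: once every cycle looks alike, a power trace no longer separates one secret from another.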

A moving target

Security challenges and attack sophistication represent a proverbial game of cat and mouse. Is it possible to build a fully secure system? No. At the very least, companies and the management teams that run them must take the reality of hardware attacks seriously. Companies that ignore their hardware security efforts stand to lose a lot more than the money saved.

Disclaimer: The opinions, beliefs, and viewpoints expressed by the various authors and/or forum participants on this website do not necessarily reflect the opinions, beliefs, and viewpoints of Digi-Key Electronics or official policies of Digi-Key Electronics.

About this author

Carolyn Mathas

Carolyn Mathas has worn editor/writer hats at such publications as EDN, EE Times Designlines, Light Reading, Lightwave and Electronic Products for more than 20 years. She also delivers custom content and marketing services to a variety of companies.
