Yet again, a massive attack puts the focus on cybersecurity. The late October widespread denial-of-service hacking was top of mind at a panel of experts gathered at the ARM TechCon conference in Santa Clara, Calif. this week. The experts concluded that the whole product chain has to be secure, down to the chip itself. Devices are only as secure as the weakest link in their supply chain.
According to panel members, the lesson of the October attack was that seemingly benign household products pose a cyber danger. “Even harmless devices can be used to take down all kinds of services, said Chowdary Yanamadala, SVP of ChaoLogix, referring to the massive denial-of-service attack. “This will turn into terrorist attacks if we’re not careful. It will move beyond the annoying denial-of-service attacks.”
The solution to the vulnerability is not easy. It will involve a range of changes in how connected devices are secured. “You need to have multiple layers of security. Ease of attack and scale of attack put the whole system at risk,” said Yanamadala. He noted that protecting the perimeter is not sufficient. “If you protect yourself against side channels, you’re not done.”
Even with all the vulnerabilities, Yanamadala believes some ground has been taken in the security wars. “A lot of the components of the security puzzle have been solved. In some markets, much of the security problem has been solved,” he said. “IoT is not as secure as the financial market because the IoT market is still developing. So we should think about how this can be handled in the future.”
The focus on what needs to be secured is a moving target. The October attacks revealed that all parts of the connected chain needed to be secure. “There was a time when good software was good enough. Now each part has to be secured -- the network, the software, and the hardware,” said Yanamadala. “The attackers will look for the weakest link in the chain. If there are weak links, it doesn’t matter how secure the rest of the system is.”
The Insides of the Chip Needs to Be Secure
Moderator Ed Sperling, editor-in-chief of Semiconductor Engineering , suggested that the product’s security chain has to include the contract manufacturer. “Even Apple is using third parties for assembly. How do you secure what’s inside the product if you’re not manufacturing it?” he asked.
The answer may be that contract manufacturers have to take some responsibility for making sure the products are secure. “Signing off on the code and the functionality of the chip is critical. You have to create a route of trust,” said Eric Sivertson, CEO of QuantumTrace. “We need to know the code that is running on the devices. Right now, very few foundries have to sign on their work.”
One of the problems is that the IoT world is creating tons of