Hardware hacking and its consequences
As we observe the growth in global data traffic, driven by entertainment content and corporate data, a notable (and previously almost non-existent) part of the new “datasphere” is emerging.
With the proliferation of connected devices, small packets of sensor and communications data are being transmitted at high frequency, many of which contain critical data points for the functioning of medical devices, vehicles and industrial equipment.
Risks in cyberspace are usually associated with exploits of operating system weaknesses or malware attacks, less often with design flaws in chips and sensors. However, with growing data volumes to and from Internet of Things (IoT) devices, infiltrating and exploiting them through hardware oversights is becoming an appealing area for cybercriminals. In this article we discuss both the data volume growth (i.e. the “market size” for cybercriminals) and the security concerns at the hardware level.
The future of cybersecurity is in the hands of hardware engineers
Scott Borg, director of the U.S. Cyber Consequences Unit [1]
A zettabyte of data
By nature, data is something imperceptible. We really do not notice or think much about the amount that is generated each time an app shows a notification or when we ask our digital assistant the way to the nearest cafe. Other than on that last holiday with an expensive roaming service, but I digress. First let us put the data volume generated by IoT in the context of global data traffic.
While gigabytes and even terabytes are familiar measures from various consumer devices, globally we are more in the territory of exabytes and zettabytes. A handy chart is provided below, but essentially each measure is 1000 times the previous one. Though it is impossible to tell exactly how much data is in the “datasphere” (generally defined as all data created and replicated, but not necessarily stored), estimates for a year range from around 300 to 400 zettabytes (ZB) according to independent white papers from IDC [2] and Cisco [3]. This volume would be the equivalent of every single person in the world streaming about six 1080p full HD films every day throughout a year.
Logarithmic growth curve
Although the absolute data volume is impressive, the growth numbers are more staggering – from 220 ZB in 2016 to an estimated 850 ZB in 2021 – a fourfold increase in five years. The film example from above gives a good insight into this growth. It used to be that the data was burned once onto a Blu-ray disc or some other physical storage device. No data transfer there, unless we count lending that disc to the neighbors. Nowadays we stream the same content, which means it is usually not stored locally on a device. Each time we re-watch the films we purchased, the data is transferred anew. The same logic applies to anything cloud-stored or to accessing various online services.
Entertainment and productivity/corporate data is a major part of the data explosion story, but another, more silent and perhaps more interesting contributor is so-called embedded data, created by connected devices for data aggregation, monitoring, machine-to-machine communication and similar purposes. Broadly speaking, the data created by IoT.
This includes the transfer of all kinds of sensor readings – temperature, elevation, acceleration, pressure – as well as positioning information and communications commands to control those connected devices. Though individually these data packets are very small, the aggregate volume is noteworthy. And more relevant than the size is the value of the information, as these short readings are often mission-critical. That brings us to the second part of the discussion: how secure are these data transfers, and what role does hardware play in making them secure?
Hardware hacking the IoT
When we talk about digital threats and security, we normally think of software – viruses and phishing attacks. Conversely, the hardware side has been considered relatively safe and clean. However, the discussion has been picking up as increasingly more connected devices not only prompt the user with a notification, but also act on their own in an automated way, based on a sensor reading. Say, a smart thermostat which turns the local heating on if the temperature drops below a preset level.
Hardware hacking implies making the device act in a way it is not intended to (a definition of hacking, essentially), but through exploiting design weaknesses in hardware – the integrated circuits and various components themselves. The security flaws can range from deliberately compromised chips (a case of a phone from a Chinese manufacturer shipping with a Trojan preloaded on one of its components) to production errors which prevent a device from functioning [4]. Reportedly, this was the case for microchips intended for a U.S. Navy helicopter, where faulty transistors would have prevented it from launching missiles. The chips were discovered in time, but given the long and complex manufacturing chain it was not straightforward to trace the source of the faulty parts either.
Defective hardware aside, connected devices with sensors present another interesting exploit: tampering directly with the sensor readings or with the communication of those readings, i.e. making the device think, or report, that it is sensing something that is not there. Here too there are several approaches:
- Manipulating the fundamental physics that the sensors rely on
- Manipulating the signal received from devices, for instance:
  - Replay attacks – capture a packet and repeat it over and over
  - Denial of service – jamming the legitimate signals with fake ones
  - Injection – inserting a fake message with the correct transmission ID
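The replay and injection cases in the list above are the two a receiver can actually detect in software, since jamming simply removes the signal. The following is an added illustration, not code from the article or from any of the products it mentions: each short sensor packet carries a device id, a strictly increasing counter and the reading, followed by a truncated HMAC-SHA256 tag under a per-device key. A replayed packet fails the counter check, and an injected packet that carries the correct device id but was not built with the key fails the tag check. The device id, key, tag length and packet layout are all constructed assumptions for the example.

```python
"""Replay/injection checks for short sensor packets (added illustration).

Each packet = device id (u16) | counter (u32) | reading (i32, 0.01 units) | tag.
The receiver accepts a packet only if the tag verifies under the device's key
and the counter is strictly greater than the last accepted one for that device.
"""
import hmac
import hashlib
import struct

BODY_FMT = ">HIi"
TAG_LEN = 8  # bytes of HMAC kept on the wire (assumed trade-off against packet size)

# Constructed per-device key; a real deployment provisions keys at manufacture.
DEVICE_KEYS = {
    0x0101: bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}


def build_packet(device_id, counter, reading_centi, key):
    """Serialise one reading and append a truncated HMAC tag."""
    body = struct.pack(BODY_FMT, device_id, counter, reading_centi)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Verifies integrity (tag) and freshness (counter) of incoming packets."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # device id -> highest accepted counter

    def accept(self, packet):
        """Return (ok, reason, reading) for one packet."""
        if len(packet) != struct.calcsize(BODY_FMT) + TAG_LEN:
            return False, "bad length", None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        device_id, counter, reading = struct.unpack(BODY_FMT, body)
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device", None
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so tag checking leaks nothing about the key.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag (forged or corrupted)", None
        # Counter must advance; a captured-and-repeated packet fails here.
        if counter <= self.last_counter.get(device_id, -1):
            return False, "stale counter (replay)", None
        self.last_counter[device_id] = counter
        return True, "ok", reading / 100


def demo():
    """Genuine packet, the same bytes replayed, a forged packet, the next genuine one."""
    rx = Receiver(DEVICE_KEYS)
    key = DEVICE_KEYS[0x0101]
    genuine = build_packet(0x0101, 42, 2150, key)  # 21.50 degrees (constructed)
    results = [rx.accept(genuine)[1]]
    results.append(rx.accept(genuine)[1])  # replay of the captured packet
    forged = build_packet(0x0101, 43, -4000, b"attacker-has-no-key")  # correct id only
    results.append(rx.accept(forged)[1])
    results.append(rx.accept(build_packet(0x0101, 43, 2160, key))[1])
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two practical caveats: the receiver must persist the last accepted counter across restarts, and the device must not reuse counters after a reset, otherwise the freshness check silently degrades. A tag gives integrity and freshness without confidentiality, which is why it is a cheaper starting point than full encryption for the low-power chips discussed later in the article.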
For instance, researchers at the Computer Science and Engineering department of the University of Michigan have shown how capacitive microelectromechanical (MEMS) accelerometers, such as those used in smartphones and wearables, can be tricked by acoustic waves into registering that the user carrying the device is moving [5]. It is fine if a pedometer miscounts steps, but it is far more serious if sensors in adaptive cruise control, or later on in a fully self-driving vehicle, get tampered with. Similarly, the fundamental inputs to industrial Supervisory Control and Data Acquisition (SCADA) systems could be at risk.
A partial solution may lie in an updated software layer which recognizes that there is something wrong with the input. Researchers from Virginia Tech, in collaboration with the University of Electronic Science and Technology of China and Microsoft Research, successfully carried out GPS spoofing attacks, sending “ghost maps” to the Google Maps application on various phones [6]. But not all chips are created equal: when they tackled the navigation system in a Tesla, powered by a chip from the Swiss company u-blox, they failed due to protection embedded in the hardware.
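One concrete form of the “software layer that recognizes something is wrong with the input” is a plausibility filter on position fixes. The block below is an added illustration, not code from the article or from any vendor it names: each new fix is compared with the last accepted one, and a fix that would require the vehicle to exceed a plausible speed is rejected rather than fed to navigation. The track, the coordinates and the 60 m/s speed ceiling are constructed assumptions.

```python
"""Plausibility filter for GPS fixes (added illustration).

A receiver that trusts every fix will follow a spoofed position. This check
compares each new fix with the last accepted one and rejects fixes that would
imply an impossible speed. The constructed track below contains one 11 km jump.
"""
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def filter_fixes(fixes, max_speed_mps):
    """fixes: list of (t_seconds, lat, lon).

    Returns a list of (t, accepted, implied_speed_mps). A rejected fix does not
    become the reference point, so genuine fixes after a spoofed jump still pass.
    """
    out = []
    last = None
    for t, lat, lon in fixes:
        if last is None:
            out.append((t, True, 0.0))  # first fix: nothing to compare against
            last = (t, lat, lon)
            continue
        dt = t - last[0]
        if dt <= 0:
            out.append((t, False, float("inf")))  # out-of-order or duplicate timestamp
            continue
        speed = haversine_m(last[1], last[2], lat, lon) / dt
        ok = speed <= max_speed_mps
        out.append((t, ok, speed))
        if ok:
            last = (t, lat, lon)
    return out


# Constructed track: ~100 m northwards every 10 s, with an 11 km jump at t=30.
SAMPLE_FIXES = [
    (0, 37.4220, -122.0841),
    (10, 37.4229, -122.0841),
    (20, 37.4238, -122.0841),
    (30, 37.5238, -122.0841),
    (40, 37.4247, -122.0841),
]

MAX_CAR_SPEED_MPS = 60.0  # assumption: roughly 216 km/h ceiling for a road vehicle


def rejected_times(fixes=SAMPLE_FIXES, max_speed=MAX_CAR_SPEED_MPS):
    """Timestamps of fixes the filter refused to pass on to navigation."""
    return [t for t, ok, _ in filter_fixes(fixes, max_speed) if not ok]


if __name__ == "__main__":
    for t, ok, speed in filter_fixes(SAMPLE_FIXES, MAX_CAR_SPEED_MPS):
        print(f"t={t:3d}s  speed={speed:8.1f} m/s  {'accepted' if ok else 'REJECTED'}")
```

The limitation is worth stating: a spoofer that drifts the reported position slowly enough to stay under the speed ceiling passes this check unnoticed, which is why such a filter complements, rather than replaces, protection built into the receiver hardware.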
A difficult problem to solve
However, hardware opens new angles for exploits that software is not always able to fix. As sensors are placed in the field, many might be in places that are relatively costly to reach and upgrade, for instance in oil and gas pipelines. Other sensors by design have to operate on very low power, which inherently means that the chips used in these packages cannot afford to waste energy encrypting their signals. A popular fingerprint-enabled smart lock was easily hacked as it was sending verification data over unencrypted HTTP [7]. As it turns out, that was not this product’s only flaw: it could also have been compromised through its Bluetooth Low Energy media access control (MAC) address, which the device used as its unique identifier when communicating with a network interface. As with the previous example, someone stealing a gym bag from a locker is not the end of the world, but similar design flaws can happen in the medical space, too. Continuous glucose monitoring (CGM) devices and insulin pumps have been shown on several occasions to have weak signal encryption and subpar security features, enabling hackers to alter the readings or, more seriously, to copy the signal from the remotes of insulin pumps. Such findings prompted Johnson & Johnson to issue a cyber risk warning on its pumps in 2016 [8].
Adding to the problem, the manufacturing chain for commercial and industrial IoT devices is a long one. On the same circuit board we would find many different components from different manufacturers, and when manufacturers design a chip they do not always know in what device it will end up, or paired with which other components. Still, the fundamental solution would be to think about the various potential exploits already in the design phase of the sensors and of the communications chips they are attached to.
With the growing, but, more importantly, critical part of the “datasphere” – sensor and IoT communication data – the threat of hardware hacking presents a new set of challenges. Unlike with software, one cannot add security after the fact; it has to be designed and built into the product. A short excerpt from an interview with Scott Borg, director of the U.S. Cyber Consequences Unit, sums it up well [9]:
“Decisions that are made in engineering at really fine-grained levels affect the costs of carrying out a cyberattack. Even a small sensor will have consequences for cybersecurity, not always in the immediate device, but as it develops into a product line.”
Of course, it is not only the hardware engineers who have to drive the adoption of more security-conscious hardware, but also the management of these companies and ultimately the customers. The cybersecurity market is currently north of $120 billion with a strong outlook [10], but likely with just a fraction of that currently spent on hardware. With growing awareness, however, we will see more attention to design, testing and validation at product level to address security risks in particular.
As long-term investors in the areas of both security and automation, we are closely following not only the development in capabilities and applications, but also the security aspect of connected devices. The reality is that without reliability and safe operation, the IoT cannot deliver on its promises. Therefore we invest in companies that enable security on the one hand, and companies that proactively embrace it in their automated and smart products on the other. Credit Suisse Asset Management has designed two strategies to provide clients with “pure-play” exposure to these compelling and complementary long-term secular growth themes: robotics & automation and security & safety.