Harnessing Secure Microcontroller Know-How to Protect Connected DevicesJanuary 31, 2017 by Paul Golata, Mouser
As modern life increasingly moves online, more powerful secure microcontrollers and other secure ICs are emerging.
Secure microcontrollers have established a successful record in protecting card transactions against fraud. As modern life moves online—increasingly managed by numerous connected devices such as smartphones, wearables, and the IoT—more powerful secure microcontrollers and other secure ICs are emerging.
The Success of Smart Security
The introduction of smart cards for credit and debit transactions has significantly reduced instances of fraud. Figures from the UK Cards Association (PDF) reveal that counterfeit card fraud losses on UK-issued cards fell from £129.7 million (($159.5 million USD) in 2004—at the introduction of so-called chip-and-PIN cards—to £47.8 million ($58.7 million USD) in 2014.
The US has been slower to introduce such cards, but the transition is happening now. According to figures from the US Federal Reserve Bank, quoted by Samsung (PDF), credit card fraud increased about 70% from 2004 to 2010, before the introduction of smart cards began. It is suggested that this illustrates a shift in credit card fraud to the US, away from other territories (such as the UK) where the use of smart cards has made life much tougher for credit-card fraudsters.
The reduction in fraud can be attributed to the fact that the chip-and-pin card is significantly harder to counterfeit than primitive magnetic-stripe cards. The chip in a card such as an EMV (Eurocard-Mastercard Visa, the consortium that drove development of financial smart-card standards) payment card is a secure microcontroller that is capable of verifying the credentials of a system trying to retrieve information, and of resisting attacks aimed at revealing information about the chip or the data it contains.
Attacks on smart card microcontrollers fall broadly into three categories. These comprise fault attacks, which try to cause errors in device operation, side-channel attacks that aim to gain sensitive information by studying the system’s behavior, and invasive attacks that seek to physically probe the device or reverse-engineer its features. Manufacturers of secure microcontrollers can be reticent about the countermeasures implemented. The less that is revealed, the less information attackers have with which conceive new attacks.
Some known countermeasures, which differentiate secure microcontrollers from standard microcontrollers, include randomization of behavioral motivation to reduce uncertainty (MRU) aspects such as wait states or bus noise, integrated sensors such as frequency or voltage sensors to detect external manipulation, and active shielding that detects attempts at physical access.
Figure 1. A generic smart card with the contacts that access the internal electronics and an NFC option.
The secure microcontroller system embedded in the smart card communicates with the reader via an electrical contact interface compliant with ISO/IEC 7816 specifications, or via an RF interface using protocols defined in ISO/IEC 14443.
In a contact card, the reader supplies power to the microcontroller system via a power connection specified in ISO/IEC 7816, whereas other connections are for the clock signal and data to/from the secure microcontroller (Figure 1). In a contactless card (Figure 2), the power to operate the card electronics is harvested from the energy of the RF field setup by the contactless reader.
As far as the secure microcontroller is concerned, both types of cards benefit from the same security features. Dual contact/contactless cards implement both interfaces and are designed so that neither mode can compromise the other’s security. The effective operating range of contactless communication, combined with security measures such as secure authentication and cryptography effectively protect the RF interface against attacks such as eavesdropping, unwanted activation, and man-in-the-middle attacks that seek to intercept transmitted data to be used by a fake card to communicate with other genuine readers.
Figure 2. The secure microcontroller subsystem is connected to a loop antenna in the contactless card.
An effective security strategy must incorporate a variety of techniques implemented in the hardware, software and system levels, and cryptography (a key part of any strategy). This can encompass encryption of data stored in ROM, RAM, or non-volatile memory, as well as encryption of internal buses, peripherals, and internal registers, and may use a combination of symmetric crypto algorithms such as DES, triple DES or AES, or asymmetric algorithms like RSA or DSA Elliptic Curve Cryptography (ECC). Keys are critical to cryptography and are vulnerable to reverse engineering if applied in software running on an open platform such as a PC.
The secure microcontroller provides a secure environment for cryptographic keys by storing the keys in protected memory that is resistant to attacks. These well-guarded keys can be used in cryptographic algorithms deployed directly on the secure microcontroller if small amounts of data such, as transaction data, are involved. This type of approach is suitable for use in a POS terminal.
On the other hand, equipment such as pay-tv conditional access modules may require larger amounts of data to be processed securely. In cases like this, the highly protected keys may be used to generate temporary keys to run on the open host-processing system. In this model, the root keys stored in the secure microcontroller provide the anchor for a chain of trust that allows the system to exploit the increased processing performance of the host system.
From Smart Cards to Smart Everything
Electronic security is far more prevalent in everyday life since the 2004 timeframe when EMV cards began entering circulation in the UK and other advanced markets. Smartphones have arrived and quickly become deeply ingrained in everyday life. They're now used for activities ranging from social interactions to online purchases to contactless payments using Near Field Communication (NFC) technology that leverages the ISO/IEC 14443 RF specification.
Figure 3. Wearables that store personal data and passwords need robust protection against online attacks.
Moreover, new classes of smart devices are emerging, such as personal wellness or fitness monitors and smart watches (Figure 3), which are often connected to a smartphone or another device such as a home hub. Not to mention the Internet of Things (IoT), which will ultimately comprise an untold number and diversity of connected devices such as smart home appliances, retail technology, industrial process monitors, or traffic sensors and cameras used by authorities to manage cities and highways.
Developers and users of equipment such as smart consumer devices are quickly becoming aware of the imperative to secure these “always-connected” devices that can be seen on the Internet or across a wireless network connection and potentially accessed by hackers. If any of these devices can be compromised then the devices themselves or connected systems may be vulnerable to sabotage, fraudulent activity, or theft of data such as passwords, financial records or medical details.
Stealing passwords from weakly secured devices, for example, is an exploit that hackers are known to use to access more sensitive information held in other accounts, understanding that it is common for users to set the same password for multiple accounts.
The potential vulnerabilities of a broad range of IoT devices are also becoming apparent. A report by Kaspersky Labs staff, published by TheNewsPaper.com, highlights weaknesses discovered in various systems deployed in smart cities, such as bicycle rental terminals, road signage, and speed cameras. The researchers were able to gain command-line access to the PC hosting a cycle-rental terminal by using well-known techniques to bypass the customized user interface and to find the IP addresses of speeding cameras and gain access simply by entering common manufacturer default passwords that should have been changed when the equipment was commissioned.
These exercises certainly highlight the imperative to make better use of available security measures and to follow established security procedures rigorously. They also illustrate the power hackers can acquire by taking over devices connected to the IoT.
In many ways, this is a more serious threat than financial fraud. The ability to take control over assets such as transport signals, medical devices, or controllers in chemical plants or nuclear power stations can pose serious threats to the lives of individuals or entire communities.
Appropriate security, up to the highest possible levels in some cases, is needed to prevent hackers gaining access to networks by targeting nodes with weak security or taking control of the nodes themselves by loading malicious code. Since these nodes are typically autonomous and unsupervised, they must be capable of deciding for themselves whether to execute instructions received from another device via the network. This requires an efficient means for connected devices in the IoT to authenticate themselves to each other and so guard against unauthorized access, tampering, or sabotage.
A suitable solution must be cost-effective, small in size and with minimal impact on system power consumption or memory demands. They must also be easy to use as far as the end user is concerned.
Drawing on the existing body of knowledge surrounding the secure microcontrollers used in smart cards such as EMV payment cards, tiny devices such as secure elements dedicated to cryptographic key storage have been introduced. A secure element can be used as a companion IC to a standard microcontroller and store important authentication credentials programmed at the time of manufacture in unalterable hardware. This can give applications a high level of protection against software-based attacks launched over a network. For example, a secure element can be used to prevent malware from taking over an application to gain access to other assets on the same network.
As concern regarding the security of connected personal electronics and IoT devices continues to rise, a new generation of ICs is emerging in surface-mount packages that provide the protection of a secure microcontroller in a form factor suitable for use in embedded systems.
Various types are available, such as crypto-companion ICs that operate alongside the standard host microcontroller or fully-certified devices that perform as a secure element featuring a secure operating system and capable of managing authentication, secure communication, and key provisioning. These types of devices can provide extremely high assurance levels, such as EAL5+ of the Common Criteria (CC) security-industry framework. On the other hand, their small size, low power consumption, and convenient supporting ecosystem help simplify design-in to resource-constrained embedded systems.
As electronic devices become increasingly central to the way people work, make daily purchases, engage socially, manage finances, and control infrastructures and resources, electronic security provides all-important stability and protection. The advances made in the card-payments industry have proved effective and are now incorporated in ICs at the heart of the connected wearables and IoT devices powering the next generation of electronically-enhanced living.
Industry Articles are a form of content that allows industry partners to share useful news, messages, and technology with All About Circuits readers in a way editorial content is not well suited to. All Industry Articles are subject to strict editorial guidelines with the intention of offering readers useful news, technical expertise, or stories. The viewpoints and opinions expressed in Industry Articles are those of the partner and not necessarily those of All About Circuits or its writers.