Lattice Semiconductor Guards Against Firmware and Supply Chain Attacks
August 15, 2020 by Jake Hertz
Hardware attacks most commonly occur at the firmware level or during manufacturing. Now, Lattice Semiconductor is releasing two products to protect hardware.
With the emergence of major technologies such as the Internet of Things and edge computing, security in hardware systems has become of the utmost importance. That said, it’s no surprise that companies are constantly seeking new ways to increase security for their devices.
This week, Lattice Semiconductor released two new products—Lattice Sentry and Lattice SupplyGuard—designed to guard against firmware attacks and supply-chain breaches. To understand the place of these two platforms in terms of hardware security, it's first important to discuss the different ways security can be compromised.
Hardware Security Considerations
Breaches in hardware security come in many different flavors and can occur at different stages in a product’s life cycle. The most common hardware attack methods, according to Concordia University, include:
- Physical attacks: when an attacker physically probes the device to uncover information or manipulate the functionality
- Firmware attacks: when an attacker manipulates or uploads malicious firmware to a device
- Supply chain attacks: when a device is maliciously tampered with or IP is stolen during the manufacturing and/or distribution of a device
Example of a supply chain attack. Image used courtesy of Microsoft
The Particular Danger of Firmware Attacks
Recently, firmware has become an increasingly popular attack vector. According to the National Vulnerability Database, between 2016 and 2019, the number of firmware vulnerabilities grew over 700 percent.
Firmware attacks are particularly dangerous for a variety of reasons. For starters, firmware vulnerabilities allow attackers to compromise a device before it has even booted up. The attacker does this by pushing malicious software into the low-level code that controls the hardware before and after system initialization.
Secondly, a hacker does not need to come into physical contact with a device to deliver a firmware attack. These attacks can be done remotely via Wi-Fi, Bluetooth, or any other kind of network connectivity. Now, with devices becoming increasingly connected (such as IoT or 5G-connected devices), this possibility poses an even greater threat.
Lattice Aims to Guard Firmware and Supply Chains
Jumping on the trend toward hardware security, Lattice Semiconductor has announced two new security solutions: Lattice Sentry and Lattice SupplyGuard.
According to Lattice Semiconductor, Sentry is a robust combination of customizable embedded software, reference designs, IP, and development tools to accelerate the implementation of secure systems compliant with NIST Platform Firmware Resiliency (PFR) Guidelines. The main idea behind Sentry is that it enforces strict, real-time access controls to all system firmware during and after system boot.
If corrupt firmware is detected, Sentry automatically rolls back to a previous known-good version of the firmware so secure system operation continues without interruption.
The Lattice Sentry stack. Image (modified) used courtesy of Lattice Semiconductor
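The detect-and-recover behavior described above, shown as an added example that is not Lattice's code and not part of the original article: a pre-boot check authenticates the active firmware image and restores a known-good copy if the check fails. The two-slot flash layout, the function names, and the use of HMAC-SHA256 as a stand-in for the signature check a real root of trust would perform are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the key and images are made up for this example.
ROT_KEY = b"constructed-demo-key"  # stand-in for the root of trust's verification key


def sign(image: bytes) -> bytes:
    """Authentication tag stored next to an image (HMAC stand-in for a signature)."""
    return hmac.new(ROT_KEY, image, hashlib.sha256).digest()


def is_authentic(image: bytes, tag: bytes) -> bool:
    """Detection: constant-time check of an image against its stored tag."""
    return hmac.compare_digest(sign(image), tag)


def boot_decision(flash: dict) -> str:
    """Run before the host is released from reset.

    flash holds two hypothetical slots, 'active' and 'golden', each {'image', 'tag'}.
    Returns 'boot-active', 'recovered', or 'halt'.
    """
    active, golden = flash["active"], flash["golden"]
    if is_authentic(active["image"], active["tag"]):
        return "boot-active"
    # Recovery: only a golden image that itself verifies may replace the active one.
    if is_authentic(golden["image"], golden["tag"]):
        flash["active"] = dict(golden)
        return "recovered"
    # Neither image can be trusted: keep the host in reset rather than boot it.
    return "halt"


def make_flash() -> dict:
    """Build a constructed flash layout with matching active and golden images."""
    good = b"FW v1.0 constructed image"
    return {"active": {"image": good, "tag": sign(good)},
            "golden": {"image": good, "tag": sign(good)}}


if __name__ == "__main__":
    flash = make_flash()
    flash["active"]["image"] = b"FW v1.0 tampered image"  # simulated corruption
    print(boot_decision(flash))  # recovered
    print(boot_decision(flash))  # boot-active
```

The "halt" branch matters as much as the rollback: if the golden copy fails verification too, restoring it would only replace one untrusted image with another.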
SupplyGuard, on the other hand, focuses system protection on the supply chain. The solution works to deliver factory-locked devices, protecting them from attacks like cloning and malware insertion and enabling secure device ownership transfer.
According to Lattice Semiconductor, SupplyGuard works to protect OEMs by ensuring only authorized manufacturers can build an OEM’s design, regardless of their location. The service provides OEMs with a secure key infrastructure to prevent the activation of their IP on unauthorized components in order to stop product cloning and overbuilding.
Upping Security as IoT Booms
These two solutions by Lattice Semiconductor show the industry’s focus on relieving security issues as technologies such as the IoT and edge computing emerge. It seems Lattice hit the nail on the head by providing companies with ways to protect devices from firmware and supply chain-related attacks—two of the most prominent attack vectors today.
As device connectivity increases, solutions like these will become exponentially more valuable.