Recently, Semiconductor Engineering interviewed Paul Kocher, president and chief scientist of the Rambus Cryptography Research division, about various security risks associated with the rapidly evolving Internet of Things (IoT).
In part one of the interview, Kocher told the publication that the industry is still more concerned with making a chip work than securing it.
“[This] approach at some point has to change, but the question is how bad does it have to get before people really care,” he explained.
As Kocher notes in part two, numerous airline companies actively collaborated during the early days of aviation by asking the government to regulate critical safety issues.
“People were dying and it was keeping the public away from airplanes, so even if an airline was doing a good job these issues made everyone look bad,” he said. “There is a possibility that someday we’ll end up with connected devices being highly regulated. I dread that, but I don’t see any other long-term solution because [certain] marketing messages are completely uncorrelated to technical reality.”
More specifically, says Kocher, there are companies that will routinely “check a box” to expedite the process of launching a new product.
“They want the least intrusive, least comprehensive evaluation possible,” he continued. “And then there are companies that have been hacked that want to understand their risk and mitigate it. If you get check boxes without teeth behind the consequences, it doesn’t help. If you can get liability and skin in the game for companies that control the risk, it would be transformative.”
As Kocher points out, there are a number of secure (containment) solutions that are beginning to appear on the market, including NXP chips.
“What happens in your processor is going to be independent of another chip, so it’s going to be decoupled even if the processor fails,” he explained. “The Crypto Manager cores [built by the Rambus Cryptography Research division] function within a chip as a separate security perimeter.”
Kocher also emphasized that some of the most frightening security threats involve people with modest resources who hire someone like a college undergraduate to find a bug.
“If the attack unfolds very slowly you can deal with it. If it happens quickly, you have to respond with stronger defenses. [As such], we need to focus on defenses that are more reliable and durable,” he added.
“We already have mathematical defenses. Turning that into something that can stand up to a level of threat gets us part of the way there. Turning off an application that is behaving badly but doesn’t damage the hardware—that’s something you can handle through risk management later.”