A new vector of cybersecurity threats is on the rise – this time in hardware security.
The essence of power analysis, which is a type of side-channel attack, is the study of power consumption or electromagnetic emission of a device to acquire cryptographic keys or other secrets processed by the device.
A side-channel attack is analogous to the process of cracking the code of a bank safe by listening with a stethoscope to the faint sounds the lock makes when the right numbers are selected on the dial.
Criminals collect traces of power consumption (reading them with an oscilloscope) while using the device in the ways it is supposed to be used. Small variations in power consumption during normal operation can be captured, and they reveal the nature of the computations performed by the device and even the secret key stored inside.
Side-channel attacks, such as Differential Power Analysis (DPA), Electromagnetic Emissions Analysis (EMEA), especially its Differential Electromagnetic Analysis or DEMA variety, Fault Injection Analysis (FIA), etc., are relatively easy and cheap to mount against cryptographically protected devices.
To launch a side-channel attack, all the bad actor needs is physical access to the target device or facility, an oscilloscope, a computer with statistical analysis software and a couple of parts easily found online.
The process of trace collection can be performed by virtually anyone without a technical background, and it may take anywhere from a couple of hours to several days, depending on the device’s complexity and built-in protection.
So, What Exactly Are They After?
The objective of the trace collection and analysis is extracting the global cryptographic key, which gives bad actors control of the device and all other devices produced by the same manufacturer that share the same key. In some cases, identical keys are shared only by one product, in other cases by several products, and still in others, across the entire portfolio produced by the same manufacturer, which may mean millions of deployed devices.
Side-channel attacks aim at compromising the Root of Trust (RoT), which is a source that can always be trusted within a cryptographic system. Known as an HSM (Hardware Security Module), it is a tamper-resistant special-purpose element that generates and protects secure keys and performs cryptographic functions inside the device.
A side-channel attack on an RoT such as an HSM ultimately leads to gaining control of the device and assuming or stealing its identity.
Instead of targeting a vulnerability in the software, attackers can exploit the hardware, injecting commands directly at the hardware level or installing malicious programs. The attackers can passively gather data, actively execute specific commands, or completely take control of a target’s endpoint and other targets that share the same security key via the network, internet connection, or in close physical proximity.
Loss of control over the hardware can be impossible to patch or remediate; when it happens, the device will need to be physically replaced by the next product version, hopefully one designed to resist side-channel attacks.
Some major manufacturers have recently been exposed as having an “unpatchable bug” or “not sufficient protection” in their secure element. If this vulnerability enables a break-in into the secure element, the SoC or microchip manufacturer might need to redesign the power consumption and protection of its device. Sometimes it could go as far as making a new silicon revision, running production, testing again, and recalling and potentially replacing all SoCs currently installed in OEM products around the world with the patched version.
One can only imagine the cost to everyone involved, the risk to the product makers, exposure of product users and the damage to reputation resulting from the incident.
Undetected and Dangerous
What makes an intrusion via side-channel particularly insidious is that the break-in cannot be detected.
Terrorists, thieves, or hackers involved in a physical attack or a cyber-attack leave signs of their intrusion and presence – visual, physical, digital. Their activities leave evidence allowing law enforcement to potentially track and catch the perpetrators.
After accessing the target device, the side-channel attacker can leave and there will be no evidence of any tampering with the device itself – all the perpetrator did was measure its power consumption.
Critical Infrastructure Is the Most Vulnerable Target for a DPA-Type Attack
Critical Infrastructure is especially vulnerable, because often the facilities and equipment are placed in remote or unmanned locations. If the premises or hardware can be physically accessed, they can be infiltrated by side-channel attackers, capable of compromising the entire infrastructure.
Electric grids, warning systems, nuclear plants, smart buildings, transportation networks, refineries, WANs, even cloud-computing providers with data centers outfitted with the stacks of the same equipment – all are juicy targets for malefactors – individuals or state-sponsored.
How Many Scientists Does It Take to Turn Off the Lightbulb?
Four. In 2016, a group of Israeli and Canadian researchers (Dr. Eyal Ronen, Dr. Colin O’Flynn, Dr. Adi Shamir, and Achi-Or Weingarten) found a vulnerability in cryptographically protected Philips smart lightbulbs using only readily available equipment costing a few hundred dollars and mounted an attack against them. They injected a simple instruction code that would turn a bulb off and instruct other bulbs in proximity to turn off, resulting in a blackout wave.
The research group made the following disturbing observation about the attack they created: “The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.”
Using the example of the Philips break-in, they demonstrated that the problem is dangerous and widespread, showing how future real attacks on this type of infrastructure could be devastating compared to the benign experimental Philips attack.
Getting to the Critical Infrastructure Through the Side Door
In addition to protecting obvious targets that present the highest security risk, it’s critical to apply the same care of protection to all devices located in proximity or physically connected to the most secure and protected assets.
While these auxiliary benign devices like TVs, air conditioners, cellphones, etc., are not the primary targets of interest, they can be used as an entry point into an otherwise secure infrastructure.
Imagine if one air conditioner is broken into and all your data center’s AC units are now turned off. A few hours later, servers start shutting down, and some burn out. All ACs will need to be replaced, an expensive and time-consuming proposition. Can you afford not to have your data center up for several days? Or, take a TV. Nowadays, all TVs have microphones. What if all your conference rooms’ TVs start recording your meetings and transmitting the recordings to a bad actor?
With this real and present danger, how are manufacturers dealing with the risk of side-channel attacks on hardware Root of Trust?
Hardware Security Paradox: Manufacture Then Secure. Then Manufacture Again
Normally, security hacks are more expensive for bad actors to mount than it costs manufacturers to protect their products. It’s the opposite for power consumption-related vulnerabilities.
It’s extremely expensive to protect a chip against side-channel attacks like DPA, SPA, FI and EME, which is why many chips carry this “unpatchable bug” and set device manufacturers up for a break-in.
We call it The Hardware Security Paradox: you must produce the chip to analyze its power consumption traces and then test it, patch the vulnerabilities, and then manufacture it again, and again, until the last power-related weakness is removed.
It may cost millions of dollars in production runs and opportunity cost to go through multiple silicon modifications. In addition to the high cost, this tedious process may lead to delays in time-to-market. Late entry carries the risk that a competitor will get there first, if it has the ability to produce an unflawed device.
Traditional Methods of Protection Against Side-Channel Attacks
Since 1998, when side-channel attacks were first described by Paul Kocher, an American cryptographer, and his colleagues in a technical report titled “Differential Power Analysis”, scientists and manufacturers have been searching for reliable ways to mitigate the risk of side-channel break-in. Some of the methods they came up with include:
Post-silicon tools, services and security best practices. This method requires the right level of investment in a highly specialized and qualified security engineering team, plus multiple production runs that are discarded, and so it has a major downside: the cost of operations, eventually transferred into the price of the products.
Outsourced IP Cores resistant to side-channel attacks. These implementations are sold either as certified by a recognized body or covered by a guarantee for an upper limit of traces below which the security is assured (e.g. one million traces, which would take hackers only several days to generate). There is a downside in blindly trusting another party’s evaluation. They all carry a risk that an existing problem was not discovered – and the manufacturers have no way of validating that proper protection was indeed applied.
The most advanced global manufacturers hire cryptography and security engineers, build testing labs and develop proprietary methods of protection against side-channel attacks.
For the majority of brands, however, these are cost-prohibitive measures that are impossible to implement (talent scarcity) and impractical to invest in (will significantly increase product costs making them non-competitive).
Next-Generation Methods - Secure Then Manufacture
In order to minimize the costs of device security against side-channel attacks, a new method of fighting this vulnerability is being introduced: pre-silicon simulation that precisely simulates power consumption at the design stage.
The Hardware Security Paradox can therefore be solved by breaking the circle of design-produce-test-fix-produce. It’s more economical to work out vulnerabilities at the design stage, pre-silicon, without the need to manufacture the product first. Makers that purchase secure IP cores can acquire a simulator and verify that claims of security made by a third party are solid. With this approach, manufacturers can significantly reduce costs of protecting their products against side-channel attacks.
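One way such a design-stage check can be scripted, as an added example that is not from the original article or from any vendor's simulator: a fixed-vs-random Welch t-test (the TVLA-style leakage assessment) run over simulated power traces of an unprotected and a first-order masked design. The Hamming-weight power model, the three sample points, the key and plaintext bytes and the noise level are assumptions constructed for this example.

```python
import random
from statistics import mean, variance

THRESHOLD = 4.5  # |t| limit conventionally used in TVLA-style assessments
KEY = 0x01       # constructed secret byte held by the simulated device
FIXED_PT = 0x00  # constructed fixed plaintext for the "fixed" trace set

def hw(x):
    """Hamming weight: the assumed power model (one unit per set bit)."""
    return bin(x).count("1")

def simulate_trace(pt, masked, rng, noise=1.0):
    """Return a constructed 3-sample power trace for one operation."""
    mask = rng.randrange(256) if masked else 0  # fresh random mask per run
    points = [
        3.0,                  # sample 0: data-independent baseline activity
        hw(pt ^ KEY ^ mask),  # sample 1: key addition (sensitive value)
        hw(mask),             # sample 2: mask handling
    ]
    return [p + rng.gauss(0.0, noise) for p in points]

def welch_t(a, b):
    """Welch's t statistic for two sample sets of possibly unequal variance."""
    return (mean(a) - mean(b)) / (variance(a) / len(a) + variance(b) / len(b)) ** 0.5

def assess(masked, n=2000, seed=1):
    """Fixed-vs-random test: one t value per sample point of the trace."""
    rng = random.Random(seed)
    fixed = [simulate_trace(FIXED_PT, masked, rng) for _ in range(n)]
    rand = [simulate_trace(rng.randrange(256), masked, rng) for _ in range(n)]
    return [welch_t([t[i] for t in fixed], [t[i] for t in rand]) for i in range(3)]

def leaky_points(t_values):
    """Indices of sample points whose |t| exceeds the threshold."""
    return [i for i, t in enumerate(t_values) if abs(t) > THRESHOLD]

if __name__ == "__main__":
    for label, masked in (("unprotected", False), ("first-order masked", True)):
        t_values = assess(masked)
        print(label, [round(t, 1) for t in t_values], "leaky:", leaky_points(t_values))
```

A clean result here covers first-order leakage only; higher-order leakage needs its own tests.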