Embedded Hardware Authentication

The Incognito Forensic Foundation (IFF) lists its top 5 latest cybersecurity technologies and trends, and I thought it would make sense to pick one of them for this blog, so I decided to go with Embedded Hardware Authentication (A. 2019, November 8).

What is Embedded Hardware Authentication? As the term states, it is authentication that is embedded into the hardware itself to add an extra layer of security. Normally, users log in to a machine using a PIN and/or password, which can easily be compromised; embedded authentication verifies the user’s identity before it lets them access the device. Most of us are aware of two-factor authentication, but with this latest trend an organization can implement two, three, or even four different methods of authentication in a row to enhance security. Under Embedded Hardware Authentication, things work slightly differently than we’re used to. For example, users don’t necessarily receive a PIN sent to their phone to log in (a common method of two-factor authentication). Instead, Intel Authenticate might require users to download an app to their phone. It then looks for the phone’s Bluetooth signal to verify the user’s identity and confirm that they are actually at their desk. It’s similar to “keyless cars” that use the key’s signal to confirm the owner is nearby before letting them unlock the car, and start or stop it, without physically using the keys (Hachman, M. 2016, January 20).
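The chained check described above, sketched as an added example (not code from Intel or from the original post): a PIN factor followed by a phone-proximity factor that fails closed when the phone's sighting is missing, stale, or too weak. The RSSI threshold, freshness window, factor names and sample enrollment are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed values for illustration only, not Intel Authenticate's parameters.
RSSI_MIN_DBM = -65       # weaker signal than this counts as "not at the desk"
MAX_READING_AGE_S = 10   # older phone sightings are treated as missing

@dataclass
class BleReading:        # assumed to come from an already paired, authenticated link
    device_id: str
    rssi_dbm: int
    seen_at: float       # epoch seconds of the last sighting

@dataclass
class LoginAttempt:
    pin: str
    now: float
    reading: Optional[BleReading]

Factor = Tuple[str, Callable[[LoginAttempt], bool]]

def pin_factor(salt: bytes, expected: bytes) -> Callable[[LoginAttempt], bool]:
    def check(a: LoginAttempt) -> bool:
        got = hashlib.pbkdf2_hmac("sha256", a.pin.encode(), salt, 100_000)
        return hmac.compare_digest(got, expected)   # constant-time compare
    return check

def proximity_factor(paired_id: str) -> Callable[[LoginAttempt], bool]:
    def check(a: LoginAttempt) -> bool:
        r = a.reading
        if r is None or r.device_id != paired_id:
            return False                             # fail closed: no phone, no login
        if not 0 <= a.now - r.seen_at <= MAX_READING_AGE_S:
            return False                             # stale or future-dated sighting
        return r.rssi_dbm >= RSSI_MIN_DBM
    return check

def authenticate(a: LoginAttempt, factors: List[Factor]) -> Tuple[bool, Optional[str]]:
    """Run the factors in a row; return (ok, name of the first factor that failed)."""
    for name, check in factors:
        if not check(a):
            return False, name
    return True, None

# Constructed sample enrollment: PIN "4921", paired phone "phone-01".
SALT = b"constructed-salt"
FACTORS: List[Factor] = [
    ("pin", pin_factor(SALT, hashlib.pbkdf2_hmac("sha256", b"4921", SALT, 100_000))),
    ("phone_proximity", proximity_factor("phone-01")),
]
```

The name of the failed factor is returned for audit logging only; it should not be shown to the person logging in.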

So why do we need embedded security? Embedded devices are very different from standard PCs, which is why they are called embedded. They are designed to perform a pre-configured task, and most of them use a specialized operating system such as VxWorks, MQX, or Integrity, or a stripped-down version of Linux. Installing new software or a patch on the system requires a specialized upgrade process, so it’s not as simple as it seems: consider how many embedded devices there are in a smart car such as a Tesla, where upgrading the OS on every piece of embedded hardware would be nearly impossible. Because these devices are vulnerable, there have been several well-documented attacks on embedded devices, ranging from hacked vehicle anti-theft and control systems to hijacked printers that sent copies of documents to the hacker’s computer. Many embedded devices include password-protected logins and encrypted protocols such as SSH or SSL, but these are not sufficient; otherwise we wouldn’t see security breaches in the media every day, which is why embedded hardware authentication is needed. Embedded hardware also faces several security challenges of its own; here are some of them (Security Requirements for Embedded Devices What is Really Needed? | Icon Labs. (n.d.)):

  • Critical functionality: Embedded devices control transportation infrastructure, utility grids, communication systems, and many other capabilities modern society relies upon. Interruption of these capabilities by a cyber-attack could have catastrophic consequences.
  • Replication: Once designed and built, embedded devices are mass-produced. There may be thousands to millions of identical devices. If a hacker can build a successful attack against one of these devices, the attack can be replicated across all devices.
  • Security assumptions: Many embedded engineers have long assumed that embedded devices are not targets for hackers. These assumptions rest on outdated beliefs, including the belief in security by obscurity. As a result, security is often not considered a critical priority for embedded designs. Today’s embedded design projects are often including security for the first time and have no experience or previous security projects to build upon.
  • Not easily patched: Most embedded devices are not easily upgraded. Once they are deployed, they will run the software that was installed at the factory. Any remote software update capability needs to be designed into the device to allow security updates. The specialized operating systems used to build embedded devices may not have automated capabilities that allow easy updates to the device firmware to ensure security capabilities are frequently updated.
  • Long life cycle: The life cycle for embedded devices is typically much longer than for PCs or consumer devices. Devices may be in the field for 15 or even 20 years. Building a device today that will stand up to the security requirements of the next two decades is a tremendous challenge.

As computer hardware technologies grew in popularity, Intel went ahead and launched chips that include this technology under the name “Intel vPro”, which includes VT-x, VT-d, Trusted Execution Technology (TXT), and Intel Active Management Technology (AMT). It was first released back in 2007, when Intel also started printing vPro on their chips, as shown below:

Intel has released several chips since 2007 that include vPro, but their latest 8th Gen Intel Core series processors, launched in April 2019, are even more secure: for example, they require a Trusted Platform Module (TPM) cryptoprocessor chip and an internet connection (wired or wireless) before some of the security features can be enabled (Casey, H. T. 2019, April 16).

Embedded Hardware Authentication is getting more popular every day because attacks on desktops, servers, and PCs are increasing, so most organizations are moving to enhance their security as soon as possible. Embedded devices are now interconnected throughout our everyday life, as this is the Internet-of-Things (IoT) age. We now use embedded devices in our cars, our offices, our houses with home automation, on our skin with the influx of wearables, and sometimes even in our bodies (e.g. pacemaker, insulin pump). To give some idea of this growing trend, about 6.4 billion devices were connected in 2016, an increase of 30% from 2015. Soon, the number of embedded devices connected to the Internet will be greater than the number of PCs. Therefore, it is becoming important to consider potential risks (i.e. information security, privacy, or safety). As more and more consumers and organizations rely on hardware-based authentication, industrial organizations have started with the embedded hardware platform as well. In industrial plants, any asset connected to the industrial internet of things (IIoT) without proper security is at risk of cyber-attack as well (N. 2019, June 21).


Resources:

(2019, November 8). The 5 Latest Cyber Security Technologies for Your Business. IFF Lab. https://ifflab.org/the-5-latest-cyber-security-technologies-for-your-business/

Research, A. (2020, June 24). Embedded Hardware Security Shipments to Hit 5 Billion by 2024, Driven by Increasing IoT Cyber Protection Demands. CISION. https://www.prnewswire.com/news-releases/embedded-hardware-security-shipments-to-hit-5-billion-by-2024-driven-by-increasing-iot-cyber-protection-demands-301082288.html

Hachman, M. (2016, January 20). Intel’s Authenticate tech brings simple-but-powerful security to Skylake chips. PCWorld. https://www.pcworld.com/article/3024314/intels-authenticate-tech-brings-simple-but-powerful-security-to-skylake-chips.html

N. (2019, June 21). Industrial Cybersecurity Starts at the Embedded Hardware Platform. Tech Monitor. https://techmonitor.ai/techonology/cybersecurity/industrial-cybersecurity-embedded-hardware

Security Requirements for Embedded Devices What is Really Needed? | Icon Labs. (n.d.). ICON Labs. Retrieved May 22, 2021, from https://www.iconlabs.com/security-requirements-embedded-devices-%E2%80%93-what-really-needed
