Technology has a nearly unlimited capacity to enrich our lives and change the world. But that technology must be built on a strong foundation of security and trust. To offer best-in-class product security assurance, technology providers are investing in secure development practices, emerging threat research, tool and methodology pathfinding, security incident handling, continuous education for employees, and much more.
Securing technology products is one of the industry’s most pressing and challenging goals. In this two-part article, I would like to first examine five key factors that make product security assurance – particularly with hardware – a challenge. In part two, I will discuss how these challenges can be addressed with the help of strong, strategic collaborations between the industry and academia. After all, product security assurance is a team sport.
Why is it so challenging to secure hardware technologies?
Disruptive nature of new research
Continuous research and innovation help bring new products and technologies to consumers every day. Just look at smartphone battery life or fuel efficiency in cars. But when it comes to product security, the market follows a different paradigm.
Security research brings knowledge about new attack vectors and exploitation mechanisms that were previously unknown. They could render best-in-class protections completely inadequate. Products that have employed state-of-the-art defenses designed to address today’s known security concerns can still be vulnerable to tomorrow’s new attacks.
Ever-expanding risk exposure
It is no secret that the threat landscape is changing rapidly. The market saw a record number of reported vulnerabilities in 2020. Rather than being slowed down by the pandemic, threat actors are actually speeding up. From conception to retirement, technologies are exposed to many software and hardware vulnerabilities throughout their lifetime.
Specifically, technologies that have longer intrinsic product lives – such as the microprocessors found in vehicles and critical infrastructures – have a longer window of risk exposure. Increased product refresh cycles and backward compatibility support extend those lifecycles, further adding to this challenge. As technology products continue to get more complex in support of additional use cases, the attack surface is expanding. All of these factors present more exposure avenues that today’s hardware technology providers must overcome.
Disproportionate expectations between product security and functionality
Consumers and end-users tend to maintain a much higher expectation on product security than they do on functionality. Here is an example to illustrate what I mean.
Even though cellular network providers have upgraded their networks to the latest 5G standard, many users today are still using their older 4G smartphones. With 4G phones on 5G networks, users typically would not expect their phones to magically support any 5G features, such as a generous increase in data download speed. They understand their phones are purposely built to support up to the 4G standard and the associated protocols.
Yet, it is rather common to find users expecting the same phones to offer robust security over both 4G and 5G networks. Moreover, for as long as they keep their phones, users expect these devices would continue to work flawlessly against any of the yet-to-be-found security exploits that researchers may find in the future.
While users do not expect a technology product to be future-proof with its features, they do expect the same product to be future-proof in its security. These incongruent expectations put added pressure on vendors around security.
Dynamic nature of product security requirements
The security requirements for technology products are anything but static. They often continue to evolve after a product launches and create new security challenges. For instance, new government regulations and policies may emerge following significant security or privacy incidents.
While this may be more pronounced in the information security domain – where regulators establish privacy acts and data protection laws – the same could also happen for general technology products. As hardware solutions become more integrated into our day-to-day lives, our safety is increasingly dependent on the security robustness of these technologies. Just look at medical devices or autonomous vehicles. New policies and standards often come when emerging solutions run the risk to do more harm than good.
Solutions that support robust in-field update capability are better positioned to scale with product security requirement changes. But technology providers must stay up to date on the latest regulatory developments and be prepared to implement necessary updates that ensure compliance.
Such rapid changes to product security requirements become particularly challenging when it comes to hardware. In stark contrast to software, hardware technologies take years to develop, and the process for resolving new security issues involves much more than a quick patch. It often requires tight collaboration among researchers, software vendors, operating system vendors, hardware manufacturers, customers and other ecosystem partners.
Robust in-field update infrastructure still uncommon
Unfortunately, many hardware technologies available in the market today do not offer a robust, in-field update solution. This is especially true for chips used in a resource-constrained environment such as IoT devices and sensors. This can present some significant hardware security challenges.
Take home automation technologies as an example. More and more users have installed a variety of connected devices in their homes, including smart devices like thermostats, doorbells, cameras, wall plugs, and more. Users often need to install various smartphone apps to help manage devices from different IoT vendors.
Many of these smart devices cannot perform remote update on their own without the associated smartphone app or smart hub serving as the middleman. In addition, firmware updates are often not automatically initiated unless the users first open each vendor app. These high-touch user interactions present a practical roadblock to facilitate timely deployment of critical security patches.
For devices that have direct internet connections to perform updates on their own, if not designed or implemented correctly, the update mechanism could present a convenient attack surface for adversaries to introduce malicious code to the devices. Adversaries can then use the compromised devices as launching pads to attack other systems sharing the same network.
Hardware security is easily one of the most challenging technology disciplines today. Researchers and adversaries are constantly looking for new weaknesses, while product usage models and security regulations are a moving target.
Beyond that, user expectations for security have never been higher. The process for deploying hardware security patches remotely is often far more intricate than that of software. What can be done? In Part 2 of this article, I will explore some areas of innovation and collaboration that have the potential to deliver outsized impacts to hardware security.
About the Author:
Jason M. Fung is Director of Academic Research Engagement & Offensive Security Research at Intel