Nothing is True and Everything is Possible

Pim Tuyls, Founder & CEO |

At panel discussions on IoT security, such as those at the recently completed RSA Conference, speakers often cover topics such as “the expanding attack surface” and “zero-day vulnerabilities.” One attack vector that’s often missing and highly underrated in those discussions is – and I’m sure Robert Joyce would agree with me – “Deception.”

Deception was known to be effective thousands of years ago, in the time of Sun-Tzu of “The Art of War,” which asserted it as the most powerful tool of the attacker. All big battles have been won this way. Think of the Battle of Canae by the Romans, or D-Day on the beaches of France turning the tide in World War II. World-changing battles in history, and all won by deception.

Today, with the advent of IoT, this is no different. How do you win by deception? It has a lot to do with impersonation. For example, in the military, if hostile signals pretend to be coming from your drones, you are in big trouble. And if in the near future smart traffic lights have been tampered with, sending out deceiving signals to autonomous cars, the outcome can be disastrous.

A villain can attack one car right now, but can do it just in the parking lot. But with the IoT a hacker can simultaneously hack 1, 10 or 1,000 cars, possibly in various cities around the world. And the bigger problem is that, with the IoT, the hacker can be ANYWHERE and make these attacks; he need not be physically near the hacked devices. He can be on the other side of the ocean.

Authentication is the Key

Robert Joyce’s name is one I bring up from time to time, although not everyone knows who he is. He was head of the Tailored Access Operations Group and has downplayed zero-day vulnerabilities as overrated, asserting that “credential stealing is how to get into networks.”

Almost all security problems are authentication problems. If you can authenticate who is on the other side, you can know who is legitimate and who is not. But how do you authenticate a device? A drone or a car? Hence the title of this article – it is possible the request to access your device is legitimate, but it might not be.

When I talk about device authentication, I often draw the human analogy. Customs officers identify people by their passport. And for some countries it must be accompanied with a visa. To be really secure, they have to verify your identity by checking your fingerprints.

For devices that connect to the cloud it’s very similar. Devices identify themselves in the cloud by showing their device-unique certificate. This certificate has been registered at the cloud provider and certain permissions are linked to it – similar to a visa on a passport. But it is not very hard to copy certificates from one device to another. Identification is not enough. The identity needs to be verified. And the best way to do this – the unclonable way – is by checking something that’s unique to the device. Some unique element in the hardware of the device that cannot be copied from one device to another.

PUF as a Device Fingerprint

At Intrinsic ID we use a “fingerprint” that can be found in the static random access memory (SRAM) of every chip. This fingerprint is called an SRAM physical unclonable function (PUF). Just as human fingerprints are unclonable, that device-unique fingerprint is also unclonable. Combined with the device certificate, which serves as a passport, we can build unclonable device identities. For every connected device – a voice-assisted device, a connected car, a drone, a watch, a thermostat, a light bulb – we can create an unclonable identity based on PUF that makes it very difficult to bypass the authentication safeguards. With that we can securely authenticate the device, protect the data’s integrity and ensure the data’s confidentiality.

The bottom line is that if we want to make the IoT successful, we need authentication we can count on. And that requires security based on an unclonable identity.

Pim Tuyls, CEO of Intrinsic ID, founded the company in 2008 as a spinout from Philips Research. It was at Philips, where he was Principal Scientist and managed the cryptography cluster, that he initiated the original work on Physical Unclonable Functions (PUFs) that forms the basis of Intrinsic ID’s core technology. With more than 20 years experience in semiconductors and security, Pim is widely recognized for his work in the field of SRAM PUF and security for embedded applications. He speaks regularly at technical conferences and has written significantly in the field of security. He co-wrote the book Security with Noisy Data, which examines new technologies in the field of security based on noisy data and describes applications in the fields of biometrics, secure key storage and anti-counterfeiting. Pim holds a Ph.D. in mathematical physics from Leuven University and has more than 50 patents.