
By the Time Your Customers Tell You They Need Security, It Will Be Too Late

Pim Tuyls, Founder & CEO

During a conversation with one of Intrinsic ID’s customers, I spent a few minutes talking about security – the risks from hackers, the ramifications of a breach, etc. After a while he stopped me and said, “Pim, only 15 percent of my customers are asking for security. It doesn’t justify this much effort.”

I looked at him and asked one question: “Two years from now, when your customers realize the risks they face and ask you for this, what will you say?”

He had been missing the point – and the opportunity – but I understood why. Most people are good at not addressing the problems we’re facing, and it happens in business as well.

This story came to mind as I’ve been thinking about our upcoming Security Summit next week. I find it important to think about security not just in terms of technology, but in terms of the ramifications that breaches have on business.

The IoT is Growing – So is the Risk

The risk of breaches is multiplied in the Internet of Things. What is the IoT? At its core the IoT is simply a network of devices that are connected and make decisions autonomously – that is, without human intervention. Traffic lights change colors without being told when, or which color to display. Gateways, security cameras, drones – all are connected, and being connected means they are all at risk of being hacked.

We all know how rapidly the IoT is growing. In fact this growth is exponential. But it also means we face an even faster growing exponential attack surface. Let’s look at some numbers.

Sometimes during speaking appearances I ask how many in the audience own more than five connected devices. Then ten. Usually a number of hands are still in the air by the time I get to 60, and I was once in a meeting with someone who claimed to have more than 85 connected devices. Remember what I said about exponential growth?

About two billion PCs exist worldwide. About three billion smartphones. And already eight billion connected IoT devices. And what are the predictions? Softbank says 1 trillion connected devices by 2035.

And what’s happening in terms of the number of IoT device attacks? We’re seeing more of them. More on this later.

The Attacker’s Tool: Deception

So what is in the toolbox of an attacker? Deception. This was known thousands of years ago, in the time of Sun-Tzu, whose “The Art of War” asserted that deception is the most powerful tool of the attacker. Today nothing has changed; it’s still about deception. All big battles have been won this way – D-Day on the beaches of France to turn the tide in World War II, and the Battle of Cannae by the Romans. World-changing battles in history, and all won by deception.

It’s no different for the IoT. How do you win by deception? It has a lot to do with impersonation. This can be applied at the device level – a device claims to be a device it is not, by asserting it has the credentials of another device.

Robert Joyce’s name is one I bring up from time to time, although not everyone knows who he is. He was head of the Tailored Access Operations Group and has downplayed zero-day vulnerabilities as overrated, asserting that “credential stealing is how to get into networks.”

Almost all security problems are authentication problems. If you can authenticate who is on the other side, you can know who is legitimate and who is not.

Let’s look at what this means for the IoT. Think about a car. A hacker can attack a car right now, and he doesn’t need the IoT; he can just do it in the parking lot. But with the IoT this guy can simultaneously hack 1, or 10, or 1,000 cars, possibly in various cities around the world. And the bigger problem is that, with the IoT, the hacker can be ANYWHERE and make these attacks; he need not be physically near the hacked devices.

Now think about the freeways you drive on each day. And how many cars you share the freeway with. Worried yet?

Back to some numbers, this time about breaches that businesses face. Results of a survey conducted by Altman Vilandrie & Company indicate that small companies – those with annual revenue less than $5 million – experience an average annual breach cost equivalent to 13.4 percent of total revenue. And for companies with annual revenue greater than $5 billion, the annual breach cost is greater than $20 million. After incidents such as these, executive teams are sometimes fired, so this is not a minor matter.

Why do these things happen? As you can see in the accompanying table, the fact is attackers have most of the advantages. An attacker has unlimited time, so he can be patient and wait until a vulnerability presents itself. The attacker has the flexibility to choose any target; he is not bound by geography. Attackers are usually not constrained by budget the way targets are. An attacker can utilize unlimited power compared to the target, because the hacker can access as much power as he needs, whereas the target IoT device has limited resources and sometimes runs on battery power only. And the attacker has the flexibility to utilize temperature range to his advantage, invoking extreme cold or extreme heat if it will help gain access.

Attackers Have Most of the Advantages

So to start thinking about a solution, think of a voice-assisted device, which combines components such as a microprocessor, a microphone, memory, a connectivity chip, etc. The same goes for a connected car. IoT security starts with the semiconductor. Authenticating such a device requires an unclonable identity. Where can it come from? Well, what is better than what is intrinsically in the device? We determine the physics of the device and use that to build an identity. Any connected device – a voice-assisted device, a connected car, a drone, a watch, a thermostat, a light bulb – has its own identity. With that we can authenticate the device, protect the data’s integrity and ensure the data’s confidentiality. When I talk about unclonable identities, I sometimes draw an analogy with human identities.

 

Human and Device Identities Compared

 

Think about it:

  • A human has a fingerprint, and (certainly with SRAM PUF) so does a semiconductor device
  • Humans have a birth certificate issued by a government authority, and a device has a device certificate issued by a certificate authority
  • People have a passport or visa, and devices have registration to the cloud

My point here is that the birth certificate, the device certificate, the passport, the visa, the cloud registration – any one of these can be cloned. But in combination with an unclonable identity, as we do with IoT devices, it’s very difficult to bypass the authentication safeguards.

The bottom line is that if we want to make the IoT successful, we need authorization we can count on. And that requires security based on an unclonable identity – even if you don’t think it’s needed TODAY.

Because, back to the point of the question I started this blog with, one day your customers will realize they need security. And what will you do then?

 

 

Pim Tuyls | CEO, Intrinsic ID

Pim Tuyls, CEO of Intrinsic ID, founded the company in 2008 as a spinout from Philips Research. It was at Philips, where he was Principal Scientist and managed the cryptography cluster, that he initiated the original work on Physical Unclonable Functions (PUFs) that forms the basis of Intrinsic ID’s core technology. With more than 20 years of experience in semiconductors and security, Pim is widely recognized for his work in the field of SRAM PUF and security for embedded applications. He speaks regularly at technical conferences and has written significantly in the field of security. He co-wrote the book Security with Noisy Data, which examines new technologies in the field of security based on noisy data and describes applications in the fields of biometrics, secure key storage and anti-counterfeiting. Pim holds a Ph.D. in mathematical physics from Leuven University and has more than 50 patents.

 
