The global unrest has caused an increase in various cyberattacks, urging companies to adopt a zero-trust environment.
There are various risks that come with being a part of the digital world. Fraud, malware, and data theft are only some of the cyber threats that can be alarming for both regular users and companies. They can cause financial or reputational damage.
Ordinary Internet users tend to secure themselves with traditional measures, such as a password manager. However, businesses are in need of more complex solutions, for instance, PUF (Physical Unclonable Function) technology for IoT devices.
For this reason, we invited Pim Tuyls, the Chief Executive Officer and Co-Founder of Intrinsic ID – a company that provides security IP for embedded systems. Tuyls agreed to share his views regarding cybersecurity and the optimal threat prevention methods.
Tell us how it all began. How did the idea of Intrinsic ID originate?
Intrinsic ID was formed from the work I was doing as a principal scientist at Royal Philips Electronics. I was leading the crypto cluster group and our job was to identify and plan security needs of the future. I first started working with Physical Unclonable Functions back in late 2001, early 2002. Our team studied some of the earliest PUF implementations and a lot of our work was around something we called “Ambient Intelligence,” which was the precursor to what we refer to today as the Internet of Things (IoT).
Once we identified the need for security at the chip level and the applicability of PUFs to enable this – specifically SRAM PUF – Intrinsic ID was born. This was back in 2008 when we spun out of Philips and focused on commercializing the technology for the market. Flashing forward to today, SRAM PUFs are everywhere – we find them in more than 350 million devices ranging from network gateways to medical equipment like hearing aids, as well as laptops, wearables, and smart home voice-assisted gadgets.
You take great pride in your Physical Unclonable Function technology. Would you like to share more about how it works?
PUFs essentially create a “silicon fingerprint” or “biometrics of the chip” that can be turned into a cryptographic key unique to that individual chip. PUFs convert tiny variations in silicon into a digital pattern of 0s and 1s that is unique to that specific chip and is repeatable (but not predictable) over time. Since these characteristics are random and a natural part of the physical structure of a device, they are hard to duplicate, clone, or predict. What’s more is that PUFs require very little overhead, which is essential for IoT components.
In particular, the SRAM PUF uses the behavior of standard SRAM memory, available in any digital chip, to create a digital fingerprint of the chip. This can be used to differentiate chips from each other and is suitable for applications such as secure key generation and storage, device authentication, flexible key provisioning, encryption, and chip asset management.
In your opinion, which industries are especially vulnerable to attacks carried out via IoT devices?
IoT devices are pervasive in our world today and leave many industries at risk. Critical infrastructure is one where we have already seen the impact of a hack. The Colonial Pipeline attack illustrates the level of disruption that can result and how essential it is to protect and secure our systems at the component level. Cyberattacks against critical infrastructure also hit U.S. meatpacking plants and caused disruption to a wide range of sectors from fuel deliveries to health care provision, education systems, and more. Our cars are a huge risk today. Automobiles are full of IoT devices and sensors that rely on dynamic information. In autonomous driving mode, for example, a hack can result in severe damage – from tapping its GPS system to stopping a vehicle on the highway.
While these risks are significant, to me, the biggest threat of the IoT is that security at the base level may be overlooked and the weakest link can be the smallest, simplest sensor or device. While there are a lot of measures in place to protect mission-critical IT infrastructure with things like two-factor authentication and changing passwords, there isn’t the same level of awareness and caution around the low-cost devices (like those found in IoT) that can also pose a huge risk to manufacturers and ultimately users. For these types of components, there is a great need to add a device-level security foundation and further security measures and policies to protect networks and all elements of the IoT.
Have the recent global events altered your field of work in any way?
Yes, for sure – digital security is the top priority for everyone now – the stakes are much higher than ever before. Both as a business owner and as a security provider, I am encouraged by the Executive Order from the US White House which gives higher visibility to the need for a Zero Trust environment. Awareness is a key first step to making progress in implementing better security measures. Also, the growing movement – especially in Europe – for privacy and more regulation complements the need for higher-level security measures in all types of applications. Finally, COVID increased the number and severity of cyberattacks while also increasing the risk as we moved more of our lives online throughout the pandemic. Perhaps the most worrying issue of our time right now is the geopolitical situation in Russia/Ukraine – where cyber threats are playing a role in the ongoing conflict.
Demand for security is growing worldwide – we need to be aware and sensible about who we do business with and have procedures in place to protect valuable assets. This has made me increasingly diligent about our own security measures as well as how we operate and function, including ensuring the safety of our personnel and data. These are always concerns for any business but have risen to the top of the list with the recent world events.
As the world gets more connected, what threats associated with connected devices do you think can become a common occurrence?
Attacks on devices connected to the Internet of Things (IoT) are rapidly increasing. In the first half of 2021, the number of attacks on IoT devices grew by more than 100% to 1.5 billion in just six months! The typical areas of weakness that are exploited are things like weak passwords, lack of regular patches and updates, insecure interfaces, and insufficient data protection. And a new critical vulnerability is emerging. A recent study by Bishop Fox shows that the hardware random number generators (RNGs) used in billions of IoT devices fail to provide sufficient entropy. This makes hacking smart home devices – such as baby monitors and smart lights – more likely, and it can pose significant risks to users.
Another threat to the IoT is the installation of malicious software (malware) on IoT devices that changes the behavior of these devices to facilitate very specific attacks. This malware is often the first step toward the use of the device in a botnet that allows attacks like directed denial of service (DDoS), but also more subtle attacks that use the now-compromised device as a stepping stone toward further infiltration of connected systems that run critical processes.
What security tools and practices should everyone have in place to tackle these new threats?
One of the best ways to ensure security is to start at the device level. From the smallest sensors found in IoT devices to the core microprocessors managing critical infrastructure, device-level security is required. A comprehensive solution starts with the trustworthiness of the underlying hardware: chips and boards. Without sufficient security for every hardware component and its supply chain, the hardware itself cannot be trusted. Any given chip might have been tampered with, replaced, and/or counterfeited, as we learned with the Supermicro saga, which demonstrated the widespread risk in global supply chains.
Many times software is the focus of security, but software cannot be secure unless it leverages the trustworthiness and security of the underlying hardware on which it runs.
Hardware-first security is embodied in a zero-trust approach. Zero trust is an information security model based on the principle of maintaining strict access controls by not trusting anyone or any action by default, even those already inside the network perimeter. Each transaction is evaluated for need and risk.
What aspects of our daily lives do you hope to see enhanced by IoT devices in the next few years?
Every aspect of our daily lives is already being enhanced by IoT devices. Wearables, for example, give us critical information about our health status and fitness level that can help enhance our lives. In the same way, sensors are being deployed in ways that will help us fight pollution and climate change. Autonomous systems can reduce the amount of traffic and the number of accidents happening daily. Another way I see IoT devices making an impact is with user authentication. Today, authentication is a big burden for many people. Think about the number of passwords that you have to remember (or that are now being managed by an app) and how cumbersome the whole process is – authentication is not user-friendly at all. Even biometrics do not adequately solve the problem. IoT devices with a PUF inside can help streamline the user authentication process.
What does the future hold for Intrinsic ID?
With so much at stake and our digital security in mind, Intrinsic ID is expanding its market presence – from semiconductor and chip makers to IoT devices – and we will be providing more products to support a strong security architecture. To do this, we will continue to grow our ecosystem and play a role in evolving standards.
We have a number of strategic partnerships with industry players, such as Rambus, Silex Insight, OpenTitan, and other top technology companies. We will continue to build more solutions to further strengthen the ecosystem around the Intrinsic ID PUF technology and create solutions to make it easier for IoT device makers to build a solid base of security in their systems.
We will also continue to play an active role in helping to ensure more standardization in the industry and with our own IP.