Security by Design: Internet of Things Authentification and Self Testing
Have you noticed how many organizations are getting hacked lately? Businesses like Equifax aren’t the only targets of these attacks; government institutions like the NSA have also been hit. Even the Internet of Things (IoT) has been targeted. Hackers infect and control devices in order to use them as a tool for distributed denial-of-service (DDoS) assaults.
I’m sure you’ve gotten your credit card hacked, as well; I have. The difficult part about a world whose interconnectivity is growing exponentially every year is the creativity with which hackers are using to find new entryways into your personal devices. It might seem impossible to properly defend yourself from a determined hacker, but that’s not true. The more security that you add to your devices, the less likely you are to be hacked.
One of the many ways to protect your gadget from these kinds of intrusions is to require authentication for device communications. If we only look at protection, though, we’re missing half the picture. The sheer number of breaches in recent years show that even if we take all the precautions, our boards still might get hacked. That’s why it’s important to self test both hardware and software in the field to mitigate the effects of an incursion.
Secure Your Devices From Getting Attacked
We all use authentication on a regular basis with our passwords for various sites and services, even if we forget them now and again. This kind of identity verification is going to be critical for the IoT, though not just between users and their devices. Machines also interact with each other often without any user behind their interactions. Without proper authentication, this interaction becomes an open door. Designers like us need to work in machine to machine authentication protocols to protect against unauthorized access.
There are already billions of IoT devices around the globe, and the numbers keep growing. These gizmos are being arranged into large networks that can enable things like smart cities or connected highways. In these systems, thousands of sensors can be hooked together and may either communicate directly with each other or talk through a gateway. If your device doesn’t use authentication, it could be accessed by a hacker’s computer pretending to be a sensor on the network. Future IoT systems will be incredibly complex and will need authentication on multiple levels. If your product doesn’t use authentication, it might be the weak link in the chain and allow unauthorized access to entire networks.
So You Got Attacked? Now Parry!
Protecting our systems from attackers is important, but so is what we do after we find out we’ve been hacked. Maybe I should say “if” we find out we’ve been hacked. In August 2013, Yahoo’s system was breached, and in 2016, they reported that over 1 billion accounts had been accessed. It turns out the intrusion actually affected all 3 billion of their users. If our boards can’t self-test out in the field we may end up like Yahoo, wondering if we’ve been hacked or how badly. If my PCB is part of a botnet that’s trying to take down the Internet, I want to know.
There are two main ways to self-test your machine: through its hardware and through its software. By enabling self testing to occur in both, you are ensuring that your machine is capable of catching any unnatural intrusions, errors, or disabled processes. This will be able to help in allowing you to catch your machine if it has, in fact, become infected.
First You Throw a Jab
Sometimes things just fail on their own, and sometimes someone breaks them. It can be hard to tell which it is, but it’s important that you know when your hardware isn’t working correctly. Things like memory are prone to corruption, but luckily there are some fairly simple ways to test if your storage is operating properly. For the specific PCB you’re designing, you should be able to find ways to see if everything is working correctly.
It’s helpful if you provide the results of that self test to other devices in the network as well. If a hacker wants to disable a system, they could feed pieces of it false inputs until the controller assumes those are broken and shuts them down. Then the hacker can continue their attack. If a sensor or peripheral can self-test and show the master that it isn’t broken, that can alert the system to a potential attack. After the alert goes off, you’ve already gone a significant way to disabling potential attacks.
Then You Hit with an Uppercut
Similar to hardware, your software may have self induced errors as well as malicious ones. Finding these errors can be more important than detecting physical malfunctions, though. If a hacker can load malicious code onto your device it may never register as being broken. Instead, the hacker’s program can make everything appear fine while using the device for their own purposes.
For software you can write a part of your program, known as sentinel code or a watchdog, to watch other and ensure they’re operating properly. That will certainly let you detect accidental errors, like data corruption which can be caused by pointers. The more nefarious hackers will often use code-injection attacks in an attempt to gain access to your device. These can be difficult to detect because they may look like normal data to your sentinel code until it’s too late. It is possible to design for code-injection attacks, but you may need to use a static analysis tool to track how data moves through your program. Once you understand exactly how your device handles information, you can make your watchdog much more effective.
When creating a PCB, most of us designers are more focused on getting it to operate efficiently than worrying about how to secure it against hackers. That problem, though, is becoming increasingly important as the list of large scale breaches continues to grow. Protecting your device on the front end through authentication can ensure that your gadget is only talking to authorized users or systems. These are not uncompromising protections though, and it is possible to still fall victim to an attack. If that’s the case then we also need to focus on detecting assaults as they’re occurring, or after they’ve happened. Hardware and software self testing can help us find out when our products have been compromised.
Between conventional design and new security concerns, designers like us have a lot on our plates. That’s why it’s important to use great PCB design software that lets you use your time economically. Altium Designer® comes with a great range of tools and add-ons that can help you work as efficiently as possible.
Have more questions about IoT security? Call an expert at Altium.