PREVENTING IOT EDGE DEVICE VULNERABILITIES JEFF MILLER, PRODUCT MARKETING & STRATEGY, MENTOR, A SIEMENS BUSINESS A M S D E S I G N & V E R I F I C A T I O N W H I T E P A P E R w w w. m e n t o r. c o m
As an EDA toolchain provider, Mentor keeps a close eye on security issues that occur in the world of electronics. We see volumes of research centered on protecting complex SoCs from attacks and interesting studies about detecting malicious logic in these ICs. There are studies on preventing recycling of old chips that are sold as new by using odometer circuits, adding co-processors on board to monitor suspicious activity, and techniques to hide chip activity from outside monitoring. Also of concern are the potential touch points along the supply chain in which some security vulnerability could be added to the IC. But, security issues around IoT edge devices are rarely mentioned in the literature. However, the projected billions of IoT edge devices out in the wild makes for a vast attack surface. Should hardware designers be concerned about security for IoT edge devices? And, is it worth the effort and cost to ensure security at this level? We are starting to see a few news reports of actual malicious attacks on IoT edge hardware committed by hackers intending to steal data or wreak havoc. There was a recent attack that occurred through IoT video cameras using a botnet that exploited one particular brand of device whose firmware did not allow the user to change the password. However, there are many reports of serious vulnerabilities uncovered by researchers, universities, and folks intent on publicly exposing the risk: Samsung Smart Home System: researchers at University of Michigan hacked the PIN code to open a locked door and to reset the vacation mode. In a separate hack, a Samsung Smart Fridge was shown to allow the intercept of Gmail credentials when synching to Google Calendar. Jeep Cherokee: security researchers disabled transmission and brakes. This event caught the most attention in the press. Tesla : a DefCon hacker discovered vulnerabilities in the Model S that allowed him to start the car. But, he had to physically connect his laptop to a system bus. Pacemaker: University of Alabama students wirelessly hacked a pacemaker installed in a dummy and sped up and slowed down the device. Mattel Hello Barbie and child monitors: Wi-Fi connectivity allowed interception of conversations between a child and the Barbie doll. And, there are several reports of hacking into child monitors to post live video online. Sniper rifle: a hacker demonstrated to Wired magazine that he could re-direct the aim of a Wi-Fi enabled TrackingPoint sniper rifle. Vulnerabilities in IoT edge hardware fall into 2 major categories (Figure 1): 1. Design: somewhere during the design or fabrication process, someone inserts extra logic that establishes a back-channel to the device. 2. 3 rd -party: an externally-exploitable vulnerability is discovered by a 3 rd -party entity that is used to gain access to the device. 2
DESIGN VULNERABILITIES Figure 1: Design and 3 rd -party vulnerabilities. Design vulnerabilities take place during the IC design flow where someone inserts extra logic in order to create a hidden method of taking control of the chip. Finding extra RTL code, gates, or transistors has always been very difficult. Even matching requirements to implemented logic does not mean that there are some gates or transistors that do not belong. Legitimate extra logic is often inserted by tools to decrease power or to improve timing. And, just because every gate is touched during simulation, does not mean it is part of the official design. EDA tools can play a role in this space, but they cannot exhaustively prevent a determined employee from adding malicious logic. In fact, a paper from the University of Michigan entitled A2: Analog Malicious Hardware 1 shows how tiny and undetectable malicious logic can be. The authors of the paper established very tough requirements for themselves, as they attempted to create a backdoor attack circuit that would be undetectable and deployable by a person at fabrication time. Meaning, someone at a foundry could insert the circuit into a GDSII file after the design team submitted the IC for fabrication. However, the technique that they invented could also be deployed during the design of the IC before handoff to the foundry. All it takes is one person on the inside, determined to open up the IC for attacks. In a novel attack insertion strategy, the authors invented a single gate, analog trigger circuit that is extremely low power and had negligible timing impact (Figure 2). 1 K. Yang, M. Hicks, Q. Dong, T. Austin, D. Sylvester, A2: Analog Malicious Hardware, University of Michigan 3
Figure 2: Analog trigger circuit (Source: University of Michigan). The attack is based on capacitive charge accumulation and the circuit is attached to a wire of a processor register. The capacitor accumulates voltage until a threshold is hit and then triggers the output to deploy the attack payload. The leakage current drains off the charge to disable the trigger (Figure 3). Figure 3: Behavior of the trigger circuit (Source: University of Michigan). By simulating the design using several benchmarks, a victim signal is selected in the design to attach the analog trigger circuit. They look for a signal that is not very active during normal operation based on toggling rates. The circuit is then attached to a supervision register of the processor in order to take control of it and deliver a payload that grants privilege escalation. The circuit was placed into the layout in an unused area of the chip. The team actually fabricated the design and performed extensive testing on the chip. The scary results? All known detection techniques failed to detect the attack circuit. As a result of the authors work, we can see that a single gate, analog circuit can be employed in a design to pull off an inside job (or an outside job at the foundry) with no real means of detecting it. Does this give any hope of detecting malicious design from the inside? The authors offer some ideas, such as splitting the manufacturing of 4
the IC between two foundries to prevent fabrication-time attacks, but research will have to continue in order to address this attack technique. 3 RD -PARTY VULNERABILITIES After the IoT device has been sold and deployed, a 3 rd -party attacker can attempt to find and exploit vulnerabilities in the hardware. If the attack is successful, this could mean that the original IC design team overlooked one or more vulnerabilities during the design and verification of the chip. A different team at the University of Michigan (plus a team member from University of South Carolina) completed a project to see if they could gain control of a MEMS accelerometer already out in the wild. This culminated in the paper WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks. 2 The team investigated if they could find a way to gain control over the MEMS sensor output using sound waves. This is a fascinating study of a third-party vulnerability in a capacitive MEMS accelerometer which is a common device in smartphones. A capacitive MEMS accelerometer typically contains a sensing mass suspended by springs and connected to a variable capacitor. When the device is accelerated, the mass moves, creating an electrical signal due to capacitance change (Figure 4). Using Newton s second law of motion and Hooke s law to form an equation, the measured acceleration can be calculated. Figure 4: How a capacitive MEMS accelerometer works (Source: University of Michigan). Of course, an accelerometer is not just the MEMS component. The MEMS capacitive voltage is typically fed to an amplifier which is low-pass filtered, and then converted to a digital signal using an analog-to-digital converter (ADC). This signal is typically an input to a processor which takes the data and performs the calculation to determine acceleration (Figure 5). That value is then used as a variable in a software program running on the processor that performs some action or presents data to the user. For example, in an RC car that is controlled with a smartphone app, the x-axis accelerometer data created by tilting the phone forward or back, causes the car to move forward or back. 2 T. Trippel, O. Weisse, W. Xu, P. Honeyman, K. Fu, WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks, University of Michigan & University of South Carolina 5
Figure 5: A typical accelerometer system. The university team set out to determine if they could use sound waves to resonate with the moving structures of the MEMS accelerometer to create an out-of-spec pathway through the design in order to attack the processor and take control of it. Initially, the team set up a testing apparatus to check a wide range of commercial accelerometers. And, just to see if the results differed due to process variations in the IC fabrication, they tested two of each. Using a tweeter, they found the resonating frequency of the MEMS component that achieves the maximum displacement of the mass. By hitting this frequency, they noticed two affects: Improperly-designed low-pass filters did not fully suppress the sensor output signals, causing fluctuating output values, which means the sensor thought it was under high vibration. Improperly-designed amplifiers clipped the output signals, causing constant-shifted output, which means the sensor thought it was attached to a rocket with constant acceleration. The devices with improper low-pass filters were designed with a cut-off frequency that was too close to the resonant frequency of the MEMS sensor and the signal slips through to the ADC. A proper low-pass filter completely attenuates the signal. The devices with improper amplifiers showed that the external acoustic trigger displaced the sensing mass to create a signal that exceeded the dynamic range of the amplifier (Figure 6). Figure 6: Responses to sound (Source: University of Michigan). The team found that 75% of the 25 accelerometer devices tested where vulnerable to taking control of the sensor output. The team then set up an experiment to see if they could take control of an RC car driven by a smartphone application. With knowledge of the smartphone accelerometer resonate frequency (from the previous testing of the ICs in the experiments above), they created a malicious music file with the resonating frequency that uses the smartphone speaker for the acoustic attack. The software on the smartphone allows the user to tilt the phone in 6
the direction that they want to move the car, which employs the accelerometer. The music file contained a signal that simulated the output signal to drive the car forward and back (Figure 7). Figure 7: Taking control of an RC car (Source: University of Michigan). Some scary implications of this experiment should be jumping to mind at this point. For example, what if this was a military drone? This project points out several IoT edge device security ideas that should be considered during design and verification of the accelerometer: Designers should not assume that the sensor signal input to a processor is 100% legitimate, without any checking of the signal path. The analog elements of the signal conditioning path can provide an attack surface: The low-pass filter should be designed such that the resonant frequency of the MEMS device does not lie within the transition band, so that the interference signal is fully attenuated. The amplifier should be designed to account for high-amplitude interference noise to prevent signal clipping. Designers should consider an additional filter before the amplifier to filter out the acoustic noise. Why is the team s paper called WALNUT? In another experiment, they took control of an accelerometer output to spoof the sensor to spell out WALNUT (Figure 8). Figure 8: Spoofing the sensor (Source: University of Michigan). 7
The university team went beyond discovering and showing how to prevent accelerometer hacks. They suggest a method to protect devices already deployed. They offer software update ideas to alter the sampling rates of the ADC (this does not help if the amplifier still demonstrates clipping). For example, sampling at random times within the resonant frequency period can prevent an attack on the sensor output. If you are worried by all the accelerometers in the wild being vulnerable to attack, the team did provide the results and potential solutions to the accelerometer vendors. And, some of those vendors have responded. Also, 25% of the tested accelerometers where not vulnerable to these particular attacks. MANAGING VULNERABILITIES WITH SIMULATION It is clear that teams must think about security when designing and verifying sensor-based IoT systems. While the industry has established design flows, standards, and techniques to help digital IC designers ensure complete simulation of the device, AMS designers do not have access to alike solutions. This often leads to incomplete verification of the analog portions of the design, which are prevalent in IoT edge devices. Usually, teams manage analog simulations manually or they use complex and expensive tools that require intricate setup and proprietary test plans before they can deploy a solution. However, the Tanner Designer flow (Figure 9) helps to address this problem by providing an easy way to manage analog verification to track the large number of simulations required to ensure that there are no vulnerabilities in the IC. Figure 9: The Tanner Designer Flow. Each team member creates the schematic, sets up simulations, and creates testbenches in S-Edit for their block. They can then run T-Spice and Eldo simulations that create results. The measurement data from the simulation runs is aggregated into a database and the results are presented in the Tanner Designer dashboard and detailed reports are kept in a Microsoft Excel workbook (Figure 10). As the lifecycle of the project progresses, the team can customize the dashboard and reports within Excel by adding database queries, graphs, and presenting custom information based on measurements. The team uses the power and flexibility of Excel instead of learning a proprietary language or a verification management environment. 8
Figure 10: Tanner Designer Dashboard, driven by Excel workbooks. The team can use Tanner Designer to automate design reviews in order to ensure that all simulations match the test plan and that the simulation runs have all been completed. The Tanner Designer dashboard shows the actual status of the design blocks and the team can interact with reports and the actual design elements like schematics and waveforms to review each block. This ensures that everyone is examining real design data that is always up to date, with no need to generate large review documents. Finally, if a new exploit technique is discovered, it is very easy to add additional tests or testbenches to evaluate if the current design is vulnerable. Tanner Designer automatically discovers new tests and testbenches in the project, re-simulates if necessary, and updates the reports to ensure that as the design evolves it remains invulnerable to attacks and that it stays within specification. 9
CONCLUSION Thanks to the university experiments summarized in this paper, we learn that design vulnerabilities might never be 100% preventable. But, IoT edge device designers do have control over security at the hardware level to protect against 3 rd -party vulnerabilities. Unfortunately, they cannot think of all the ways that the hardware can be exploited ahead of time, but IoT edge device designers need to formulate plausible use cases of attacks on their custom IC. They need a test plan that exercises their device using hostile input and should decide how the device should respond when subjected to these attacks. Tanner Designer can help teams manage all simulations including the additional tests necessary to check for vulnerabilities and assure complete simulation of the test plan. We also learn that security has to be considered by everyone on the design team from the lowest level sensor, to the entire system. To learn more about Tanner Designer, see the web page here. To learn more about creating the building block of an accelerometer, the resonator, using the Tanner flow, see this whitepaper. Experience Tanner AMS Virtual Lab - Immediate access from any current PC web browser Test-drive Tanner Tools and discover the power of its complete IC design flow, including schematic capture, analog simulation, physical layout, and verification. For the latest product information, call us or visit: w w w. m e n t o r. c o m 2017 Mentor Graphics Corporation, all rights reserved. This document contains information that is proprietary to Mentor Graphics Corporation and may be duplicated in whole or in part by the original recipient for internal business purposes only, provided that this entire notice appears in all copies. In accepting this document, the recipient agrees to make every reasonable effort to prevent unauthorized use of this information. All trademarks mentioned in this document are the trademarks of their respective owners. TFD 9-17 TECH16090-w