Posted by Stefan Eberhardt | April 30, 2019
In this blog, I want to do a security assessment of an end device. To get started, we will avoid making a mistake that happens a lot in our business! So please forget all security solutions that you have heard of and let us look at what you really need - and then, let us find the best match…
Where should it be used?
Let me give you two extreme examples: Worst case here is a public, unregulated access to the device, the opposite would be a system in the basement of a central bank with no access to any/or just a small internal network. In the second case, a file that has a unique key for communication might be enough for a start. In the first case, you should use a secure element, handling unique and private keys and consider encrypting the whole file system and memory. Locks and limiting access and functionalities are also big parts of fighting the first scenario, because what simply doesn’t exist, can´t be used for an attack.
Is it connected?
If the answer is no, ask yourself, if the system is maintained or services using e.g. a potential unsecure service notebook or smartphone? If the answer is still no, we are done, otherwise: Think about a secure update mechanism, which means, an old system checks the integrity of a file (typically hash) and only if the signature is correct and valid, it accepts the update. And yes, of course do (or let somebody else do, like maybe S&T) regular penetration tests on your solution, to secure potential security holes.
Take into consideration the physical setup.
So, on the one side, if you hide away the system in a metal cage with a big lock, the efforts of breaking a TMP are much higher, because you have to break that lock or maybe the cage. I think this makes sense, but please also consider, if there is access to the Ethernet cable and USB ports. If so, think about, what might be the worst case here, with USB maybe booting a different OS or just viruses that start with the auto start functionality (this can also be hidden in the USB Stick Firmware). But since this is about physical access, remember: the more you expose, the more you have to secure.
What am I protecting, or basically what am I loosing if…?
As an example: if you use “one secret” for all the communication in your devices network, and that secret gets lost, the attacker can take over your whole network of devices. So, if I lose that private key, the whole product installation is compromised, and all business associated with it.
How high should the security wall be?
Let´s stick to this example, to understand the accepted risk. Breaking a TMP 1.0 and extracting its private keys, costs about 10.000 EUR. If I hide this with one private key in all TPMs of all my devices, regardless which one was hacked, we would lose the whole device fleet. By using individual keys per device, we can reduce this risk considerably. Because then, the attacker has to invest 10.000 EUR just to get access to only one device, which seems more acceptable, doesn´t it?
One thing that I´d like to mention here is, that there is no 100% security. It is like with most things: the more you want to reach the 100%, the more expensive it gets. So basically, this is just a business decision.
Where do I want to ship it?
Now, we must take a look at the measures or mechanisms, we can use to secure our product. In fact, this highly depends on, where we want to ship our stuff to, because this limits the technical solutions, we can apply to mitigate risks.
So, there is a lot of stuff to think about and if you are one of the poor guys that must face these problems alone, start talking about it, and be as transparent as possible. Also prepare stuff for decision makers, because at the end of the day, it’s a business decision. At the beginning of this blog, I prompted you to forget all the technical solutions for this chapter. But I promise we will look at them within the next chapter, where I will explain to you what SUSiEtec offers you, from a security perspective.