Want to prevent a cyberattack? Good hardware security is key

Thema:
Trusted ICT
1 October 2024

A self-driving car remotely controlled by an attacker. Game controllers that let you bypass paying for games. People replicating machines from big tech companies. These are all examples where the hardware was not secure enough, resulting in people misusing it. To prevent such errors, we need to check and secure cryptography in hardware – preferably before it has even been made. This is what TNO is working on.

October is Cybersecurity Month

Therefore, TNO shares an article on cybersecurity every week. In these articles, we share the importance of addressing vulnerabilities in the design phase of software and hardware.

Suppose people could just break into our phones and see our messages and photos. That is what would happen without cryptography in our phones. Among other things, cryptography is used to shield all our data and information from unauthorised persons. It is present in applications, software, and hardware.

Good security starts with our hardware

The advantage of cryptography in hardware is that it works faster and more efficiently than in software. In addition, secure hardware is key, because applications and software also depend on it. 'However good the security is in applications and software, if the hardware they run on is not secure, sensitive information can still fall into the wrong hands,' says Maaike van Leuken of TNO.

maaike_van_leuken

'However good the security is in applications and software, if the hardware they run on is not secure, sensitive information can still fall into the wrong hands.'

Maaike van Leuken

Integrator and PMC Lead

Hardware is not cracked by ‘traditional’ hackers

Does this mean that our hardware is constantly at risk? Not necessarily! Someone with the wrong intentions does need to have physical access to your hardware in order to break in. The classic image of a hacker breaking into a system from an attic room only applies to software and applications, not hardware.

So why are we now focusing on cryptography in hardware?

'While software is easier to crack, cracking hardware has a greater impact. For example, someone could gain access to the entire system and thus eavesdrop on everything from past conversations to future conversations. It’s harder for someone to break in, but the consequences can be many times greater,' Van Leuken says.

Economic impact on Dutch high-tech companies

It could also have a major economic impact on companies in the high-tech industry – for instance, if they have put millions into developing a complex product and another company is suddenly able to replicate it. 'This is a major concern for Dutch high-tech companies right now,' says Dimitri Hehanussa of TNO. 'Whereas the high-tech industry’s focus used to be more on protecting networks, it’s now shifting more towards protecting products. Hardware is the foundation.'

dimitri-hehanussa-tno

'Whereas the high-tech industry’s focus used to be more on protecting networks, it’s now shifting more towards protecting products. Hardware is the foundation.'

Dimitri Hehanussa

Business Development Manager

Hidden attackers in a chip

How do we know when hardware is safe? One method TNO has studied involves checking chips in hardware after they have already been made. Indeed, as in the Trojan horse, those chips may contain hard-to-detect ‘attackers’ that are activated at a given moment and cause damage to the hardware.

TNO has studied technologies that examine whether a chip does exactly what it is supposed to do, among other things by looking at power consumption. Even such a hidden attacker can be detected in this way. In addition, TNO has conducted research into automated formal verification tools of software implementations to see whether it can translate them into hardware implementations.

'This method of checking chips after production is already widely used and works reasonably well,' Van Leuken explains. 'However, if it turns out that the chips aren’t safe, it takes a lot of time and money to put right.'

It would be better to be able to check the chips before they are made – in the design phase, in other words. After all, how do you know if the chip still corresponds 100% to what you originally had in mind? The chip may have been optimised further during the production process and therefore no longer does exactly what it is supposed to do.

This check is currently done by hand, but this method is not convenient if companies want to perform checks on a large scale. Indeed, there are European directives on the way that instruct companies to guarantee cybersecurity in their products. Companies could then be held liable if they fail to comply with the directives. In addition, performing checks is currently very time-consuming and therefore costly. For these reasons, TNO is looking into how to automate this process.

Making a test chip first

One method we are already working with is checking a test chip before the chips actually go into production. This test chip is made using a Field-Programmable Gate Array (FPGA). It is identical to the production chips, except that it is cheap and easy to modify afterwards. Only when we are sure that the test chip is in order, the real chips will go into production based on the test chip’s design.

Interested in working together?

'There are still many challenges in the area of automatic pre-checking of cryptography in hardware, and we’re keen to address them,' Van Leuken says. 'We’re looking for parties who are interested in this and want to work with us on a specific use case. We’d like to build a generic solution together, which will also be useful for the wider public.'

If you are interested in hardware security, please contact Dimitri Hehanussa.

Get inspired

24 resultaten, getoond 1 t/m 5

In-depth software testing made easier

Informatietype:
Article
TNO’s innovations streamline fuzzing, making deep and efficient software testing less reliant on human effort.

No migration without an inventory: protection against quantum computers starts with insights

Informatietype:
Insight
22 October 2024

Robust application communications security testing: ​as easy as can be

Informatietype:
Insight
15 October 2024

SOARCA tool: automated security against cyber attacks

Informatietype:
Insight
8 October 2024

TNO’s view of 2030: Digital privacy and security for everyone

Informatietype:
Insight
20 September 2024