A researcher at the University of Massachusetts Amherst has been awarded for being part of a team that is developing...
a way to make it easier to detect product piracy and intellectual property theft of thumb drives, keyfobs and just about any embedded device.
When someone gets sick because [an] insulin pump was spoofed, there will be some major losses there.
founder, Logical Elegance
A hidden signal in the power supply of embedded devices can validate the authenticity of devices, he said, and it could reduce costs currently associated with reverse engineering or overriding software protections.
Georg T. Becker won the Best Cybersecurity Solution award at the second annual Advanced Cyber Security Center conference with his research, titled Side-channel based watermarks for embedded devices (.pdf). Becker proposed the use of small circuitry into the power consumption of the device that produces a unique signature. The watermark would be indistinguishable from noise, but using side-channel analysis, the hardware maker could reliably detect the signature, Becker said.
Product piracy and intellectual property theft have been rising concerns of software makers and manufacturers of embedded devices. Some of the focus on embedded device security is in preventing device attacks, in which an attacker targets the device to alter its processes or leverages it to gain access to more critical systems. But a more immediate concern is gaining control of the costs associated with device piracy and intellectual property theft. McAfee and its parent Intel have made the area a priority, trying to develop ways to create chip-based or hardware-based security.
The Verizon Data Breach Investigation report noted intellectual property theft as a serious issue. The problem is being fueled by targeted, persistent attacks believed to be originating from China, and designed to gain access to corporate systems and maintain a presence on them. The malware remains stealthy, stealing intellectual property and other sensitive data over long periods of time.
Becker also believes the same technique can be applied to software for embedded devices by adding assembler instructions to the software program that can produce a unique signal in the power consumption of the device. The technique would eliminate the need for an evaluator to overcome the memory read protection to verify the authenticity of the device, Becker said.
The idea was first introduced by Becker and two other researchers in 2010 at the IEEE International Symposium on Hardware-Oriented Security and Trust. The software protection was presented in August at the IEEE Transactions on Information Forensics & Security.
Embedded systems experts said the embedded systems research and other techniques being developed hold promise.
The technology would not fit with all markets, but it may meet the needs of some areas were antipiracy and security is a priority, said embedded systems expert Michael Barr, CTO of his Baltimore-based consultancy, Barr Group. Cost is a critical factor in the mass producing of some embedded devices, he said.
"Now that the consumable device is smart, it still has to be low cost so we get into some complicated issues there," Barr said. "Most embedded systems are insecure either because nobody has taken the time or money to secure them or because each device has a unique type of attacker with different motivations."
Card readers, smartcards and ATM machines are hardened with encryption and other technologies to prevent spoofing and tampering, said Elecia White, founder of Logical Elegance, an embedded systems consulting company based in San Jose, Calif. Manufacturers and software makers are increasingly concerned about security to protect both their own interests and the sensitive data being collected and potentially transmitted by the devices, White said.
"Vendors have to be pretty strict about encryption and security so they don't get a bad reputation because the cheaper pirated products not only cut in on the bottom line, they typically perform poorly," White said.
Intellectual property theft and piracy is a growing problem with health care clinical consumables, such as thermometers, needle guides and ultrasound transducers, which are thrown away after use. A watermark or other technique that can prevent piracy and cut the costs associated with identifying pirated items would likely be highly considered by manufacturers of those items, White said.
"When someone gets sick because [an] insulin pump was spoofed, there will be some major losses there," White said. "People working in [the] medical device field are very aware of security and how to make it as bulletproof as possible."
Other manufacturers and software makers of items such as Roku, the Sony Wii and other consumer devices have the processing power to put strong encryption in place and take other steps to protect the IP, White said.
"Children's toys and other consumer products have such a fine margin of profit that building something into the system isn't always viable," White said. "It's sometimes better to get it into the market, get it done, and build a new one, instead of spending more time on something that can't be copied."