As defined in the first article of this series, the final two phases of the IC lifecycle, board assembly and board test, are owned and managed by the original equipment manufacturer (OEM).
Figure 1 OEMs are responsible for securing the final two phases of the IC lifecycle: board assembly and board test. Source: Silicon Labs
While there are fewer OEM phases in a product's lifecycle than there are in IC manufacturing, the security risks in each of these phases are similar to the challenges faced by silicon vendors and are equally consequential. The good news is that OEMs can build on the security foundations established by their silicon vendors and reuse many of the same techniques.
- Board assembly
Board assembly is much like the package assembly step in IC manufacturing; however, instead of placing a die inside a package, packages are mounted to a printed circuit board (PCB), which is then usually installed in some type of enclosure. Physical and network security at the assembly site is the first line of defense against attacks; however, this can vary widely from contractor to contractor and tends to be poor due to cost considerations and the nature of board testing.
Figure 2 Board assembly is quite similar to package assembly in the IC manufacturing stage. Source: Silicon Labs
The most significant threats at this stage are theft, device analysis, and modification. Mitigations for these threats are described below.
Theft
Device theft for the purpose of resale as legitimate devices is the primary concern at this step. As with the package test stage in IC manufacturing, theft of any significant quantity is easily detectable by comparing the incoming and outgoing inventory of the board assembly site.
The biggest risk for OEMs at this stage is an attacker obtaining a large number of devices, modifying them, and then introducing the modified products to end users. If the silicon vendor offers custom programming, an OEM can greatly mitigate this risk by ordering parts with secure boot enabled and configured. Secure boot will cause the IC to reject any modified software the attacker attempts to program.
Device analysis
The potential for an attacker to obtain systems for analysis is greatly reduced in this step compared to the package assembly stage in IC manufacturing. Boards at this step typically don't contain any useful information to be analyzed. If an attacker is interested in analyzing the hardware construction, they can easily obtain samples by buying the device. In addition, because the device has not yet been programmed, obtaining a device in this manner doesn't give the attacker the ability to access and analyze any device-specific software.
Hardware modification
Covert modification of a PCB at scale is difficult to achieve given the ease of detecting such modifications. OEMs can implement a simple sampling test in a trusted environment that visually inspects boards and compares them to known good samples to detect changes. Attacks which attempt to modify only a specific set of boards will evade such testing but are also harder to coordinate and implement.
- Board test
The board test stage presents threats similar to those for package test in IC manufacturing. For example, it's common for test systems to be shared among multiple vendors, increasing the risk of security breaches or attacks from bad actors. However, OEMs tend to have an even greater diversity of vendors at this step than is seen in IC manufacturing, which makes board test even more difficult to secure than package test.
Figure 3 Again, board test is quite similar to package test in the IC manufacturing stage. Source: Silicon Labs
Board test typically has poor physical and network security. It's extremely common to share floor space and test hosts between products, and test systems may not be kept patched. Finally, the risk of exposing confidential data at final test depends on the implementation of the product and its final test process. If an IC has sufficient security capabilities, then a final test architecture that completely protects data from bad actors in the test environment is possible. Unfortunately, that topic is too complex to dig into in this article.
Malicious code injection
The simplest method of attack at board test is to modify the device's software. Because secure boot enabling and application programming occur in the same board test step, there is concern that an attacker gaining full control of the test could inject malicious code and leave secure boot disabled. This risk can be mitigated by implementing sample testing or a dual insertion test flow.
In addition, if custom programming is available, then having the silicon vendor configure and enable secure boot will create a strong defense against malicious code injection. When a programming service is used in this way, it's still important that board test verify that secure boot is correctly configured and enabled. Working together, the package and final test steps can validate each other, so that an attacker would need to compromise both steps to alter the silicon vendor or OEM code.
It's important to note that the strength of secure boot relies on keeping the private key secret. It's highly recommended that signing keys be generated in a secure key store such as a hardware security module (HSM) and never exported. In addition, the ability to sign with those keys should be tightly restricted and ideally require authentication from at least two individuals, so that no single actor can sign a malicious image.
Identity extraction
Since it's common for OEMs to inject credentials (cryptographic keys and certificates) at board test, attackers may seek to gain access to the credentials or the key material they're based on.
Secure provisioning of identity credentials has proven to be a particularly complex and nuanced problem. It involves the device's capabilities, the contractor's physical and network security, and the design of the provisioning method. It also presents unique challenges due to the scale and cost of manufacturing. In addition, as with all security, there is no way to confirm you haven't missed some flaw in the system. Providing devices with identities is easy. Providing them with strong, secure identities at an acceptable cost and at massive scale is extremely difficult.
In well-designed systems where private keys never leave secure key storage, gaining access to the key material needed to forge credentials should not be possible. For example, in the implementation used by Silicon Labs, the private key used to generate device certificates is stored in a Trusted Platform Module (TPM) on a PC that is hardened against physical and logical attack and located in an access-restricted cage in the site's data center. Further, these keys are restricted in usage, applying to only a single manufacturing lot, and in time, existing only a few days before that lot is tested and being deleted once the lot is complete. Finally, if such a key is compromised, the devices manufactured under that key can have their credentials revoked, indicating they should not be trusted.
Similarly, all devices that support secure key storage generate their private keys on-board, and those keys are never able to leave the secure key store. Devices that don't support secure key storage must have their keys injected and can be more vulnerable to an attacker on the test infrastructure accessing their private keys. To prevent certificates for low-security devices from being passed off as credentials for high-security devices, all certificates generated in manufacturing carry data indicating the strength of the storage used for their private key.
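As an added example, not Silicon Labs' implementation, here is a Go model of the credential design the two paragraphs above describe: a CA whose key serves one manufacturing lot and is destroyed when the lot closes, per-device certificates that carry a key-storage class, a per-lot revocation list, and a verifier that refuses an injected-key certificate where a secure-element credential is required. The extension OID, the class names, the validity periods and the ECDSA P-256 choice are constructed for the example; a real deployment would register its own OID and keep the lot key in a TPM or HSM rather than in process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Private OID and class names for the key-storage extension (constructed for this example).
var oidKeyStorageClass = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
const StorageInjected = "injected"           // key generated off-device, programmed at test
const StorageSecureOnChip = "secure-element" // key generated on-device, never exported
var storageRank = map[string]int{StorageInjected: 1, StorageSecureOnChip: 2}
var ErrLotClosed = errors.New("lot complete: signing key destroyed")
var ErrRevoked = errors.New("certificate revoked")
var ErrStorageTooWeak = errors.New("key-storage class below the required level")

// LotCA signs certificates for one manufacturing lot only. Its private key is destroyed
// when the lot completes; the CA certificate outlives the key so issued certs keep verifying.
type LotCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]bool
}

func mint(tmpl, parent *x509.Certificate, pub, priv any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewLotCA(lot string) (*LotCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	start := time.Now().Add(-time.Hour)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lot CA " + lot},
		NotBefore: start, NotAfter: start.AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := mint(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &LotCA{Cert: cert, key: key, revoked: map[string]bool{}}, nil
}

// IssueDeviceCert binds devPub to a serial and records how the matching private key is stored.
func (ca *LotCA) IssueDeviceCert(serial int64, devPub *ecdsa.PublicKey, storage string) (*x509.Certificate, error) {
	if ca.key == nil {
		return nil, ErrLotClosed
	}
	val, err := asn1.Marshal(storage)
	if err != nil {
		return nil, err
	}
	sn := big.NewInt(serial)
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: "device-" + sn.String()},
		NotBefore: ca.Cert.NotBefore, NotAfter: ca.Cert.NotAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidKeyStorageClass, Value: val}},
	}
	return mint(tmpl, ca.Cert, devPub, ca.key)
}

// Revoke flags one device (for instance after a lot-key compromise); CloseLot destroys the key.
func (ca *LotCA) Revoke(serial *big.Int) { ca.revoked[serial.String()] = true }
func (ca *LotCA) CloseLot()             { ca.key = nil }

// VerifyDeviceCert checks the chain, the lot's revocation list, and that the device key
// is stored at least as strongly as the relying party requires.
func VerifyDeviceCert(ca *LotCA, cert *x509.Certificate, required string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return ErrRevoked
	}
	class := "" // a missing extension ranks 0, weaker than any required class
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidKeyStorageClass) {
			if _, err := asn1.Unmarshal(ext.Value, &class); err != nil {
				return err
			}
		}
	}
	if storageRank[class] < storageRank[required] {
		return ErrStorageTooWeak
	}
	return nil
}
```

The storage-class check fails closed: a certificate with no extension, or one whose class the verifier does not recognise, ranks below any requirement and is refused, which is what stops a low-security credential from being presented as a high-security one.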
OEMs should use test systems that are hardened against modification and restrict physical access to them. Physical security should be reviewed, and standard access controls and logging maintained. Finally, standard security practices for networks and PCs should be followed. For example, test systems shouldn't be allowed direct Internet connections and shouldn't use shared login credentials. Periodic reviews should be conducted to ensure that any changes to these processes are noticed and examined.
These standard measures can prevent an attacker from gaining access to a test system in the first place. In addition to these practices, OEMs can consign testers to contract manufacturers (CMs) that won't be shared with other vendors, further improving physical and network security. These systems can also be put through penetration testing to identify and fix vulnerabilities before they can be exploited.
Finally, higher-level keys stored in the OEM's IT infrastructure must be handled appropriately. They should be kept in a secret key store with appropriate access restrictions. Their use should be monitored so that any unexpected operations can be identified and the appropriate staff alerted.
For OEMs that don't want to set up their own credential provisioning infrastructure, there are silicon vendors that offer secure programming services. For example, Silicon Labs provides credentials in its catalog Vault-High products and can program credentials onto any custom parts ordered through its custom part manufacturing service (CPMS). These services transfer the burden from board test to the programming step performed by the silicon vendor.
Extraction of confidential information
When confidential information such as keys or proprietary algorithms is programmed as part of board test, there is a risk that an attacker will obtain this information by compromising the tester. All the recommendations made for hardening the board test stage against identity extraction apply here as well. Similarly, using a programming service can transfer this risk from the board test stage to the package test stage.
With the right set of security features, it's possible to provision confidential information and protect it even if test systems are compromised. This provisioning requires a central, secured machine, as discussed above, and a device with a secure engine that can attest to the device's state in a way that is outside the influence of the test system and is verifiable by the central machine. The board test will program the IC, enable secure boot, and lock the device.
The device then attests to its state. If the tester was compromised and didn't do what it was supposed to do, the central machine will detect it in the attested information. Once the central machine knows the device is configured properly, it can perform a key exchange with the known-good application and then send the confidential information over that secured link. This process prevents the test system from being able to see or alter the confidential information.
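The exchange described in the last two paragraphs, as an added example that is not the vendor's protocol: the central machine challenges the device with a fresh ephemeral X25519 key, the device's secure engine signs its state together with both ephemeral keys using its on-chip identity key, and only if that signature verifies and the state matches what board test was supposed to produce does the central machine derive a session key and wrap the secret. The tester relays every message but never holds the session key; a tester that left secure boot off, or that forges the attestation with a key of its own, receives nothing usable. The message layout, the state fields and the SHA-256 key derivation are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// DeviceState is what the secure engine attests (layout constructed for this example).
type DeviceState struct {
	SecureBootEnabled bool
	ImageHash         [32]byte
}
// Challenge (central -> device) and Attestation (device -> central) pass through the
// tester, which can read but not forge them. The central's fresh ephemeral key is the nonce.
type Challenge struct{ CentralPub *ecdh.PublicKey }
type Attestation struct {
	State     DeviceState
	DevicePub *ecdh.PublicKey // device's ephemeral X25519 key
	Signature []byte          // Ed25519 over the transcript, by the device identity key
}
var ErrBadAttestation = errors.New("attestation signature invalid")
var ErrUnexpectedState = errors.New("device not in expected state; refusing to provision")

// transcript binds both ephemeral keys and the state: no replay, no swapped key exchange.
func transcript(ch Challenge, st DeviceState, devPub *ecdh.PublicKey) []byte {
	sb := byte(0)
	if st.SecureBootEnabled {
		sb = 1
	}
	t := append(ch.CentralPub.Bytes(), sb) // Bytes() returns a fresh copy
	return append(append(t, st.ImageHash[:]...), devPub.Bytes()...)
}
// session derives an AES-GCM key from the X25519 secret and the transcript (HKDF is the usual KDF).
func session(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, tr []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(shared, tr...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Device models the secure engine: on-chip identity key, state the tester cannot alter.
type Device struct {
	idKey ed25519.PrivateKey
	state DeviceState
	sess  cipher.AEAD // set by Attest; the tester never sees this key
}
func (d *Device) Attest(ch Challenge) (Attestation, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Attestation{}, err
	}
	tr := transcript(ch, d.state, eph.PublicKey())
	if d.sess, err = session(eph, ch.CentralPub, tr); err != nil {
		return Attestation{}, err
	}
	return Attestation{State: d.state, DevicePub: eph.PublicKey(), Signature: ed25519.Sign(d.idKey, tr)}, nil
}
// ReceiveSecret unwraps the blob the tester relayed from the central machine.
func (d *Device) ReceiveSecret(blob []byte) ([]byte, error) {
	return d.sess.Open(nil, make([]byte, d.sess.NonceSize()), blob, nil)
}

// ProvisionSecret is the central machine: challenge, verify the attestation against the
// known identity key and expected state, then wrap the secret. attest is the tester round trip.
func ProvisionSecret(devID ed25519.PublicKey, expected DeviceState, attest func(Challenge) (Attestation, error), secret []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ch := Challenge{CentralPub: eph.PublicKey()}
	att, err := attest(ch)
	if err != nil {
		return nil, err
	}
	if att.DevicePub == nil {
		return nil, ErrBadAttestation
	}
	tr := transcript(ch, att.State, att.DevicePub)
	if !ed25519.Verify(devID, tr, att.Signature) {
		return nil, ErrBadAttestation
	}
	if att.State != expected {
		return nil, ErrUnexpectedState
	}
	sess, err := session(eph, att.DevicePub, tr)
	if err != nil {
		return nil, err
	}
	// Fresh ephemeral keys make the session key single-use, so a fixed nonce is safe.
	return sess.Seal(nil, make([]byte, sess.NonceSize()), secret, nil), nil
}
```

Two design points carry the security argument. The signature covers the central machine's ephemeral key, so a tester cannot replay an attestation captured from an earlier, correctly configured device, and it covers the device's ephemeral key, so the tester cannot substitute its own key exchange and read the wrapped secret. The device identity public key the central machine verifies against is the one certified at provisioning, which is where the per-lot certificate scheme above comes in.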
End-product security requires OEM diligence
When it comes to securing an end product, OEMs face many of the same challenges as silicon vendors. While a well-designed product and robust physical and network security are the first layers of defense, OEMs can prevent the bulk of security attacks against their end products by following many of the same steps and procedures practiced by their silicon vendors.
In addition, many silicon vendors provide services and capabilities that OEMs can use to reduce the effort and complexity of securing their manufacturing environment. Putting these techniques in place today will help ensure security for all their connected devices and the ecosystems in which they participate. Together, silicon vendors and OEMs can deliver on the promise of a secure Internet of Things (IoT).
Joshua Norem is a senior systems engineer at Silicon Labs.
Editor's Note: This is the second and final part of the article series on OEM-specific security risks. Part 1 identified the threats at each step of the IC manufacturing lifecycle and described how to mitigate them.