With Security Threats and Vulnerabilities on the Rise, Consider the Root
Designing innovative products for a post-pandemic world is a compelling mission, but new world hackers and illicit digital opportunists are also surveying the landscape and preparing for their next big score. Security measures for embedded designs must be top of mind for every innovator.

Each generational advance in areas such as network architecture, cloud infrastructure, smart product design, wireless evolution, smart city deployments and autonomous vehicle operation represents millions of new opportunities for cost savings, efficiency gains and performance acceleration. Cloud data centers and new data storage structures are growing in tandem to meet the demand. Businesses, governments, utilities, consumers and a wide spectrum of public and private institutions all expect to leverage these advances right alongside the inventors of each new element of our increasingly connected world.
Another group eagerly awaits each new incremental leap forward. Hackers.
Some would say the first hackers were teenagers who gained access to telephone switchboards during the early 1900s and rerouted customer calls as a prank. Security meant locking the doors to the office in those days.
To be known as a hacker in the 1960s meant you were probably a mainframe programmer who devised code to push computing operations beyond their intended performance limits. It wasn’t an evil designation. It meant you had advanced the practice of mainframe manipulation and gained the respect of your peers.
Initially, Telecom Operators
The next evolutionary hacker targets were telecom carriers. Technologists studied devices connecting to networks and mimicked the tones used to route calls – to treat themselves to free long-distance service. These phreakers (a mash-up term describing their phone network understanding and freakish intentions) created a gray market for black boxes that performed this workaround. By the time telephone networks migrated to software-based control systems, hackers had moved on to other sectors like the emerging population of PCs and newly defined local area computer networks. And – at some point – they crossed the line from seemingly harmless experimenters to criminal disruptors.
A connected future will offer a variety of hardware, software and service disconnects that security-oriented vendors and manufacturers must address to avoid disruptions in service, theft of operator and customer data, and loss of revenue for service providers. Vulnerabilities that could not be imagined a generation ago now attract the attention of those with good intentions – to plan for new solutions to address weaknesses – as well as those with bad intentions seeking to exploit the vulnerabilities.
In the not-so-distant past, a common prescription to combat the potential for nefarious misuse of popular USB memory drives was to use glue or silicone to fill each USB computer port on enterprise computers and laptops. Today that approach seems obsolete, like pulling teeth to combat a toothache.
Today’s Focus on Communication Networks
While advertising by wireless network operators would have you believe that ubiquitous 5G is here today with companion waves of IoT-enabled devices populating their networks, the reality is on a slightly slower trajectory.
And, data center architects and storage system designers are building tomorrow’s infrastructure solutions at the same time hackers are testing their vulnerabilities. In an interesting twist, the hacking community may be sensing the arrival of 5G access and billions of IoT nodes as a return to telecom-oriented networks for backdoor access to valuable data and entry points for chaos. The sheer volume of devices and systems available for software and hardware-based mayhem will be unprecedented. Newly-designed bots and scripts will need to be accounted for, as hacker business models will be aimed at emerging ports-of-entry for their malicious code.
Cybersecurity specialists have been battle testing the vulnerabilities of devices featuring embedded sensors and always-on network connectivity since IoT specifications were first popularized. Increasingly sought-after penetration testers are becoming rock stars in corporate IT departments and popular targets of IT recruiters as demand for their services grows. Their skill at breaking into the same systems that nefarious hackers also seek out leads to industry-best preventive, corrective and protective countermeasures that keep system compromises from taking place. A Certified Ethical Hacker (CEH) designation can lead to a corporate role researching and testing the weaknesses and vulnerabilities in target systems by applying the same knowledge base and tools as a malicious hacker. The work of cybersecurity pros supports an ongoing, accurate assessment of the security posture within a corporate IT system.
Critical Protection at the Component Level
It’s not just hardware and computer systems that are subject to attack by hackers. Unprotected components in a system are susceptible as well. The landscape for device security is layered with industry-specific requirements – and market drivers that are constantly changing.
When companies are publicly called out for security breaches, they are likely to experience a significant loss of credibility and may experience revenue and stock price declines. Unfortunately, no set of standard security guidelines for platform firmware resiliency has been practiced across the board. A dizzying array of considerations must be weighed in any security approach to ensure alignment with standards, industry mandates, functionality, costs, customer demands, safety, performance and network paradigms. In embedded designs, security measures interface with many layers of on-device storage, communication hardware and protocols, node and gateway implementations, device management systems, cloud data access and more.
Security needs to be considered and planned at the inception of each embedded design. Microchip has a long history of delivering solutions that directly protect products and, ultimately, protect intellectual property, corporate brand, reputation and revenue.
Microchip customers can confidently rely on embedded solutions that protect their products with our comprehensive security portfolio and world-class Security Partner Program. From authentication devices and trusted platform modules, to crypto-enabled microcontrollers and microprocessors, software libraries and enhanced protocols – the Microchip approach to security is central to everything we do.
Security at the Root
Firmware injected into a system via rootkit (or bootkit) attack is an especially stealthy form of malware. Rootkits are not only difficult to detect and remove, they load before an operating system boots and can hide from ordinary anti-malware software. One way to defend against rootkit attacks is to enable a system to use a secure boot device that is purpose built to detect non-authorized firmware in the pre-OS environment.
Secure boot with hardware root of trust is critical because it protects a system against threats before they can be loaded into the system. The secure boot process only allows the system to boot using software trusted by the manufacturer. There are two primary pillars to the secure boot approach that make it secure:
• The secure bootloader is stored in memory that is immutable – in other words, it cannot be changed.
• The secure bootloader authenticates the first-stage firmware bootloader before it is executed in-system to verify it has been signed by the trusted original equipment manufacturer (OEM).
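The two pillars above can be shown end to end in a small simulation. The following is an added example written for this post; it is not Microchip code and does not reflect how the CEC1712 or Soteria-G2 firmware is implemented. It assumes a hypothetical image layout (a magic value, a length field, the first-stage bootloader bytes, then the OEM signature) and uses a Lamport one-time signature built from SHA-256 as a stand-in for the RSA or ECDSA signing an OEM would really use. The public key is held in an immutable tuple to play the part of the key burned into ROM or OTP memory, and the boot routine refuses to hand off to any image whose signature does not verify against it.

```python
import hashlib
import secrets

# Lamport one-time signature over SHA-256 digests. This is a stand-in for the
# OEM's real RSA/ECDSA scheme; a Lamport private key must sign only ONE image.
DIGEST_BITS = 256
CHUNK = 32

def keygen():
    """OEM key pair: private preimages stay with the OEM, public hashes go in ROM."""
    priv = [(secrets.token_bytes(CHUNK), secrets.token_bytes(CHUNK)) for _ in range(DIGEST_BITS)]
    pub = tuple((hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv)
    return priv, pub

def _bits(digest):
    n = int.from_bytes(digest, "big")
    return [(n >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]

def sign(priv, message):
    """OEM side: reveal one preimage per bit of SHA-256(message)."""
    d = hashlib.sha256(message).digest()
    return b"".join(priv[i][bit] for i, bit in enumerate(_bits(d)))

def verify(pub, message, sig):
    """Bootloader side: hash each revealed preimage and compare with the ROM key."""
    if len(sig) != CHUNK * DIGEST_BITS:
        return False
    d = hashlib.sha256(message).digest()
    ok = True
    for i, bit in enumerate(_bits(d)):
        revealed = sig[CHUNK * i:CHUNK * (i + 1)]
        if hashlib.sha256(revealed).digest() != pub[i][bit]:
            ok = False  # keep checking every bit rather than returning early
    return ok

# Hypothetical flash image layout (constructed for this example):
#   MAGIC (4 bytes) | payload length (4 bytes, big-endian) | payload | signature
MAGIC = b"FW1\x00"
HEADER_LEN = 8

def package_image(priv, payload):
    """What the OEM writes to SPI flash. The header is signed too, so an
    attacker cannot change the length field without breaking the signature."""
    header = MAGIC + len(payload).to_bytes(4, "big")
    return header + payload + sign(priv, header + payload)

def secure_boot(rom_pubkey, flash):
    """Immutable-ROM bootloader: authenticate the first-stage image before it runs.
    Returns ("boot", payload) on success or ("halt", reason) on any failure."""
    if flash[:4] != MAGIC:
        return ("halt", "bad magic")
    n = int.from_bytes(flash[4:HEADER_LEN], "big")
    body, sig = flash[:HEADER_LEN + n], flash[HEADER_LEN + n:]
    if len(body) != HEADER_LEN + n:
        return ("halt", "truncated image")
    if not verify(rom_pubkey, body, sig):
        return ("halt", "signature mismatch")
    return ("boot", body[HEADER_LEN:])

if __name__ == "__main__":
    oem_priv, rom_pubkey = keygen()
    image = package_image(oem_priv, b"first-stage bootloader v1")
    print(secure_boot(rom_pubkey, image)[0])            # boot
    tampered = bytearray(image)
    tampered[HEADER_LEN] ^= 0x01                       # flip one payload bit
    print(secure_boot(rom_pubkey, bytes(tampered))[0])  # halt
```

The point of signing the header together with the payload is that every field the bootloader relies on is covered by the OEM signature; a modified length, a swapped payload or a clipped signature each cause `secure_boot` to halt rather than execute unauthenticated code. In a real design the public key would live in ROM or one-time-programmable memory and the signature algorithm would be RSA or ECDSA with a hardware accelerator, but the control flow is the same: verify first, execute only on success.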
Learn more about protecting your designs with our embedded security solutions.
Further Reading
Learn how a leading data center server original equipment manufacturer (OEM) upgraded its battle plan for hardware and OS-based security with our CEC1712 microcontroller.
Microchip’s Soteria-G2 custom firmware on its full-featured CEC1712 Arm® Cortex®-M4-based microcontroller provides secure boot with hardware root of trust protection in a pre-boot mode for those operating systems booting from external SPI Flash memory. Read the case study.
And, check out the Defending Against Rootkit Attacks and Avoiding Malicious Malware blog page to learn more.