Physical security

Tamper resistance and physical security are particularly important for IoT devices. In many scenarios, an IoT device will be remote and without the safeguards of on-premises devices. This is analogous to the Enigma machine of World War Two. Retrieving a working machine from the German submarine U-110 helped break the cipher. An attacker with access to the IoT device can use whatever tools are at their disposal to crack the system, as we saw with the Chain Reaction exploit.

Side-channel attacks, as shown, deal with power analysis; other forms are timing attacks, cache attacks, electromagnetic field emissions, and scan chain attacks. The common theme of a side-channel attack is that the compromised unit is essentially a device under test (DUT). This means the device will be observed and measured in a controlled environment.

Additionally, techniques like DPA use statistical analysis to look for correlations between random input and output. The statistical analysis only works if the system behaves identically from run to run with the same input:

Methodology

Timing Attacks

Attempts to exploit small differences in the timing of algorithms. For example, measuring the timing of a password decoding algorithm and observing early exits from the routine. Attackers can also observe cache utilization to witness the characteristics of the algorithm.

Simple Power Analysis (SPA)

Similar to a timing attack but measures large changes in dynamic power or current due to the behavior of an algorithm and opcodes. Public keys are particularly susceptible. The analysis needs few traces to work but the traces need a high degree of precision. As most cryptographic algorithms are mathematically intensive, different opcodes will show up as different power signatures in a trace.

Differential Power Analysis (DPA)

DPA measures dynamic power but can observe changes that are too small to be observed directly as in SPA. By injecting random input (such as different random keys) into a system, the attacker can perform thousands of traces to build a data-dependent set. Attacking an AES algorithm, for example, simply means building two sets of traces depending on the value of the bit (0 or 1) being cracked. The sets are averaged and the difference between the 0 and 1 set is plotted to show the effect of the random input to the output.

 

Methods of prevention are well known and several can be licensed and used in a variety of hardware. Countermeasures for these types of attacks include:

  • Modify the encryption function to minimize the use of the key. Use a short-lived session key based on a hash of the actual key.
  • For timing attacks, randomly insert functions that will not perturb the original algorithm. Use different random opcodes to create a large work function for the attacks.
  • Remove conditional branches that depend on the key.
  • For power attacks, decrease leakage at every opportunity and limit the number of operations per key. This reduces the attacker working set.
  • Induce noise into power lines. Use variable timing operations or skew clocks.
  • Change the order of independent operations. This reduces correlation factors around the S-Box calculation.
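
The early exit described under timing attacks and the countermeasure of removing branches that depend on the key can be seen side by side in a comparison routine. The following is an added example, not code from the original text; the function names, the step counter (a deterministic stand-in for run time) and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leaky form: returns at the first mismatching byte, so the work done
 * (reported through *steps) grows with the length of the correct prefix. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;                  /* secret-dependent early exit */
    }
    return 1;
}

/* Hardened form: no branch depends on the data. Every byte is visited
 * and differences are accumulated with XOR/OR. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;         /* discourages compiler short-circuiting */
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* diff == 0 maps to 1, anything else to 0, without a compare branch. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Constructed sample data: a secret and guesses matching 0 and 3 bytes. */
static const uint8_t SECRET[6] = { 's', 'e', 'c', 'r', 'e', 't' };
static const uint8_t GUESS0[6] = { 'x', 'x', 'x', 'x', 'x', 'x' };
static const uint8_t GUESS3[6] = { 's', 'e', 'c', 'x', 'x', 'x' };

int main(void)
{
    const uint8_t *guesses[3] = { GUESS0, GUESS3, SECRET };
    for (int i = 0; i < 3; i++) {
        size_t ls, cs;
        int lr = leaky_equal(SECRET, guesses[i], 6, &ls);
        int cr = ct_equal(SECRET, guesses[i], 6, &cs);
        printf("guess %d: leaky=%d steps=%zu | hardened=%d steps=%zu\n",
               i, lr, ls, cr, cs);
    }
    return 0;
}
```

The leaky routine's step count tracks how many leading bytes were correct, while the hardened routine does the same work for every input.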

Other hardware considerations include:

Preventing access to debug ports and channels. Often these are exposed on the PCA as serial ports and JTAG ports. Headers should be removed and fuse bits blown to prevent debug access in the most hardened cases. 

ASICs typically use ball grid array (BGA) pads to attach to a PCA. High-performance adhesives and thermally-resistant glue should be used to surround the package and may cause irreparable damage if tampered with.