Securing the Internet of Things: ‘Side channel attacks’ expose sensitive data collected by IoT devices

German startup introduces technology that facilitates wider use of encryption as IoT expands


Core insight: IoT devices collect data and connect to the Internet. In doing so, they emit signals known as “side channels.” These signals show levels of power consumption at any given moment, as well as electromagnetic and acoustic emissions. An attacker can overcome the encryption protecting an IoT device by executing what’s known as a “side channel attack.”

In a side channel attack, the intruder eavesdrops on the device’s side channel emissions and takes note when an encryption key is used to access the device. This tiny amount of information can then be used to, in effect, duplicate the key.

Emerging exposure: Compared to attacking the mathematical properties of encryption, side-channel attacks require much less time and trouble to correctly guess a secret key. They require inexpensive equipment, can take just minutes to execute successfully and are very difficult to detect.

Wider implications: As IoT expands, a myriad of cheap, low-power devices will record data and interact with humans and companies across the Internet in countless ways. As IoT devices and systems become cheaper and more ubiquitous, device manufacturers likely won’t have much incentive to invest in complex security mechanisms. Cyber criminals will take advantage using well-understood hacking techniques, such as side channel attacks.

Christian Zenger, PhySec project manager

Excerpts from ThirdCertainty’s interview with Christian Zenger, project manager of PhySec, a startup based in Bochum, Germany, that is seeking to make IoT systems less susceptible to side-channel attacks.

3C: How common are side channel attacks?

Zenger: Not all attackers and affected vendors make attacks public. However, in academia, side channel attacks were responsible for some of the most spectacular attacks with dramatic real-world implications. One prominent example was the attack on the KeeLoq cipher, a remote keyless entry system used in many cars. The attacker was able to clone car keys from a distance.

Another attack broke the security of the Mifare DESFire smart cards used for cashless ticketing in public transportation systems. A third attack targeted so-called FPGA devices typically used to protect against theft of intellectual property. Research has shown these attacks can target any industry and can enable large-scale car theft, ticket manipulation and even theft of intellectual property.

3C: What is your solution?

Zenger: We extract random numbers from a wireless channel shared between two parties legitimately using the IoT system, let’s call them Alice and Bob. This sequence of numbers, emitted in the side channels of the device, reflects the physical surroundings and movements of Alice and Bob at a given moment, and thus is highly unpredictable. So if a third party, let’s call her Eve, came along and tried to eavesdrop, she would have to be very close (less than 6.25 centimeters for Wi-Fi) to Alice or Bob in order to listen in.

Physics guarantees that beyond a certain distance, Eve cannot learn anything. By this principle, we have a synchronized random number generator between Alice and Bob and a guarantee that it cannot be eavesdropped if Eve is beyond a defined threshold.

3C: Where might this approach help as the Internet of Things grows?

Zenger: In a smart factory, or a smart home, a set of sensors collects data, sends it to a central gateway, which then stores the data in the cloud. The connection between the sensors and gateway is wireless. The collected data can then be retrieved by a user to visualize information on a smartphone or tablet.

A privacy-savvy company, or an individual user, might like to keep her data to herself and not share it with the cloud storage provider or the manufacturer of the sensors. This would prevent a third party from being able to intercept, or manipulate, data moving between sensors and gateways.

Ideally, data would be encrypted on the sensors, and then transmitted and stored in encrypted form and only the user of this data could decrypt it. Our technology can now help to establish this end-to-end scenario for ultra-low-power devices in a user-friendly way.

3C: How might your solution eventually be useful to individual consumers?

Zenger: The consumer is put into control over his data with a solution that is convenient to use. Traditional arguments against end-to-end encryption, like ‘it’s too costly’ or ‘it’s too energy hungry’ no longer apply. Conversely, cloud providers would not need to fear leaks as all data is encrypted.

3C: What else should our audience understand?

Zenger: Security and privacy have to be part of the entire design process of any device that impacts our daily lives. It cannot be an afterthought. Typically, manufacturers want to deliver new products with interesting features and the topic of security is a nuisance for them. Encryption is often just added to a product to tick some marketing box.

However, we have seen in many real-world attacks that these systems never live up to their promises, which results in loss of customer confidence, loss in revenue, and bad public relations.

If ‘data is the oil of the digital economy’ we should care about what happens to our data and who is monetizing it.
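
The channel-based key agreement described in the interview can be illustrated with a small simulation. This is an added example, not PhySec's code and not part of the interview; the Gaussian channel model, the noise level, the guard band and all function names are assumptions chosen for illustration.

```python
import random

def measure(n, noise, seed):
    """Constructed channel model (assumption): Alice and Bob observe the same
    fading gain h (channel reciprocity) plus independent receiver noise.
    Eve, beyond the decorrelation distance, observes an independent gain."""
    rng = random.Random(seed)
    alice, bob, eve = [], [], []
    for _ in range(n):
        h = rng.gauss(0, 1)
        alice.append(h + rng.gauss(0, noise))
        bob.append(h + rng.gauss(0, noise))
        eve.append(rng.gauss(0, 1) + rng.gauss(0, noise))
    return alice, bob, eve

def confident(samples, guard):
    """Indices whose magnitude clears the guard band around the threshold 0,
    so that small noise cannot flip the quantized bit."""
    return {i for i, s in enumerate(samples) if abs(s) > guard}

def quantize(samples, keep):
    """One bit per kept sample: the sign of the measurement."""
    return [1 if samples[i] > 0 else 0 for i in keep]

def agree(n=2000, noise=0.05, guard=0.3, seed=1):
    alice, bob, eve = measure(n, noise, seed)
    # The index sets are exchanged in the clear. They reveal which samples
    # were used, not the sign of any sample.
    keep = sorted(confident(alice, guard) & confident(bob, guard))
    key_a = quantize(alice, keep)
    key_b = quantize(bob, keep)
    # Eve hears the index exchange and quantizes her own measurements.
    key_e = quantize(eve, keep)
    eve_match = sum(a == e for a, e in zip(key_a, key_e)) / len(key_a)
    return key_a, key_b, eve_match

if __name__ == "__main__":
    key_a, key_b, eve_match = agree()
    print("bits agreed:", len(key_a))
    print("Alice == Bob:", key_a == key_b)
    print("Eve bit agreement: %.3f" % eve_match)
```

Practical schemes follow quantization with information reconciliation and privacy amplification, which this sketch leaves out.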
