-1-

IoT, CPS, & Security issues of embedded devices

Yasuyoshi UemuraPresident

Electronic Commerce Security Technology Research Association

July 8th 2015, at Kyushu University

-2-

Definition; Machine to Machine communication

DeviceSensor

ComputerDevice

Closed network

Open network

Direct communication

-3-

Definition; Internet of things

Internet, Open network

DeviceSensor

Devices are connected with open network

MainframeComputer

-4-

Definition; Cyber Physical Systems

Network, either open or close

DeviceSensor

MainframeComputer

Devices connected with network, either open or close

-5-

Definition; Embedded Device

● Combination of hardware(system LSI) and software (operating system + application software)

● Does not depend on versatile operating system

● Generally, a part of security function depends on hardware

● Eg; Hardware crypto-library is implemented

-6-

Social InnovationAuthentication between elements in the closed system

-7-

Social InnovationAuthentication between elements in the open network

-8-

Social InnovationAuthentication between Control part and Controlled part

-9-

Machine to Machine AuthenticationDevice recognizes each other as “right entity”, without human being

Authentication between control part and controlled part

Devices as the system element recognizeeach other as “right entity”.

In this case, the guard system center recognizeseach camera or sensor as “right entity” belong to the guard system.

Machine to machine authentication through cloud

-10-

From Protocol authenticationTo Crypto-Authentication

Seeds of secure technology come from smartcard techniques

High security authentications are already realized in the smartcard world.

系 複合的な機器システム

金融決済Field of transportations

社会的なシステムFrom linier smartcard authenticationTo multiple M2M authentication in Cyber Physical SystemsFor “No false entity” in the system

Technological innovation in CPS age

Secure crypto-modulefor M2M authentication

Field of finance and retailing

-11-

Incidents related to M2M authentication service・

By threats such as copying key data, delete key data, replace key data, the system strays from proper function, and important incident occurs.

・ Going out of control　 etc.

・ Illegal payment・ Leak of informationetc.

・ Abnormal operation・ Breakdownetc.

・ Picture spillage・ Hijacking of cameraetc.

-12-

Threats against crypto-devicesThere is abstract threat analysis for M2M service layer as ESTI TR

Estimated threats Target of attacks

Leaking, deleting, replacing of key data M2Mdevices/ M2M gateways

Leaking of key data Monitoring communication between entities

Modification of data M2M service capabilities

Corrupt or corrupted software M2Mdevices/ M2M gateways

Bypass checking process of integrity M2Mdevices/ M2M gatewaysMonitoring, modification, re-transmission of message in M2M service layer

Communication between entities

Invasion of privacyM2Mdevices/ M2M gateways/M2M service capabilities/Communication between applications

• ETSI TR103 167 Threat analysis and counter-measures to M2M service layer• We have to develop evaluation techniques to assure crypto-devices implement enough security functions.

ETSI TR 103 167 v1.1.1 (2011-08)　Machine-to-Machine Communications (M2M);　Threat analysis and counter-measures to M2M service

Leaking, deleting, replacing of key data for authentication

Leaking of key dataMonitoring, modification, re-transmission of message Invasion of privacy

Communication

Modification of dataCorrupt or corrupted software

-13-

ISO/IEC15408 Common Criteria for HW fieldThird party evaluation/certification for hardware field IT products

Main target;　 Smartcard and similar devices

Expanding to embedded devices

CC; Logics and structure

Common Criteria

ISO/IEC15408International standardTarget; all IT productsDictionary of security requirements

ProtectionProfile

SecurityTarget

Security requirements forspecific field of product.Certified by CC schemePP is pointed by purchaser to developer of the product.There are many cases thatdeveloper group edit PPs.

Product

EvaluationEvidencedocuments

Third party evaluationAlmost all assurance families are evaluationwhether the product designis conform to ST or not, through document checking.

Security target depends onPP pointed by the purchaser.ST is declaration by developerthat the product is designedsecure.

ADV_VAN class is quite deferentfrom othersThe class is vulnerability analysis independently done by evaluation body.In HW case, tamper resistance is checked by penetration testing.

-14-

Vulnerability AnalysisUnique operation in HW/CC certification

Assumption; Attack technique is advancing.Standardization of protection technique cannot catch up above.

To integrate a mechanism of preemptive protection into the third party evaluation scheme.Raise the criteria of countermeasure to pass the vulnerability assessment, year by year, little by little.

Papers

Conference papers presage new attacks

Real experiences of attack

CCCertification Body

Inner circle

International discussion

How strong the countermeasure shall be implemented to pass thevulnerability assessment?

CC CertificationAVA_VAN class

The criteria to pass ADV_VAN evaluation is modified inside of CB,year by year

-15-

International communityas the inner circle

● Protected by strong NDA.

● Share the newest vulnerability information, but do not disclose.

● Engineer’s group tied each other with private confidence.

● Discussing “how strong the countermeasure shall be in the real world”.

● Modifying criteria for protection, little by little, year by year.

● Input the discussion results to CBs to modifying rating for vulnerability assessment in CC hardware evaluation/certification.

● Members are from users, system-vendors, chip-vendors, evaluation facilities, laboratories, certification bodies, and all stakeholders of hardware , security, in smartcard and similar devices field.

-16-

Managing vulnerability information

Software vulnerabilityVulnerabilities at application software on versatile operating systems such as Windows, Mac, UNIX, LINUX and so on.

JPCERT Coordination centerCSIRT (Computer Security Incident Response Team) representing JapanManaging JVN ( Japan Vulnerability Network) with IPA.Users can download the “Patch” by themselves and protect their own software.

ソフトウェアの脆弱性については充実した社会制度がある理由： End userが直接パッチを当てる等の対策が可能

Hardware vulnerabilityVulnerabilities of HW=IC chip which incorporate software on it.

Almost vulnerabilities of HW in PC/Main frame computer have not been cared so far.Reason; Existence of Intel, if Intel is secure it is secure.

Almost all attacks through logical interfaces.Smartcard & similar devices;　 JHAS/ICSS-JC liaison inner circle

Vulnerability is not disclosedReason; It is difficult for each user to implement the “Patch” to own device.

Serious vulnerability directly connects to recall of the product.It is usual to raise countermeasure a bit strong in alternation of product generation, if vulnerability is not so serious.

Embedded software vulnerabilityVulnerabilities at application software on original operating systems.

Eg; Cars, Robots, Guarding devices, Medical devices, Smart-meters, Information home electrical appliances

For third-party security evaluation, CC concept will be available.Vulnerability assessment for each product field is needed.

Inner circle such as in “Smartcard and similar devices” field is neededto discuss the “extent of countermeasure strength”.

Embedded software vulnerability + Hardware vulnerability“Managing organization for embedded device vulnerability information” is needed.

-17-

Development issues for secure M2M module

M2M認証用セキュア ICモジュール

Performance Tamper resistance

・ Implement high crypto-functions・ Implement tamper-resistant functions

・ Simple circuit・ High speed calculation・ Low cost Implement sensors

RandomizationProcess encryptionTamper detection→Stop, delete dataAccess control etc....

High performance in calculation part is needed, for secure implementation of the module.

Summarize development issues for secure M2MModule.

More fastMore light

Ultra high crypto-calculation performance,with tamper resistant implementation

More strongMore complex

More secureMore fastMore light

Contradiction

Supported with both cryptographic techniques and chip design techniques.

-18-

YASUYOSHI UEMURAPRESIDENT, ELECTRONIC COMMERCE SECURITY TECHNOLOGY RESEARCH ASSOCIATIONUEMURA@ECSEC.ORG

Phone　 81-3-5259-8062