This Week In Hardware Security 10/11/17


Bringing you the latest in Hardware Security every week!

'Crypto Anchors' Might Stop the Next Equifax-Style Megabreach

"Firewalls, intrusion detection systems, and even encryption haven't kept hackers out of hoards of data like the ones stolen in the catastrophic breaches of Equifax or Yahoo. But now, some Silicon Valley firms are trying a deeper approach, building security into the basic design of how data moves between a company's servers."

https://www.wired.com/story/crypto-anchors-breach-security/

Hack-Vulnerable Voting Machines a 'National Security Threat,' Experts Warn

"A new report breaks down the lessons learned at the DEF CON 25 hacking conference, which amounted to a concentrated attack—orchestrated in the name of public safety—on the programming and machinery used in U.S. elections."

http://www.newsweek.com/hacking-defcon-voting-machines-technology-software-eac-russia-meddling-681759

 


This Week in Hardware Security 10/4/17


Bringing you the latest in Hardware Security every week!

Security-Oblivious Design Makes TrustZone Vulnerable to Attack

"Many automotive SoCs take advantage of ARM’s TrustZone. But researchers at Columbia Univ. succeeded in attacking a security-oblivious design by compromising the DVFS SoC support."

http://www.electronicdesign.com/automotive/security-oblivious-design-makes-trustzone-vulnerable-attack

FBI won’t have to reveal details on iPhone hacking tool used in San Bernardino case

"A federal court ruled yesterday that the FBI does not have to disclose either the name of the vendor used or price the government paid to hack into the iPhone 5C."

https://www.theverge.com/2017/10/1/16393074/apple-iphone-fbi-hacking-tool-san-bernardino-case-secret-court-order

 


This Week in Hardware Security 9/27/17


Bringing you the latest in Hardware Security every week!

CLKSCREW Attack Can Hack Modern Chipsets via Their Power Management Features

"A team of three scientists from Columbia University has discovered that by attacking the combo of hardware and software management utilities embedded with modern chipsets, threat actors can take over systems via an attack surface found in almost all modern electronic devices."

https://www.bleepingcomputer.com/news/security/clkscrew-attack-can-hack-modern-chipsets-via-their-power-management-features/

'Smart' Hospital IV Pump Vulnerable To Remote Hack Attack

"...security researchers have discovered eight vulnerabilities in a syringe infusion pump used by hospitals to help administer medication to patients intravenously."

https://www.techdirt.com/articles/20170920/09450338247/smart-hospital-iv-pump-vulnerable-to-remote-hack-attack.shtml

 


This Week in Hardware Security 9/20/17


Bringing you the latest in Hardware Security every week!

New Bluetooth vulnerability can hack a phone in 10 seconds

"Security company Armis has found a collection of eight exploits, collectively called BlueBorne, that can allow an attacker access to your phone without touching it. The attack can allow access to computers and phones, as well as IoT devices."

https://techcrunch.com/2017/09/12/new-bluetooth-vulnerability-can-hack-a-phone-in-ten-seconds/

Second Researcher Drops Router Exploit Code After D-Link Mishandles Bug Reports

"Embedi, a hardware security firm, has published details about two vulnerabilities that have yet to be patched in the firmware of D-Link routers. This marks the second incident of this sort in the last five days."

https://www.bleepingcomputer.com/news/security/second-researcher-drops-router-exploit-code-after-d-link-mishandles-bug-reports/

Risky Routers? New Malware Attacks Leverage Popular Hardware by Proxy

"Hardware is now a top-tier threat vector for cybercriminals. Internet of Things (IoT) devices are leading the charge, since many lack basic security protections but have almost unlimited access to network resources."

https://securityintelligence.com/news/risky-routers-new-malware-attacks-leverage-popular-hardware-by-proxy/


NEW whitepaper - "Verifying Security at the Hardware/Software Boundary"


We have a new whitepaper that describes:

• That Hardware Security review is a time-consuming and unreliable process

• How the inclusion of boot code can exacerbate the complexity of Hardware Security review

• The landscape of known Hardware Security threats

• How Unison, Tortuga Logic's new Hardware Security simulation platform, can drastically decrease the time it takes to perform security review at the hardware/software boundary

Click here to download!


Security Vulnerability Found in Haswell Line of Intel Processors


"It also highlights the need for CPU designers to be aware of security as part of the design of new processors."

Researchers have discovered a flaw in a fairly new line of Intel processors that can allow the bypass of a key security mechanism built into the majority of operating systems. 

Read more here - http://arstechnica.com/security/2016/10/flaw-in-intel-chips-could-make-malware-attacks-more-potent/


The Headaches of being a SoC Security Architect


A modern System-on-Chip (SoC) has a wide array of very strict and difficult-to-verify security properties. Locking critical configuration or key registers, properly implementing interconnect access control rules, and general configuration during system boot are issues that pain just about every SoC Security Architect. They spend hours reviewing documentation from the verification teams and discussing these issues with separate product security teams. The end result is a process that consumes an enormous amount of time and yields very inadequate results.

Click here to read the rest of the article.


You probably have a lot of dead hens in your hardware design


Meeting timing, keeping under power budget, delivering on time -- all aspects of hardware design are pretty easy if you just relax the constraint of being "correct"! Hardware designers of course know this and are quick to find creative and easy fixes to their problems but are of course held in check by teams of diligent testing and verification engineers providing their evaluation of correctness. Add a cycle of delay here, handle this special case there, power gate this, change the specification of that -- the success of hardware teams relies on the honest back and forth between these competing interests.  Unfortunately, as I touched on in my last blog entry, security is not covered by the traditional specifications and is completely unexamined by traditional test and verification procedures.

Read more here.


Functional Verification Will Not Save You From This Silicon Security Vulnerability


More often than not, systems are deployed every day with numerous bugs, both known and unknown. The problem in silicon security is twofold: 1) The behaviors that excite the latent vulnerabilities in designs are decidedly unnatural.  2) Most security systems are fragile. Dropping even a subset of the bits from a single key or flipping a few bits of internal state can be enough to completely subvert years of careful policy design, cryptographic cleverness, and architecture security support. 

Click here to read the rest of the article.


You Must Verify HW/SW Interactions to Avoid Security Vulnerabilities


Imagine waking up tomorrow morning only to discover that your employer's brand is all over the news for the wrong reasons. Qualcomm employees experienced that last week. Over 900 million Android devices containing a Qualcomm processor were shown to have four known security vulnerabilities, and these alarming security issues are not going to be easy to eliminate according to the press. Not exactly the news a semiconductor executive wants to read with their morning cup of coffee.

Click here to read the rest of the article.


Securing the Internet of Things Starts with Silicon


In just a few short years, connected devices of the Internet of Things (IoT) have gone from concepts to reality and as a result there are now major concerns regarding their initial development.

“As every player with a stake in IoT is well aware, security is paramount for the safe and reliable operation of IoT connected devices. It is, in fact, the foundational enabler of IoT.”1 This statement is supported by the work of researchers at the 2016 BlackHat conference where they demonstrated how to hack into smart lightbulbs, medical devices, and many other connected devices.

Click here to read the remainder of this post.


Securing FPGAs


Ask an FPGA design engineer about securing their designs and a typical reply is likely “Oh – we don’t have to worry about that, our FPGA vendor takes care of silicon security”. This perspective is partially true in that FPGA vendors provide security functionality to protect a user’s bitstream and the design data that uniquely programs an FPGA against copying, cloning, and reverse engineering. Some FPGA vendors are now also offering more advanced security features....

Click here to read the remainder of this post.


Here’s What You Need to Know about Design-for-Security


Security vulnerabilities in silicon designs represent huge potential financial losses, not to mention the severe detrimental damage to a company’s brand name. SoC designers currently attempt to test for security vulnerabilities very late in the design cycle, which produces very little discovery and resolution. Tortuga Logic provides a design-for-security (DFS) process that integrates easily into an RTL process and allows for security verification during the entire SoC design process, from architecture development to tapeout.

Click here to read the remainder of this post.


Software Security is Necessary but Not Sufficient


As the silicon designs inside the connected devices of the Internet of Things transition from specifications to tapeouts, electronics companies have come to the stark realization that software security is simply not adequate. Securing silicon is now a required, not optional, part of RTL design processes....

Click here to read the remainder of this post.
