Hardware security is the only real security

I just came across the epic hack that Wired‘s Matt Honan had perpetrated on him. A hacker added a credit card number to his Amazon account. The next day they called Amazon and said they lost the password. “What is the number of the credit card on the account?” asked the helpful Amazon employee. Once they were in the Amazon account they got into his Google accounts, all helpfully linked by Matt himself, and then the Apple accounts. The hacker was some sociopath kid. He was not interested in money; he just wanted to hurt someone, so he wiped out all the pictures and data on Honan’s phone, computer, and yes, the precious precious cloud. Yes, my precious, one cloud to rule them all.

One-cloud-to-control-them-all

Just like the Ring in The Lord of the Rings, the cloud can be your worst enemy in the hands of a bad person.

Now initially Honan lamented that he lost all the pictures of his new baby and a bunch of other stuff. The next article showed how he got it all back in a couple days. He says he believes in the cloud even more now. Beats me why he thinks that. If he had not inadvertently left his 1Password account password in his Dropbox on his wife’s computer it might have been much more difficult to recover control of his accounts.

As to all the wiped data, well it was lost forever on the precious cloud, but the nice folks at DriveSavers got his SSD (solid-state drive) in his mac mostly recovered at a cost of $1,690. So since the whole thing gave him half a dozen popular articles to write-up, you could argue getting hacked was the best thing that ever happened to his career. It reminds me of when King Louis XIV’s minister Colbert asked a bunch of writers “What can France do for you?” One shouted back—“Throw us in prison.” It would give them something to write about and the time and solitude needed to write it.

DriveSavers-clean-room

DriveSavers have a full cleanroom to save hacked, damaged, or corrupted hard drives. They can also do forensic hardware analysis on solid state drives (SSDs) as in Matt Honan’s case.

What astonishes me is that this hack happened to a technically astute denizen of San Francisco. Maybe he should move to Silicon Valley, we know a lot about security here and Atmel’s group in Colorado knows even more. Not only did Honan misplace his trust in online accounts and the precious cloud, he kept no secure data backup. He courageously accepts the blame, but also tries to deflect some blame onto Apple and Google. Sorry, your data is your responsibility. Apple and Google quickly closed the social-manipulation hacks the sociopath used, but it is not their job to accept responsibility for your data. That is your responsibility.

This is what we keep harping on here at Atmel. Security is a key pillar in the Internet to Things, and the best security, the only real security, is hardware security. You don’t want these malicious hackers changing your thermostat, or running up your electric bill, or stealing your security camera feeds. Atmel has inexpensive tiny chips you can use to secure these gizmos. Some of our chips use symmetrical authentication. The security chip is programmed with your secret key, and you know the secret key. The microcontroller, and it doesn’t have to be an Atmel microcontroller— it can be anyone’s, sends a random number to the Atmel security chip. The Atmel chip does a mathematical operation on the random number using the secret key, and sends that result back to the microcontroller. The host microcontroller has a local Atmel security chip to do the same mathematical operation on the same random number and then it compares the two results. If they don’t match, the code stops executing. That way no-one can put in bogus code and take over your gizmo. It gives you secure boot and secure downloads and upgrades. You can also use Atmel security chips to verify a battery or accessory is genuine and not some knock-off product.

Basic RGB

Atmel’s CryptoAuthentication™ system uses hardware and extreme security to protect your system.

Now since the microcontroller is connected to the Atmel security chips by way of a common SPI port, you might fear a hacker could snoop on the communication and learn the random number sent to the Atmel chips or the mathematical result sent from it to the micro. That’s the beautiful part of this. The micro generates a new random number every time. If the host micro is too small and simple to generate a reliable random number, the tiny Atmel security chip has its own true random number generator (TRNG). So the micro can query the Atmel chip for the number, then query for the result, then do the same operation using the same secret key. So snooping on the serial port will only give you the last serial number and the result. You will have no idea of what the operation was that produced the result. Its like snooping and seeing the number 12 transmitted, but you still don’t know if that was based on 2 time 6 or 3 times 4. Now imagine that problem with numbers hundreds of bits long, and you can see how secure this makes your system.

Hardware-security-usb-drive

This USB memory stick has a keypad to unlock it. You can store all your passwords or love letters on it and no one can get in without the code.

So it’s great to have services like 1Password, which is a browser extension combined with a remote server that generates and stores different passwords for all your needs. If, however, you need to use two computers, and who doesn’t, now you get to involve Dropbox so that you can store the master password there so you can get your 1Password even if you are at a Kinkos computer. Thing is, I just feel better with hardware security. In this case, it would be using a USB stick with hardware keypad or fingerprint sensor. Those are great since you don’t need a program on the computer of Surface Pro tablet to run it. You swipe your finger or type in a code and the stick unlocks and you can cut-and paste passwords as you need to. Thing is, there I worry about Windows saving some temporary file. I looked into this a few years ago, and sure enough, even a text file seemed to get cloned somewhere once you opened it off a stick. So the real hardware security is two-factor authentication like you get with an RSA dongle or a YubiKey. Once again, the essential element is a real physical piece of hardware that makes the system secure. I love the YubiKey since it emulates a keyboard, so unless someone infected your computer with a keylogger, there is no record that you used it. And, like the RSA SecurID, even if they do keylog it, the same code never works twice. They are just like that Atmel security chip and just as uncrackable.

YubiKey-Nano-+-lanyard

The YubiKey is a two-factor authentication system accepted by more and more sites for login. The Nano model is as small as the USB contact pins. Pressing a little button on the device makes it send the one-time log-on code as though it was a USB keyboard.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s