Locking hackers out of your gadgets
Companies are inventing more and more devices to make our lives easier: vending machines that order fresh drinks from suppliers when they run out, sports watches measuring our heart rate and ovens and lights that can be turned off even when you’ve left your home. Eurostars project RESCURE holds the key to keeping your data on these devices secure.
The Internet of Things has crept into even the most traditional households without many of us realising it. Academics at Carnegie Mellon University in the United States first modified a drinks vending machine in 1982, connecting it to the Internet, so it could report on the temperature of the drinks and which ones needed replenishing. Following this, developing IoT devices didn’t take off properly until 2008-2009.
In the last decade, the number of devices connected to the Internet has rocketed, and with it the risks that our personal data will fall into the wrong hands. “If you have a smart energy metre, it will upload data from your home onto a cloud, and you want to know the energy company is keeping that data secure,” says Georgios Selimis, a senior security engineer. “An Internet of Things device could be exploited by hackers to steal personal data, or it could be a gateway into a governmental organisation. Every individual and every country should keep all those devices extremely secure.”
Selimis coordinated a Eurostars project with the mission of keeping internet-connected devices safe. He heads the research group at Intrinsic ID (a Dutch spin-off from Philips Research Group, founded by a few engineers in 2008), who invented an unclonable silicon fingerprint for IoT devices, called Physical Unclonable Functions (PUF). The fingerprint makes devices hard to hack. The company patented its SRAM PUF technology and is now expanding the types of products it can protect.
The technology has caught the eye of the European Investment Bank, who granted an 11 million euro loan in May, supported by the European Fund for Strategic Investments (EFSI). “In an ever more digital world, the EIB should definitely support this,” said the bank’s Vice President Alexander Stubb.
The EIB said that Intrinsic ID was a “strategic investment”. Three years ago, Ukraine suffered a blackout in the western part of the country caused by a malware called “BlackEnergy”, and several other countries (including the United Kingdom and Ireland) have been the victims of reported intrusion on their power grids. Companies have also noticed their devices being targeted by data criminals.
Intrinsic ID’s technology is already being used to protect 125 million IoT devices, and the Eurostars project developed products to protect an even wider range of gadgets. The only thing needed to create Intrinsic ID’s unique, unclonable silicon ID is for the IoT device to have a microcontroller (a lightweight computer), which even cheap devices have for processing information. The technology uses a SRAM memory circuit that is in all microcontrollers, and the SRAM cells generate a unique random value: a kind of fingerprint. “Some of the cells are unstable (the fingerprint is a bit noisy), but our algorithm mitigates for this noise and amplifies the randomness to generate the key,” explains Selimis.
To improve its algorithm, Intrinsic ID teamed with researchers at the Technical University of Eindhoven and engineers at TECHNIKON in Austria. The consortium had a unique blend of software and hardware engineers, including experts in “SRAM PUF information theory”: how secret keys can be obtained from SRAM fingerprints using error-correcting codes. “RESCURE’s mission and aim was perfectly in line with our business roadmap of delivering industrial security engineering services based on software and hardware-entangled technology,” said Mario Münzer, a software engineer at TECHNIKON. “RESCURE fostered our collaboration and allowed us to enhance our services.” The partners piloted the technology on different types of IoT devices used in critical infrastructures: those used in home automation, wearables and medical devices.
As a result of its testing, Intrinsic ID are already offering what it calls a “retrofitting of IoT devices”. They are using their technology to help manufacturers make devices secure, even those already on the market. Intrinsic ID are selling that service to device manufacturers and car companies, amongst other clients.
Companies are increasingly worried about potential damage to their reputation if their devices are hacked. “To be able to transform a non-secure device to a secure one is invaluable since it saves redesigning from scratch,” says Selimis.
Earlier this year, one of the company’s products, BroadKey, won “IoT Security Product of the Year” in the industry’s prestigious IoT Breakthrough Awards.
Intrinsic ID have increased their revenues over the last few years and expect this to continue as developers accelerate production of devices. Consultancy McKinsey Global Institute estimates the global worth of the IoT could reach 5.5 trillion euro by 2025, and technology company Intel forecasts the number of smart devices could rise to 200 billion in 2020 (from 2 billion in 2006), and that in 2021, the average person will own more than 26 each.
In the future, even animals will be connected to the Internet, and the way we interact with devices will change, Selimis predicts. ”Digital and physical worlds will converge. We will interact with the devices seamlessly,” he says. “You won’t have to type, because the Internet will be part of our environment. Devices, like virtual assistants and robots will be part of our life, giving us better daily scheduling, better health diagnostics and better waste management in our household.”
He adds: “Obviously, protecting our privacy will be challenging, and security innovation and regulations will all have to evolve to cater for new products on the market.”
Partners: Intrinsic ID (the Netherlands), Technikon Forschungs Und Planungsgesellschaft (Austria), Eindhoven University of Technology (the Netherlands)
Project ID: 11897 RESCURE (Eurostars)
Project duration: February 2018 to January 2020