Device Manufacturing and Security
Manufacturing and security status quo:
As digital devices become ubiquitous at home and at work, and as humans become dependent on these devices to help organize more of their lives, security of these devices becomes an increasingly important area of concern. Security experts agree, that the best place to add security to devices is during their birth, at the time of their manufacture.
Before we delve deeper into issues that impact security in manufacturing, it is helpful to first understand the digital device manufacturing process. Digital devices (e.g. mobile phones, smart thermostats, routers, smart watches, smart light bulbs etc.) are generally manufactured by Original Equipment Manufacturers (OEM’s, e.g. Apple, Samsung, Microsoft, Honeywell). OEM’s use component IC’s (e.g. MPU’s, MCU’s, memory chips, storage chips, modem chips, configurable logic chips etc.) to develop the hardware of a digital device. These component IC’s are procured by OEM’s from Silicon Vendors (SV), who develop and manufacture these component IC’s prior to their use in smart devices developed by OEM’s. OEM’s design not only the hardware of the smart device, but also design and develop the embedded firmware that runs inside the device and makes it a smart device.
Silicon vendors generally design their component IC’s at their development lab. In order to manufacture their IC’s some silicon vendors set up their own fabrication factory( e.g. Intel, Samsung, TI etc.) Others rely on 3rd parties(e.g TSMC, Global Foundries, Samsung, Intel) to fabricate their Silicon for them. To get their devices to market, Silicon Vendors either sell their IC’s directly to OEM’s or use IC distribution partners (e.g. Avnet, Arrow, BTV) to sell their components.
Like silicon vendors, most OEM’s design hardware and firmware of their digital device at their development laboratory. Based on factors that impact quality, cost, time to market of a digital device, OEM’s have multiple choices when it comes to their manufacturing. The manufacturing of an OEM device involves at least three important steps of interest- assembling of multiple IC’s of the device on to a predesigned and fabricated Printed Circuit Board (PCB), programming of the firmware into the storage component IC of a digital device and testing the hardware and the firmware of the manufactured device to ensure that they work together per design. OEM’s can choose to do all the three steps at their own factory. Alternatively, OEM’s can have the programming of firmware into IC’s done at a IC Vendors distribution partner( e.g. Avnet, Arrow) prior to shipping programmed components to a contract manufacturer(Foxconn, Jabil etc.) for assembly and testing. As a third alternative, all the three steps can be done at the same contract manufacturer (Foxconn, Jabil etc.). From the review of the the IC manufacturing process and the digital device manufacturing process above, it is clear that the device manufacturing supply chain is distributed worldwide and the process can includes multiple stakeholders aside from the OEM.
The first critical issue in manufacturing related to security is that- given that the supply chain of IC’s is global and the device manufacturing process can be distributed across multiple entities in multiple geographies, the supply chain that OEM’s use to build the smart device is today in-secure.
There are multiple factors that lead to the insecurity of the supply chain. The first factor is that a large number of IC components manufactured by Silicon Vendors lack a unique digital identity that can be verified by the OEM’s as part of the manufacturing process. Where IC identity exists, OEM’s have not incorporated an IC verification process to validate the authenticity of component IC’s. This could be because verification process has not been developed or such a process exists but is not scalable to high volume manufacturing- its integration into manufacturing adversely impacts cost or time to market (or both) for the OEM
Lack of security in the supply chain of components is not limited to Silicon IC’s. Boot loader and firmware that is developed by an OEM is important IP that also needs to have a digital identity. This IP also needs to be protected (from changes or loss) while in transit from point of creation (OEM development laboratory) to point of programming (OEM factory, Programming Center, Contract Manufacturer). The device manufacturing processes that are deployed today are weak do not ensure such outcomes.
Another insecurity factor comes into play when OEM’s decide to outsource manufacturing to a 3rd party- since 3rd party manufacturing is done at a remote geographical location, OEM’s have no secure process to manage production counts of their devices at the manufacturing site. These OEM’s have to implicitly trust their 3rd party manufacturing partners to build the correct number of devices. Unfortunately, this trust is broken more often than not, leading to overproduction of devices.
The impact of an insecure supply chain on OEM’s is extremely high. Lack of a verifiable component identity leads to the use of counterfeit components in devices. If this happens, these devices may be of poorer quality and may not be functionally equivalents to devices made from genuine OEM authorized components. Lack of IP protection can lead to manufacture of duplicate devices by alternate OEM’s with same feature and functionality as the original OEM device. Use of counterfeit components, overproduction of devices and duplication of devices lead to lower ASP’s, lower revenue, higher warranty and support costs and lower profitability for the OEM. Lack of security in the supply chain costs OEM’s lost revenue to the tune of hundreds of millions of dollars.
The second critical issue in manufacturing related to security has to do with OEM OEM’s ability to manufacture trusted devices. A trusted device is one which has a unique and verifiable system level identity and can store and execute firmware in a tamper free environment. Some devices have additional security requirement to be able to communicate securely with other devices or systems.
The first factor that impacts OEM’s ability to build trusted devices is the choice of components the OEM makes to design and manufacture of the device. Trusted devices need access to have security functionality designed in- ability to securely generate keys, ability to execute cryptology in a secure environment, ability to store firmware in protected storage and ability to run firmware in a protected environment. If the OEM does not embrace “Security by design” paradigm and ignores security requirements, it is likely the device will be built with the wrong components. This is indeed the case today, as a number of OEM’s are ignoring security as a primary device requirement.
The second factor impacting OEM’s ability to manufacture trusted devices is the availability, maturity and cost of additional technology and processes that need to be integrated into the manufacturing process. Embedding security into devices requires secure flow of important OEM key material and roots of trust from an OEM facility to where devices are manufactured. These methods have yet to be developed and integrated into the device manufacturing process. Embedding security into devices also requires advancements in programming technology so that security credentials for devices can be generated and programmed in addition to programming of firmware. Such technology is yet to be designed and integrated into existing high volume manufacturing processes. Protecting firmware on a device also requires extending the programming cycle on the device to first “secure the device” and then to program “encrypted FW” on the device. This change in programming flow requires development of new device algorithms that secure the device and firmware on the device and lock the device out.
Some OEM’s use in system programming (ISP) method to embed security and firmware into devices. Such a process is done late in the device manufacturing cycle, after components are placed on a PCB of the device. From a security perspective, this approach works if the OEM is manufacturing devices in its own factory. However, if the OEM is using 3rd parties for manufacturing, the OEM would have no cost effective method to verify if all the devices were built using authentic components. In addition, the phases of manufacturing prior to ISP programming will remain vulnerable to tampering attacks on a device.
Rajeev Gulati
Chief Technology Officer
Data I/O Corporation