Living on the Edge: MEMS, Sensors and Cybersecurity
By Maria Vetrano 06.20.2019
While there are a multitude of ways to hack into any given system, MEMS and sensors are especially vulnerable to attack. What is the fix?
Though sensors and MEMS are exceedingly vulnerable to malicious hacking, it is possible to harden them against attack.
Over the past decade, cyber-savvy thieves have used hacked IoT devices in homes for pre-theft reconnaissance. Security researchers have demonstrated the ability to control vehicles by hacking on-board sensors.
Infrastructure is also at risk. In 2012 Iranian hackers compromised control systems of a dam in upstate NY, and the 2018 gas-line explosions in the Boston area — while not cyberattacks — were caused by the kind of pressure-sensor errors that a hacker could emulate.
While there are a multitude of ways to hack into any given system, MEMS (micro electro-mechanical systems) and sensors are especially vulnerable to attack. The attributes that make them so cheap and powerful also make them difficult to secure: they are tiny, have limited processing power, and offer little physical room for memory or additional computing.
And they're ubiquitous. Mitre Corp.’s principal cyber security engineer Cynthia Wright explained, “In homes and offices, we find MEMS and sensors in air-quality alert and fire-detection systems. In cars and trucks, they enable vehicle airbag-crash sensors, tire pressure monitoring systems, collision avoidance and a multitude of other safety functions. In medical wearables, they monitor blood glucose levels, heart rate and other biological functions. We use them for insulin delivery and for neural, cochlear and retinal implants. They are integral to prosthetic arms and limbs.
“MEMS and sensors also play a role in critical infrastructure such as power plants and transportation systems,” said Wright, a retired military officer with over 25 years of experience in national security and cyber strategy and policy. She added that they are widely deployed in military applications such as battlefield robots and exoskeletons, bomb bots for defusing ordnance, and laser tuning for communications and satellites.
Although these MEMS- and sensors-enabled systems are incredibly diverse, they have one thing in common: their wireless connectivity — the conduit through which they become vulnerable. Despite these challenges of connectivity and capacity, the MEMS and sensors industry can improve the cybersecurity of connected electronics.
Carmelo Sansone, director, SEMI-MEMS & Sensors Industry Group (MSIG), sees this challenge as an opportunity for MEMS and sensors suppliers. “Suppliers don’t need to reinvent themselves to secure wirelessly connected electronic products,” said Sansone. “They do need to fearlessly explore potential vulnerabilities in order to address them, and they need to decide which types of devices warrant added security.”
Understand Vulnerabilities
Sansone advises that manufacturers must first understand the potential points of vulnerability of their products. As devices that enable interaction with the environment, MEMS/sensors generally reside at the system edge. They are often used in systems that provide physical asset security, such as motion, fire or other hazard detectors, or in security cameras. They also provide the data used by higher-level system software to make operational decisions, such as opening a valve or lowering a diverter.
Wright noted that because MEMS/sensors tend to be deeply embedded in a system, the data they collect is often either personally, proprietarily or operationally sensitive. “These characteristics, combined with the simplicity and low-level functionality required for such ubiquitous sensors, make them both very attractive and quite vulnerable to hackers,” she said.
Wright offered an example. “In an IoT product such as a medical device or vehicle proximity sensor, MEMS and sensors gather sensor data that is essential for the device to function properly,” she offered. “A hacker might alter that sensor data to communicate erroneous information to IoT software, which, in turn, alters system performance — sometimes disastrously.”
Which end-user applications are most vulnerable? According to John Chong, vice president, product & business development, Kionix, “The most vulnerable devices are unprotected network-connected devices with single points of failure. The most important to secure are those in which a compromised sensor puts the safety and security of items of value — including human lives — at risk.”
Tzeno Galchev, product marketing manager, MEMS Technology Group, Analog Devices, agrees with Chong that the key question isn’t which types of connected devices are most vulnerable but rather how they are used.
“It is hardest to secure MEMS-enabled connected devices in the consumer space because the threat surface is generally more expansive,” said Galchev. “As there is no physical restriction on who handles a smartphone or a wearable, for example, implementing additional protection at the device level can make it prohibitively expensive or degrade the user experience, deterring user adoption. In markets such as automotive, public infrastructure or military/aerospace, on the other hand, designers recognize the criticality of security, so they take extra care in building security into their systems. To do otherwise could result in catastrophic and life-threatening implications on a mass scale. That’s why the MEMS-enabled connected devices embedded into such systems are required to support system-wide security.”
Not All Attacks Are Equal
Some security attacks on sensors are more sophisticated — and potentially damaging — than others. According to Wayne Chavez, business development manager, IoT Sensors, NXP Semiconductors, “Some attacks simply ‘defeat’ the sensor entirely, rendering it inoperable. Other more elaborate attacks can replace sensor data with errant information, potentially manipulating functions, commands or the system as a whole.”
Wright pointed out that shutting down a proximity sensor in an automatic garage door versus altering sensor data in a train to cause a collision are attacks of very different magnitude.
There is also a difference between isolated cyberattacks and attacks with cascading effects. “One cyberattack might cause a piece of factory equipment to malfunction, which ruins the equipment,” said Wright. “Another attack might cause a refinery’s systems to fail, which then causes an explosion with a toxic plume.”
Perhaps industry will offer varied levels of assured security and privacy for different applications. One level of security could suffice for smart lightbulbs, for example, while another is established for biomedical devices, automobiles or infrastructure such as dams and refineries.
Who’s Responsible?
Scores of MEMS and sensors suppliers. Dozens of industry standards bodies and government regulators. Thousands of original equipment manufacturers (OEMs) and system integrators. While all have skin in the game when it comes to securing devices from cyberattack, it is unclear who should take responsibility for addressing this highly complex issue.
While government regulation might provide some long-term solutions, government is too grid-locked to offer meaningful regulation soon. Industry has the most to gain from getting ahead of this problem, and MEMS/sensors suppliers in particular can outshine the competition by offering more differentiated secure products.
Chavez suggests that we look to automotive for an example that works. “Years ago, the automotive industry united to address safety integrity levels, or ASIL,” he said. Learning from an industry steeped in safety-critical electronics sounds like good advice for MEMS/sensors suppliers.
Galchev agrees that MEMS/sensors suppliers should consider best hardware security practices developed for other technologies or industries. “We should explore emerging IoT security standards, such as ISA 62443 for industrial, ETSI TS 103645 for consumer, and ISO/SAE 21434 for automotive, when we consider security standards for MEMS and sensors,” he said. “While I am less optimistic about industry-wide standardization, I am more hopeful that we can reach consensus by sensor type or use-case.”
Sansone observed that setting security standards for sensors is highly complex because sensors do not share the same common classes of semiconductors such as power products, converters or microcontrollers. Galchev agreed, noting that “the sensor industry is anything but homogenous. Different types of sensors use different sense mechanisms, have different cross-sensitivities to other physical phenomena, and generally have different security threats.”
After recognizing the inherent vulnerabilities in MEMS/sensors, agreeing that we need varied levels of security for different classes of products, and acknowledging that we cannot actually determine who is responsible for fixing the cybersecurity risks associated with these intelligent devices, let’s look at something very practical and positive: how to reduce the risks associated with such devices.
How Do We Fix It?
When I asked SEMI-MSIG experts how to increase the security of MEMS/sensors, they offered helpful pragmatic approaches. Galchev suggested that reducing the number of hardware ports to the device would limit the number of avenues through which physical threats can occur. At the same time, he recommended increasing software-defined functionality to add market differentiation.
“The right approach requires a balance in design, development and deployment,” said Galchev. “We need to design functionality that is market-competitive as we think holistically about the possible threats early-on during design, and then determine what needs to be mitigated while we consider any residual risks. We also close off any debug ports that are not required during device deployment.” Wright loves this design philosophy, which aligns with MITRE’s simple cybersecurity precept: “Build it in. Don’t bolt it on.” Chavez also agrees, stressing that security cannot be an afterthought, adding that his company practices a “secure-by-design” philosophy that extends from the platform level to hardware-based root-of-trust.
According to Chong, ensuring that the data in motion has not been tampered with is itself a form of authentication. “Securing the data between points of encryption/decryption is one of the easier things to implement,” he said. “While it does not address other vectors of attack, such as spoofing the sensor, physically destroying the sensor, or compromising the data outside the encryption/decryption points, it is still a valuable security measure.”
Galchev advocates for balancing cybersecurity approaches against the common system requirements of all edge-nodes, which include energy budget, computational capability, network and communication limitations, and cost. Like Chong, Galchev recommends establishing the level of data integrity at the hardware level, where it is first processed. The National Institute of Standards & Technology (NIST) is examining approaches for “lightweight” encryption at the sensor level, which would secure the data as it is collected and pre-processed, without overtaxing MEMS/sensors’ capacity.
Chavez also noted that encryption at the edge is increasingly driving security for the IoT and industrial markets, offering tire pressure monitor sensors (TPMS) as a good example. “TPMS devices live autonomously inside the wheel/tire assembly and therefore only share data wirelessly to the network,” he said. “Encryption at the edge is essential to ensure that valid data is transmitted to the vehicle.”
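
An added example, not from the article or from any vendor quoted in it: a sketch of the data-in-motion integrity check Chong describes, applied to a TPMS-style wireless frame. HMAC-SHA256 from Python's standard library stands in for the lightweight schemes NIST is examining; the frame layout, tag length, key and sensor ID are constructed assumptions.

```python
import hashlib
import hmac
import struct

FRAME = ">HIh"                 # assumed layout: sensor id, counter, reading
BODY_LEN = struct.calcsize(FRAME)
TAG_LEN = 8                    # truncated tag to suit short radio frames

def seal(key: bytes, sensor_id: int, counter: int, reading: int) -> bytes:
    """Sensor side: pack the fields and append a truncated HMAC tag."""
    body = struct.pack(FRAME, sensor_id, counter, reading)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, keys):
        self.keys = keys       # sensor id -> per-sensor key
        self.last = {}         # sensor id -> highest counter accepted so far

    def accept(self, frame: bytes):
        """Return (reading, "ok") or (None, reason)."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return None, "bad-length"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        sensor_id, counter, reading = struct.unpack(FRAME, body)
        key = self.keys.get(sensor_id)
        if key is None:
            return None, "unknown-sensor"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad-tag"          # altered in transit or wrong key
        if counter <= self.last.get(sensor_id, -1):
            return None, "replay"           # old frame re-sent
        self.last[sensor_id] = counter      # state changes only after the tag checks out
        return reading, "ok"

def demo():
    key = bytes(range(32))                  # constructed key, illustration only
    rx = Receiver({0x0101: key})
    good = seal(key, 0x0101, 1, 220)        # constructed reading: 220 kPa
    altered = bytearray(good)
    altered[7] ^= 0x40                      # one bit of the reading changed in transit
    return [
        rx.accept(good),
        rx.accept(bytes(altered)),
        rx.accept(good),                    # same frame received a second time
        # A valid tag only proves the frame came from the key holder unchanged;
        # it says nothing about whether the measurement itself was falsified.
        rx.accept(seal(key, 0x0101, 2, 95)),
    ]
```

The last frame in `demo()` is accepted, which is the limit Chong points out: the check covers the link between the two endpoints, not a spoofed or compromised sensor.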
Pros and Cons of OTA
While most of us are familiar with our smartphone operating systems’ annoying-but-necessary Over-the-Air (OTA) updates, many are not aware that designers of IoT, biomedical, transportation and industrial devices also frequently employ OTA updates. As the mere idea of an insecure OTA update for an insulin pump, security system or electrical grid strikes fear into even the bravest heart, I asked the SEMI-MSIG experts what they thought of this cybersecurity technique.
Chong can see both sides of the issue: “On the positive side, once bugs or vulnerabilities are found, they can be fixed quickly. On the negative side, this is a vector itself for mal-intent.” Chavez identified the network connection as the greatest point of vulnerability. He warns that “the more the system is exposed to external connection, the higher the risk.”
Wright added that other protections, like establishing preconditions for accepting an OTA update — such as authentication of the source — could also help to ensure that OTA functionality is only used to secure a system, not compromise it.
Let’s Fix It
Whether launched by domestic or international attackers, threats to the cybersecurity of MEMS/sensors-enabled wirelessly connected products and systems are real.
It is clear that some suppliers have already accepted the challenge — and have the technical expertise to design more secure devices that play such a critical role in smart, wirelessly connected systems of every flavor.
SEMI-MEMS & Sensors Industry Group (SEMI-MSIG), the leading technology community representing the global MEMS and sensors supply chain, looks to its membership – and to the technology community at large — to get involved in the conversation. We will be watching for your comments on this page.