The emergence of the smartphone industry has enabled the commodity hardware market to expand at an astonishing rate. Providers are creating cheap, compact, and widely compatible hardware, which bring about underestimated and unexplored security vulnerabilities. Often, this hardware is coupled with back end and front end software designed to handle data-sensitive applications such as mobile point-of-sale, home security, and health and fitness, among others. Given the personal data passed through these hardware devices and the infancy of much of the market, potential security holes are a unique and growing concern. Hardware providers face many challenges when dealing with these security vulnerabilities, foremost among them being distribution and consequent deprecation issues, and the battle of cost versus security.
The encryption chip for the Square Reader, a commodity hardware device, is located in the bottom right hand corner instead of on the magnetic head. This drastically reduces the cost of the device.
An important part of designing a hardware device is being prepared for a straightforward hardware deprecation. However, this can be a thorn in a provider’s side, especially when dealing with widespread production. These companies create on the order of millions of copies of each revision of their hardware. If the hardware has a critical security vulnerability post-distribution, the provider must develop a way to not only deprecate the revision, but also fix the problem and distribute the fix to their customers. A hardware security vulnerability can be very detrimental to companies unless a clever solution through companion software is possible to patch the issue and avoid a hardware recall. In lieu of this, products may require a full recall, which can be messy and ineffective unless the provider has a way to prevent future, malicious use of the insecure previous revision.
Many hardware providers have begun opting out of conventional product payments and have instead turned to subscription or use-based payments. Hence, the provider may charge low prices for the actual hardware, but still maintain high yields, typically through back end or front end companion software. For example, Arlo creates a home security camera with a feature that allows users to save videos through their cloud service and view the videos on their smartphone. The price of the camera (their hardware) is mid-range when measured against their competitors, but they charge a monthly fee for extra cloud storage. This enables Arlo to have a continual source of income beyond their hardware product. The hardware can be seen as a hook to a more stable source of income, so long as consumers continue to use their products. For this reason, it is critical that providers minimize costs of their hardware, even down to a single dollar—especially given their large-scale production. Unfortunately, the cost of the hardware is typically directly related to the security of the system. For example, a recent vulnerability found by me and my colleagues in the latest model Square Reader is the ability to convert the Reader to a credit card skimmer via a hardware encryption bypass. This vulnerability was possible due to the placement of the encryption chip on a ribbon cable offset from the magnetic head. If the encryption chip and magnetic head had been mounted to the Reader as an assembly, the attack would not have been possible. However, there is a drastic difference in the cost, on the order of several dollars per part, and therefore security was sacrificed for the bottom line. This is the kind of challenging decision every hardware company has to make in order to meet their business metrics, and often it can be difficult to find a middle ground where security is not sacrificed for expense.
New commodity hardware will continue to integrate into our personal lives and personal data as it becomes cheaper, more compact, and universally compatible. For these reasons, commodity hardware continues to present undetermined and intriguing security vulnerabilities. Concurrently, hardware providers confront these demanding security challenges unique to their industry. They face design issues for proper hardware deprecation due to massive distribution, and they play a constant tug-of-war between cost constraints and security, which typically ends with a less secure device. These potential security holes will remain a concern so long as the smartphone industry and commodity hardware market advance.
Alexandrea Mellen is the founder and chief developer at Terrapin Computing, LLC, which makes mobile applications. She presented as a briefing speaker at Black Hat USA 2015 (“Mobile Point of Scam: Attacking the Square Reader”). She also works in engineering sales at The Mellen Company, which manufactures and designs high-temperature lab furnaces. She has previously worked at New Valence Robotics, a 3-D printing company, as well as The Dorm Room Fund, a student-run venture firm. She holds a BS in Computer Engineering from Boston University. During her undergraduate years, she completed research on liquid metal batteries at MIT with Group Sadoway. See alexandreamellen.com for more information.