WHY THIS MATTERS IN BRIEF
As the number of connected devices increases we need new ways to prevent them from being hijacked by cyber criminals.
While we embrace the way the Internet of Things (IoT) already is making our lives more streamlined and convenient, the cybersecurity risk posed by millions of wirelessly connected gadgets, devices and appliances remains a huge concern. Even lone targeted attacks can result in major damage, and when cybercriminals control and manipulate several network nodes, or several million, as happened recently with the Mirai botnet which took down most of the US east coast internet, the potential for destruction increases dramatically.
And this is the issue that University of California Santa Barbara computer science professor Dmitri Strukov is working to solve. He and his team are looking to put an extra layer of security on the growing number of internet and Bluetooth enabled devices using a technology that aims to prevent cloning – the practice by which nodes in a network are replicated and then used to launch more attacks from within the network.
In order to accomplish this Strukov has built a computer chip that makes use of “ionic memristor technology,” in other words it’s an “analogue memory hardware solution to a digital problem.”
“You can think of it as a black box,” said Strukov, whose new paper, “Hardware intrinsic security primitives enabled by analogue state and nonlinear conductance variations in integrated memristors,” appears on the cover of Nature Electronics. Due to its nature, the chip is physically unclonable and can thus render the device invulnerable to hijacking, counterfeiting or replication by cyber criminals. Which in short means it cuts these types of cloning attacks off at the knees.
Key to this technology is the memristor, or memory resistor technology – an electrical resistance switch that can “remember” its state of resistance based on its history of applied voltage and current. Not only can memristors change their outputs in response to their histories, but each memristor, due to the physical structure of its material, is also unique in its response to applied voltage and current. Therefore, a circuit made of memristors results in a black box of sorts, as Strukov called it, with outputs extremely difficult to predict based on the inputs.
“The idea is that it’s hard to predict, and because it’s hard to predict, it’s hard to reproduce,” Strukov said. The multitude of possible inputs can result in at least as many outputs – the more memristors, the more possibilities. Running each would take more time than an attacker may reasonably have to clone one device, let alone a network of them.
The use of memristors in today’s cybersecurity is especially significant in light of machine learning enabled hacking, in which Artificial Intelligence (AI) technology is trained to “learn” and model inputs and outputs, then predict the next sequence based on its model. With machine learning, an attacker doesn’t even need to know what exactly is occurring as the computer is trained on a series of inputs and outputs of a system.
“For instance, if you have 2 million outputs and the attacker sees 10,000 or 20,000 of these outputs, he can, based on that, train a model that can copy the system afterwards,” said Hussein Nili, the paper’s lead author. The memristor black box can circumvent this method of attack because it makes the relationship between inputs and outputs look random enough to the outside world even as the circuits’ internal mechanisms are repeatable enough to be reliable.
“It has to look random, but it should also be deterministic,” he said.
In addition to the variability embedded in these memristor circuits, other features include high throughput, speed and economy of energy use, making them an ideal component in the tight energy budget of the Internet of Things. Then there is the fact that this is already a semi-practical technology which can be used to both secure device identity and encrypt information.
“If we scale it a little bit further, it’s going to be hardware which could be, in many metrics, the state-of-the-art,” Strukov said.
As they continue to refine their technology, Strukov and his team are investigating whether there will be any drifts in the characteristics over time. They also are developing “strong” security paths that require larger memristor circuits which would use additional techniques that are suitable for sensitive military equipment or highly classified information, and “weak” paths geared more toward consumer electronics and everyday gadgets – situations in which it would likely not be worth an attacker’s time to spend hours or days hacking into a device.