Security Highlight: Device lifespan implications on security

Author: Marc Witteman

Electronic devices have a limited lifetime. Not so much because the electronics wear out, but because the technology ages. A typical example is a smartphone. People replace them because they seek the newest features, like communication speed, screen size, biometrics, and energy capacity. Due to the fast technological advancements, smartphones have an average lifespan of only 2.5 years. However, this parameter varies per product. TVs have a life expectancy of 6 years, and cars even survive 12 years.

This lifespan variation also has an impact on security. Product vulnerabilities and evolving attacks require frequent product revisions and software updates to maintain a sufficient security level. We all see this in the constant stream of software security updates for our devices. Unfortunately, hardware cannot easily be updated: once the hardware turns out to be vulnerable, the product may need expensive repairs or suffer the consequences of a breach.

It makes sense that device manufacturers focus on software security. Software vulnerabilities have the potential of being remotely exploitable, exposing the device to highly scalable attacks. However, some local attacks are actually so profitable that they become scalable too. These are typically activities where people extend the service or functionality of their own device. Think about counterfeit consumables (e.g., printer ink, spare parts) or content piracy (e.g., games, video). While these attacks do require some adverse action per device, they are quite popular and successful.

We observe that while software attacks are getting more difficult, there is still limited defense against hardware attacks. Recently, attacks were published against high-profile semiconductor chips. They show that relatively simple voltage glitching attacks are possible, and that a single vulnerability can break not only the chip but may also jeopardize any device that uses it. Devices that have a long life expectancy, especially, may be at risk here.

We recommend that chip manufacturers keep taking the fault injection threat seriously, harden their designs, and invest in verification and test capabilities. This way, they can lead the industry in addressing the threat and avoid the cost and embarrassment of large-scale vulnerability exploitation in the field.

Contributed by Marc Witteman, CEO, Riscure. If you have any questions, contact us at inforequest@riscure.com.
