Detecting Unauthorized Activity in Lightweight IoT Devices

Document
Description

The manufacturing process for electronic systems involves many players, from chip/board design and fabrication to firmware design and installation.

In today's global supply chain, any of these steps are prone

The manufacturing process for electronic systems involves many players, from chip/board design and fabrication to firmware design and installation.

In today's global supply chain, any of these steps are prone to interference from rogue players, creating a security risk.

Manufactured devices need to be verified to perform only their intended operations since it is not economically feasible to control the supply chain and use only trusted facilities.

It is becoming increasingly necessary to trust but verify the received devices both at production and in the field.

Unauthorized hardware or firmware modifications, known as Trojans,

can steal information, drain the battery, or damage battery-driven embedded systems and lightweight Internet of Things (IoT) devices.

Since Trojans may be triggered in the field at an unknown instance,

it is essential to detect their presence at run-time.

However, it isn't easy to run sophisticated detection algorithms on these devices

due to limited computational power and energy, and in some cases, lack of accessibility.

Since finding a trusted sample is infeasible in general, the proposed technique is based on self-referencing to remove any effect of environmental or device-to-device variations in the frequency domain.

In particular, the self-referencing is achieved by exploiting the band-limited nature of Trojan activity using signal detection theory.

When the device enters the test mode, a predefined test application is run on the device

repetitively for a known period. The periodicity ensures that the spectral electromagnetic power of the test application concentrates at known frequencies, leaving the remaining frequencies within the operating bandwidth at the noise level. Any deviations from the noise level for these unoccupied frequency locations indicate the presence of unknown (unauthorized) activity. Hence, the malicious activity can differentiate without using a golden reference or any knowledge of the Trojan activity attributes.

The proposed technique's effectiveness is demonstrated through experiments with collecting and processing side-channel signals, such as involuntarily electromagnetic emissions and power consumption, of a wearable electronics prototype and commercial system-on-chip under a variety of practical scenarios.