
Security Highlight: Lifespan Implications on Device Security

Electronic devices have a limited lifespan. This is less about the electronics wearing out and more about the natural aging of technology. A common example of this is a smartphone. Users replace them because they seek the newest features, such as communication speed, screen size, biometrics, and energy capacity. Due to fast technological advancements, smartphones have an average lifespan of only 2.5 years. However, this varies per product. TVs have a life expectancy of six years, and cars even survive twelve years.

This variation in lifespan also affects security. Product vulnerabilities and evolving attacks require frequent product revisions and software updates to maintain a sufficient security level. We all see this in the constant stream of software security updates for our devices. Unfortunately, it's not easy to update hardware; once the hardware turns out to be vulnerable, the product may require expensive repairs or suffer the consequences of a breach.

It makes sense that device manufacturers focus on software security. Software vulnerabilities can be remotely exploitable, exposing the device to highly scalable attacks. However, some local attacks can be so profitable that they become scalable, too. These are typically activities where people extend the service or functionality of their own device. Think about counterfeit consumables (e.g., printer cartridges, spare parts) or content piracy (e.g., games, video). While these device security attacks do require some adverse action per device, they are quite popular and successful.

We observe that while software attacks are getting more difficult, there is still limited defense against hardware attacks. Recently, attacks were published against high-profile semiconductor chips. They show that relatively simple voltage glitching attacks are possible, and they demonstrate that a single vulnerability can not only break the chip but may also jeopardize any device that uses it. Devices that have a long life expectancy may be especially at risk here.

We recommend that chip manufacturers keep taking the fault injection threat seriously, harden their designs, and invest in verification and test capabilities. This way, they can lead the industry in addressing the threat and avoid the cost and embarrassment of large-scale vulnerability exploitation in the field.
