Wednesday, July 27, 2011

The Economic Reality of Mobile Device Security

The smarty-pants over at iSEC Partners demonstrated a GSM network hack to break into a car, presumably one equipped with OnStar or a similar system.

This is a really important conversation that I've been tracking since 2005. They nailed about 1/3 of the problem with this statement:
One problem is that vendors are using smaller chipsets to save money and they don't have enough code space to handle large number cryptographic processing.
The simple economics are that faster chips are more expensive, require more electrical power, and tend to be larger in size. So if you really want to squeeze the last dollar out of an embedded system (which you do if you're going to build millions of them and sell them at the biggest margin possible), you use the cheapest chips possible. Similarly, if you want the device as small and/or low-powered as possible, you typically have to make compromises on speed as well. Combine all three of these requirements, and you tend to end up picking a pretty wimpy little CPU.

Encryption is really hard work, even for a computer. So much so that for many embedded sensor devices or other systems, the actual work being done on the device is far less complex than the task of encrypting the data for transmission or storage. So it becomes a very expensive proposition to do encryption.

The other problem that they failed to mention is that encrypted messages tend to require MUCH more bandwidth. Sending a given message in an encrypted format requires more bytes than sending it without encryption, because the ciphertext carries extra data (an IV or nonce, padding, and an authentication tag) on every message. And when you want to scrunch the data down into the smallest possible M2M wireless data plan, encryption becomes very expensive here as well. Even if you have sufficient horsepower on board, the monthly overhead of a bigger data plan can represent millions of dollars added to the cost of your product. For something as widespread as OnStar, this might be tens or even hundreds of millions of dollars.

The reason I think that the chip itself is only 1/3 of the problem is because the bandwidth costs are recurring and never-ending. Going from a $10 chip to a $20 chip might increase the cost of your product by $10 up front, but going from a $5/month data plan to a $7/month data plan will increase the cost of your product a lot more over time.
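To put numbers on the bandwidth argument above, here is a small size model, added as an example and not code from the post or from iSEC Partners. The three frame layouts are constructed assumptions chosen to represent common designs, not any vendor's actual telematics protocol; the message sizes and message rates are likewise made up for illustration.

```python
"""
Size model for what encryption adds to a small machine-to-machine (M2M) frame.
Added, constructed example: the frame layouts below are assumptions, not a
description of OnStar or any other real product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameScheme:
    name: str
    nonce_len: int    # IV/nonce bytes transmitted with every message
    block_len: int    # cipher block size for padded modes; 0 for stream/AEAD modes
    tag_len: int      # authentication tag (MAC) bytes
    counter_len: int  # explicit anti-replay counter sent in the clear


# Assumed layouts (constructed for this example):
# 1. AES-CBC + HMAC-SHA256 with a full IV and full tag: a common "textbook" design.
CBC_HMAC = FrameScheme("AES-CBC + HMAC-SHA256", nonce_len=16, block_len=16, tag_len=32, counter_len=0)
# 2. AES-GCM with the usual 96-bit nonce and 128-bit tag: no padding.
AEAD_GCM = FrameScheme("AES-GCM", nonce_len=12, block_len=0, tag_len=16, counter_len=0)
# 3. A constrained-link layout: a 32-bit counter doubles as the nonce input, 64-bit truncated tag.
COMPACT = FrameScheme("CTR + truncated MAC", nonce_len=0, block_len=0, tag_len=8, counter_len=4)


def padded_len(plaintext_len: int, block_len: int) -> int:
    """Length after PKCS#7 padding (always adds 1..block_len bytes); unchanged if block_len == 0."""
    if block_len == 0:
        return plaintext_len
    return (plaintext_len // block_len + 1) * block_len


def frame_len(plaintext_len: int, scheme: FrameScheme) -> int:
    """Bytes on the wire for one encrypted-and-authenticated message."""
    return (scheme.nonce_len + scheme.counter_len
            + padded_len(plaintext_len, scheme.block_len) + scheme.tag_len)


def overhead_bytes(plaintext_len: int, scheme: FrameScheme) -> int:
    """Fixed-ish per-message cost: everything on the wire that is not payload."""
    return frame_len(plaintext_len, scheme) - plaintext_len


def monthly_bytes(messages_per_day: int, plaintext_len: int, scheme: FrameScheme, days: int = 30) -> int:
    """Recurring traffic per device per month: the part that shows up on the data plan."""
    return messages_per_day * days * frame_len(plaintext_len, scheme)


if __name__ == "__main__":
    # A 12-byte status/command payload vs a 1200-byte diagnostic upload (constructed sizes).
    for size in (12, 1200):
        for scheme in (CBC_HMAC, AEAD_GCM, COMPACT):
            extra = overhead_bytes(size, scheme)
            print(f"{scheme.name:24s} payload={size:5d}B  overhead={extra:3d}B ({100 * extra / size:5.1f}%)")
    # 48 heartbeat messages a day with a 12-byte payload: plaintext vs AES-GCM monthly traffic.
    plain = 48 * 30 * 12
    print(f"plaintext month: {plain} B; AES-GCM month: {monthly_bytes(48, 12, AEAD_GCM)} B")
```

The model makes the practitioner's point explicit: the added bytes are a nearly fixed cost per message, so a 12-byte command more than triples in size under AES-GCM while a 1200-byte upload grows by about two percent. The design lever for a constrained link is therefore to amortize that fixed cost (implicit nonces derived from a counter, truncated tags, fewer larger frames) rather than to drop encryption and authentication altogether.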

But the fundamental problem with security is that it is what we in the software world call a "non-functional requirement".

Product requirements break down into two categories: functional, and non-functional requirements. Functional requirements represent the stuff your product needs to do in order to fulfill its intended purpose for your customer. "Unlock the door on the car" is a functional requirement. Non-functional requirements are requirements that don't directly meet the customer's need, but are required in order to deliver the product. They represent "criteria that can be used to judge the operation of a system, rather than specific behaviors." (Wikipedia)

Unfortunately, when you start figuring out the cost of a system, the non-functional requirements are the first to take a hit. You can get the job done without it. Whether or not you can do the job well, or properly, may be up for debate. It is the difference between "must" and "should".

Most mobile embedded systems can do everything they need to do with a less powerful computer chip and a cheaper mobile data plan. When you do the cost analysis, meeting stronger non-functional requirements around security becomes really expensive. But they're a business, so they want to bring the product to market at a competitive price, with the highest margins they can manage. There are no laws covering this kind of information, and the consumer hasn't demanded stronger security. So they simply don't do it.

Like almost everything in the world, it all comes down to money and risk. If people really cared about security, they would demand it. But then the cost of many services we take for granted today would go up significantly. Some might no longer be economically feasible. How much do you want to pay for someone to say "Hello, this is OnStar, how can I help you?" at the push of a little red button?

The only good news in this is that both chips and bandwidth are becoming cheaper. By the time the public starts demanding secure systems, it might actually be feasible to deliver them.
