Don't let hackers in the JTAG port
June 22, 2016
If you’ve been watching the ongoing discussions about security in the Internet of Things (IoT), you know that protecting your devices means that you should authenticate anyone trying to gain access to your device. For most of us, the obvious way to access a device would be through the network—Ethernet, WiFi, and other such protocols.
But there’s a more subtle, and dangerous, way to get into your device: through a JTAG debug port. They’re present on many boards, whether or not the actual connector is populated in production units. On one hand, it’s unlikely that someone can do this remotely (unless you’ve somehow networked the port). On the other hand, if someone can physically gain access, they can get up to much more mischief.
JTAG takes you to the low-level heart of a board or chip, giving visibility to things that network access typically can’t provide. Someone who knows what they’re doing can take complete low-level control of the system. They can even replace the firmware with a rogue version.
Fortunately, JTAG ports can be secured, so it’s possible to limit access with a key that’s essentially a secure passphrase stored in the system’s one-time programmable (OTP) memory. Manufacturing boards with a Secure JTAG implementation forces you to make a decision about how to properly generate and manage the access restrictions. Do you use one key for all systems, or do you give each system its own key?
Putting the same key into every system is the easiest way to “manage” this, but it comes at the obvious expense of security. You can manufacture all of your boards easily, without need for per-unit tracking. Once your systems are in the field, technicians may access the Secure JTAG on any device using the same common key. However, if such a shared key becomes known, then the “secure” aspect of Secure JTAG no longer applies.
In addition, the key may slip into public knowledge over time as people who once legitimately had access to the keys, like employees, move on. Replacing the keys if compromised would be a very difficult task, since it would have to be updated on every system everywhere. Even worse, because the key is stored in OTP memory, replacing it may be impossible without significant hardware replacement effort.
It goes without saying that you get better protection if every system has its own Secure JTAG key. The tradeoff is more complex manufacturing, although there’s a well-established flow; you wouldn’t be breaking any new ground. You’ll need to generate a unique key associated with each individual device and track all the keys in a well-protected database.
You’ll also need to use a contract-manufacturer approach that supports building your product with additional security measures in place. This typically involves use of a hardware security module (HSM), a trusted system that can prevent abuse of the keys by, or disclosure of the keys to, the manufacturer. Service technicians will also need protected access to the general key database.
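The shared-key versus per-device-key tradeoff above, modelled as an added example (not Digi's tooling or any real Secure JTAG implementation): a Device stand-in holds its key in OTP, a provisioning step populates the key database either way, and a blast-radius check shows how many units one leaked key opens. The 32-byte key width, the serial-number format and the constant-time comparator are assumptions, not details from the post.

```python
import secrets
import hmac

KEY_BYTES = 32  # assumed key width; real Secure JTAG implementations define their own


class Device:
    """Stand-in for a manufactured board: the Secure JTAG key lives in OTP
    and cannot be rewritten once burned."""

    def __init__(self, serial: str, otp_key: bytes):
        self.serial = serial
        self._otp_key = otp_key  # written once at manufacturing time

    def jtag_unlock(self, presented: bytes) -> bool:
        # Constant-time compare, as a sane unlock comparator should behave.
        return hmac.compare_digest(self._otp_key, presented)


def provision(serials, per_device: bool):
    """Manufacture boards with either one shared key or a fresh random key each.
    Returns (devices, key_database); key_database maps serial -> key and is
    the record that must live in the protected (HSM-backed) database."""
    shared = secrets.token_bytes(KEY_BYTES)
    db = {}
    devices = []
    for serial in serials:
        key = secrets.token_bytes(KEY_BYTES) if per_device else shared
        db[serial] = key
        devices.append(Device(serial, key))
    return devices, db


def technician_unlock(db, device: Device) -> bool:
    """Service path: look up this unit's key in the database and present it."""
    return device.jtag_unlock(db[device.serial])


def blast_radius(devices, leaked_key: bytes) -> int:
    """Number of units a single leaked key can open."""
    return sum(1 for d in devices if d.jtag_unlock(leaked_key))


if __name__ == "__main__":
    # Constructed sample fleet of three serial numbers.
    fleet = ["DIGI-000001", "DIGI-000002", "DIGI-000003"]
    for per_device in (False, True):
        devices, db = provision(fleet, per_device)
        leaked = db[fleet[0]]  # one key escapes
        print(f"per_device={per_device}: one leaked key opens "
              f"{blast_radius(devices, leaked)} of {len(devices)} units")
```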
Whichever approach you choose, as part of Digi’s upcoming TrustFence security framework, Digi provides tools for manufacturing and maintenance, including Secure JTAG.
Mike Rohrmoser is the Director of Product Management for Embedded Systems at Digi International, where he’s responsible for the definition and delivery of Digi’s current embedded product solutions offerings and future direction.