Skip to Content

Hope in Hardware

Since it’s so hard to analyze the security of ever-changing software configurations (see “Measuring Security”), many researchers are pursuing hardware-based security. They believe that hardware can be made simpler than software, is easier to verify, and is harder to hack once it’s deployed.

One example of this strategy is the use of smart cards and USB tokens as an alternative to usernames and passwords. The U.S. Department of Defense uses such methods to control access to sensitive websites and to digitally sign and encrypt e-mail. Another approach is the Trusted Platform Module (TPM), a fingernail-­size microchip that can be built into computers. An advantage of TPM is that the chips are already in many laptop and desktop computers, as well as in game consoles such as the Xbox 360. The modules give each of these systems an unforgeable serial number and a secure place to store digital cryptographic keys, which can then be used instead of passwords.

Unlike smart cards and USB tokens, TPMs can also be used for something called “remote attestation,” which lets a computer prove to another that its operating system hasn’t been modified by a third party. And since TPMs are already widely deployed, they represent the best immediate hope for hardware-based security.

Unfortunately, relatively few applications take advantage of these modules, but people in both industry and academia are looking to change that. For example, MIT professor Srini Devadas and his students have shown how TPM microchips can improve security without requiring the operating system to be secure–an important step forward, since today’s operating systems are too complex to be secured completely. Such a system might make online banking safer for consumers, for example. And last year researchers from the Technical University Munich in Germany showed how to use the modules with OpenID, an authentication protocol increasingly used by blogs and many of the smaller social-networking websites.

It takes a significant effort to crack the chips, as Christopher Tarnovsky, a former U.S. Army computer security specialist, demonstrated in February. By dissolving the chip’s outer casing with acid, removing a protective inner mesh with rust remover, and tapping the communications channels with tiny needles, Tarnovsky was able to force a module to release its secret information. Such an attack might let someone who had stolen a laptop unlock remote websites or pose as the laptop’s owner, but fortunately, it would be impractical to do this on a large scale.

Keep Reading

Most Popular

individual aging affects covid outcomes concept
individual aging affects covid outcomes concept

Anti-aging drugs are being tested as a way to treat covid

Drugs that rejuvenate our immune systems and make us biologically younger could help protect us from the disease’s worst effects.

close up of baby with a bottle
close up of baby with a bottle

The baby formula shortage has birthed a shady online marketplace

Desperate parents just want to feed their babies. They’re having to contend with misinformation, price gouging, and scams along the way.

"Olive Garden" NFTs concept
"Olive Garden" NFTs concept

I tried to buy an Olive Garden NFT. All I got was heartburn.

Our newest issue spells out what you need to know about the dizzying world of digital money.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.