Since it’s so hard to analyze the security of ever-changing software configurations (see “Measuring Security”), many researchers are pursuing hardware-based security. They believe that hardware can be made simpler than software, is easier to verify, and is harder to hack once it’s deployed.
One example of this strategy is the use of smart cards and USB tokens as an alternative to usernames and passwords. The U.S. Department of Defense uses such methods to control access to sensitive websites and to digitally sign and encrypt e-mail. Another approach is the Trusted Platform Module (TPM), a fingernail-size microchip that can be built into computers. An advantage of TPM is that the chips are already in many laptop and desktop computers, as well as in game consoles such as the Xbox 360. The modules give each of these systems an unforgeable serial number and a secure place to store digital cryptographic keys, which can then be used instead of passwords.
Unlike smart cards and USB tokens, TPMs can also be used for something called “remote attestation,” which lets a computer prove to another that its operating system hasn’t been modified by a third party. And since TPMs are already widely deployed, they represent the best immediate hope for hardware-based security.
Unfortunately, relatively few applications take advantage of these modules, but people in both industry and academia are looking to change that. For example, MIT professor Srini Devadas and his students have shown how TPM microchips can improve security without requiring the operating system to be secure–an important step forward, since today’s operating systems are too complex to be secured completely. Such a system might make online banking safer for consumers, for example. And last year researchers from the Technical University Munich in Germany showed how to use the modules with OpenID, an authentication protocol increasingly used by blogs and many of the smaller social-networking websites.
It takes a significant effort to crack the chips, as Christopher Tarnovsky, a former U.S. Army computer security specialist, demonstrated in February. By dissolving the chip’s outer casing with acid, removing a protective inner mesh with rust remover, and tapping the communications channels with tiny needles, Tarnovsky was able to force a module to release its secret information. Such an attack might let someone who had stolen a laptop unlock remote websites or pose as the laptop’s owner, but fortunately, it would be impractical to do this on a large scale.
How Facebook and Google fund global misinformation
The tech giants are paying millions of dollars to the operators of clickbait pages, bankrolling the deterioration of information ecosystems around the world.
This new startup has built a record-breaking 256-qubit quantum computer
QuEra Computing, launched by physicists at Harvard and MIT, is trying a different quantum approach to tackle impossibly hard computational tasks.
This scientist now believes covid started in Wuhan’s wet market. Here’s why.
How a veteran virologist found fresh evidence to back up the theory that covid jumped from animals to humans in a notorious Chinese market—rather than emerged from a lab leak.
DeepMind says it will release the structure of every protein known to science
The company has already used its protein-folding AI, AlphaFold, to generate structures for the human proteome, as well as yeast, fruit flies, mice, and more.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.