top | item 30312571


PhantomGremlin | 4 years ago

There's probably a market for a sub $1 "smart chip" that can be added to a design. Something that can be factory programmed with a unique serial number. To keep from being cloned, verification operation wouldn't be as simple as reading out the number. Instead, the chip would respond with some sort of hash. Similar to how Apple secures their SOCs.

The security wouldn't need to be perfect. Even something simple would be sufficient to deter an unscrupulous reseller.


genmud | 4 years ago

There are a bunch of options out there for doing this. Many ICs have built-in key storage, but there are a few that are separate. There are some pros to using on-micro key management, but one of the big cons is that many times the auth can be bypassed if you can overwrite or glitch the firmware.

If I were concerned about counterfeit things, in an application like this, you would pre-program each one with a unique key and everything would be tied to it. Firmware upgrades need to be validated; to download, you would need the key, run the software, the key needs to sign something back… etc.

https://www.microchip.com/en-us/product/ATSHA204A

myself248 | 4 years ago

https://octopart.com/atsha204a-sshda-t-microchip-77761819?r=...

But the original would have to see it coming and put this in the design, AND maintain a registry of all the valid chip serials. No hobbyist wants that headache.

triactual | 4 years ago

What if I buy one real device and clone the serial number? This was solved more than a decade ago, but it requires hardware with secure storage to maintain a private key. Some centralized service holds the public key and can verify the device by asking it to sign something with the private key. This is basically every cell phone, quality IoT device, etc. The private key is installed in the factory, maybe provided by a secure connection back to the centralized service. Hardware features lock that key in place, preventing it from being read out without a ton of work (connections are literally burned open with overcurrent inside the IC).

Since the key is unique to the device, it can easily be disavowed in the central database if a device does become compromised. Anything less than this is probably a few hours from being completely broken. And this scheme can be broken by non-state actors, especially if the private key storage is naively or poorly implemented. Many MCUs have multiple levels of readout protection and it can be easy to misconfigure. A single mistake in memory mapping could expose information on external interfaces. And then you’re trying to do all of this in China, on the cheap. Pack a lunch.
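A model of the challenge-response check PhantomGremlin sketches and the per-device key plus revocation registry triactual describes, added here as an illustration rather than code from the thread or from any real chip such as the ATSHA204A (which it simplifies). The vendor master key, serial and the clone's sniffed response are constructed placeholders.

```python
import hmac
import hashlib
import os

# Constructed placeholder values, not real keys or serials from any product.
VENDOR_MASTER_KEY = b"example-vendor-master-key-not-real"
GENUINE_SERIAL = b"SN-0001"


def derive_device_key(master_key: bytes, serial: bytes) -> bytes:
    """Per-device key: a key pulled out of one chip does not unlock the fleet."""
    return hmac.new(master_key, b"device-key|" + serial, hashlib.sha256).digest()


class AuthChip:
    """Models the factory-programmed chip: the key never leaves it, only MACs do."""

    def __init__(self, serial: bytes, device_key: bytes) -> None:
        self.serial = serial      # readable by anyone, like a printed serial
        self._key = device_key    # write-once, locked inside the chip

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.serial + challenge, hashlib.sha256).digest()


class ClonedChip:
    """A counterfeit that copied the readable serial and one sniffed response."""

    def __init__(self, serial: bytes, sniffed_response: bytes) -> None:
        self.serial = serial
        self._replay = sniffed_response

    def respond(self, challenge: bytes) -> bytes:
        return self._replay   # has no key, so it can only replay what it saw


class Verifier:
    """Vendor-side check: fresh random challenge plus a registry of revoked serials."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key
        self.revoked = set()

    def verify(self, chip) -> bool:
        if chip.serial in self.revoked:
            return False          # compromised device was disavowed centrally
        challenge = os.urandom(32)   # fresh per check, so a captured answer is useless
        expected = hmac.new(derive_device_key(self._master, chip.serial),
                            chip.serial + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, chip.respond(challenge))
```

The clone fails because the verifier never asks the same question twice, and a genuine chip fails once its serial is revoked; a real deployment still has to protect the master key and the chip's key storage, which is the part triactual warns is easy to get wrong.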

andi999 | 4 years ago

$1 in component price is like $4 in device sales price. It needs more to be in the 5 cents range.

buescher | 4 years ago

They make ‘em for secure key storage. The kind of DRM scheme you’re describing, though, is not going to be too challenging to subvert for someone who’s already willing to use any of a number of methods to have firmware read off a protected chip.

R0b0t1 | 4 years ago

It's not DRM but a serial or secret registry. It allows you to voluntarily check the product you've received against a known list of vendor-produced products, so you can detect a counterfeit.

With the customer as a willing participant such things are hard to subvert.

GrumpyYoungMan | 4 years ago

There are inexpensive RFID tags with anti-counterfeiting features meant for retail goods, since that's become an increasing problem. They're primarily intended for retailer use since ordinary people don't have an RFID reader, but since RFID readers are getting cheaper all the time, there is talk about consumers being able to authenticate their goods as well sometime in the future.

rsaxvc | 4 years ago

One challenge: authenticity checks need to be done end-to-end (wherever that end may be).

If you had such a chip, who would check it for authenticity? That check would need to be well secured, so likely not the ARM firmware on the nanovna itself.

Possibly not nanoVNA-saver: the unscrupulous supplier might just include an unlabeled CDR with patched software.

R0b0t1 | 4 years ago

They have this, people just don't use them. A lot of MCUs have the functionality built in now.