Over the past five years, the financial sector has witnessed a dramatic transformation, driven by innovations like the Unified Payments Interface (UPI), mobile wallets, and digital lending platforms. This rapid digitisation highlights the crucial need for robust security measures, encompassing both hardware and software, to ensure secure transactions and protect the trust and integrity of the digital financial ecosystem. The widespread adoption of these platforms and services has introduced new device form factors, such as payment boxes, which must instantly communicate with banking infrastructure to confirm users' transactions on their mobile phones. It has also required existing devices, such as point of sale (PoS) machines, to support a more comprehensive feature set, such as dynamic QR codes and more interfaces. These new device form factors and features mean a larger attack surface, including hardware-based attack vectors.
While software attack vectors are well understood, knowledge about hardware-based attack vectors (such as side-channel analysis, fault injection, and hardware trojans) is still evolving. Side-channel analysis examines unintended emissions from a product (such as power consumption, electromagnetic radiation, optical emissions, heat, etc.) to understand its inner workings, which may be leveraged to mount a potent attack. In contrast, fault injection involves operating a device for a short duration beyond its operating parameters (such as voltage, clock glitching, electromagnetic radiation, etc.) to alter the operation flow. Hardware attacks, once successful, are challenging to mitigate owing to the significant operational challenges involved in discovering and replacing vulnerable hardware. Some of the hardware attacks that are in the public domain include:
The accessibility of open-source tools like ChipWhisperer and Flipper Zero has lowered the barrier to entry for mounting hardware-based attacks, particularly as many lower-cost microcontrollers powering end devices remain vulnerable. In response, chipset manufacturers increasingly prioritise built-in protections against hardware attacks to fortify device security at a foundational level, bolstering the security posture for running secure software.
Join us at DSCI FINSEC Conclave 2024 to learn more about hardware-specific attacks and novel protections, such as physically unclonable functions, Differential Power Analysis and fault injection countermeasures, and memory safety, that bolster device security at the hardware level.