Hardware security: A vacuum to be filled by Indian startups in the IoT era

A group of researchers at the head office of the Data Security Council of India (DSCI) located in a cosy neighbourhood of Noida are generally busy dissecting various smart devices from an automated table fan to a smartwatch, to name a few. They aim to find out the security vulnerabilities of the chipsets used in these devices.

The arrival of the Internet of things (IoT) has created a scope for new hardware security solutions that could make the ‘smart’ consumer products secure by design. Home automation and smart appliances saw a sharp rise in India during the pandemic. The total number of connected devices jumped to 2 billion in 2021 from around 200 million in 2019. This has given rise to several startups innovating solutions for customisation, analysis, and security assessment of hardware used in consumer products.

“Hardware attacks are more potent, more or less unpatchable, and so difficult to be fixed. For example, if you have a software bug, it is comparatively easier to patch-in with software fixes. It becomes quite expensive even for manufacturers to fix any hardware vulnerabilities,” said Teja Chintalapati, Senior Consultant at DSCI.

Chintalapati works at the team, which is part of the Centre for Hardware Security Entrepreneurship Research and Development (CHERD) – a five-year-long project of DSCI in collaboration with IIT Kharagpur, and IIT Madras. The program is also an incubation and acceleration centre for startups in cybersecurity, funded by the Ministry of Electronics and Information Technology.

“We believe that the best product security should start from the design stage. Security should never be an afterthought,” Chintalapati said.

Payatu, a Pune-based startup helps manufacturers with security assessment for any IoT or embedded device before its launch in the market. Its main offering includes a list of vulnerabilities in the system, which can be leveraged by attackers to gain control of the system. Payatu has over 100 customers across sectors.

“We test healthcare devices, mobile phones, modems, routers, industrial equipment, scooters, or cars. Basically, anything that has a hardware component and also the connected software. Besides this, we are also launching a platform to automate the security testing of the devices. It can analyse hardware, firmware, or radio interfaces of the product before its release,” said Aseem Jakhar, co-founder and director of R&D at Payatu.

The government, with an ambition to reduce reliance on other countries in critical areas has created new use cases for emerging device security startups. Headquartered in Bangalore, Chipspirit develops end-to-end encryption for several government agencies. The team of hundred-odd techies has developed original solutions for network security and offline encryption for USB transfers.

“It is for the server-to-server communication done on an Ethernet cable. Our solution establishes a hardware-based tunnel through which whole data can be transmitted. We are working with the Indian navy and a couple of other ministries on classified products, which need hardware-level encryption. With customised chips, we develop a custom algorithm that contains our proprietary architecture, which cannot be hacked.” Mohan Jindal, CEO, Chipspirit.

However, the hardware security startup ecosystem is still at a nascent stage in India. According to the startup data platform Tracxn, eight startups are working in the hardware security domain, registered in India. At the same time, there was only one funding round in the sector worth $501,000 in the last quarter.

On the other hand, there is a significant interest in the domain from the academic community and researchers. Prof. Debdeeb Mukhopadhyay from IIT Kharagpur 2016 incubated ESP Pvt Ltd. after working in academia for a significant amount of time. The company works at developing side-channel attacks and their corresponding countermeasures.

Mukhopadhyay said, “The aim was to convert some of our findings from academia into actual products. Even if a cryptographic algorithm is mathematically secured, there are several sources of information like timing requirements, power consumptions, the electromagnetic radiations on the device, and the behaviour under faults that can be used by attackers. So we try to simulate such attacks to improve security.”

He added that the startup has launched a solution called ESP Anweshak – a tool for side-channel evaluation. “Our potential customers include R&D units like different agencies as well as hardware design companies. In particular, we are looking at the automotive and power sectors, as the cost of not having security in these areas is too high.”