Can Chip Fingerprinting Secure IoT Devices Against Malware?

Researchers in Japan have developed a way to uniquely identify Internet of Things devices: creating a "fingerprint" based on subtle variations in chip composition.
Researchers in Japan have developed a way to uniquely identify Internet of Things devices: creating a “fingerprint” based on subtle variations in chip composition.

In-brief: Researchers in Japan have developed a way to uniquely identify Internet of Things devices: creating a “fingerprint” based on subtle variations in chip composition, according to a report in IEEE Spectrum.


No two fingerprints are the same. So too microchips, according to IEEE Spectrum, which writes about a new way to uniquely identify processor chips that could be used to provide security on the Internet of Things.

According to this article, Mitsubishi Electric, Ritsumeikan University, and the Japan Science and Technology Agency have developed a security scheme that can be used to identify individual logic chips by their “fingerprints:” slightly variations in the chemicals and other materials used during the chip fabrication process.

From the article:

Amounts of dopant chemicals or other materials added during the fabrication process.  These differences produce random glitches or signal variations, though without affecting the computed results.

To create a unique ID, researchers applied a series of four, predefined 32-bit input signals to portions of the chip’s circuitry. Each of these generates a 32-bit string of 0s and 1s based on the counted glitches. An embedded algorithm then combines the four results to produce a unique 128-bit number string, which is placed in the chip’s register when the power is turned on.

The researchers say the method could support 4,096 bits – more than enough entropy to support even the huge Internet of Things, which is predicted will swell to over 50 billion devices by the end of the decade, by one estimate. According to the article, just 80 bit IDs could cover 100 billion different devices.

The IDs could be deployed to prevent malware infections from spreading between distributed IoT devices. In essence, the unique ID would function as a kind of private key, encrypting and decrypting information in conjunction with a shared (public) key.

Unlike existing PKI schemes, however, the ID is only activated when the chip is running, making it impossible to do offline, reverse engineering.

Mitsubishi will deploy the technology first in its own products starting in April 2016, targeting areas like factory automation, the auto industry, billing systems, and critical IoT devices, IEEE Spectrum reports.

Comments are closed.