In The Boardroom Press Room About Us Media Kit Research Reports Contact Us
Boardroom
NXP


In The Boardroom With...

Mr. Sami Nassar
Vice President

Cyber Security Solutions at NXP Semiconductors



SecuritySolutionsWatch.com: Thank you for joining us today, Sami.  Before discussing NXP solutions in greater detail please tell us about your background.

Sami Nassar: I have been in the high-tech industry for over 20 years.  In my current role as Vice President and General Manager at NXP Semicductors, I manage NXP’s cyber security solutions portfolio, which delivers security in devices for the Internet-of-Things, system integrity for industrial networks and privacy for consumers using NXP advanced security technology. Secure element ICs are a key product line at NXP and are a cornerstone to chip and pin/EMV bank cards, government IDs/passports and more recently in mobile payments.  

SecuritySolutionsWatch.com: We understand NXP is closely involved with the FIDO Alliance. Please tell us about FIDO’s mission and NXP’s participation.

Sami Nassar: FIDO's mission is to create a protocol to support an interoperable ecosystem of vendors that develop and deliver products, services and solutions that enable users to use the same “key” across multiple cloud services and devices. Today, reliance on Internet services increases as people move from using the Internet to browse websites to using the Internet for gathering, storing, accessing, and sharing digital information. As the Internet continues to permeate our daily lives and more and more devices connect to the Internet, we need to ensure these devices are protected. 
NXP engaged with FIDO since its inception, starting with the concept of replacing the Username/Password Authentication with Strong Authentication. Originally this concept was created to help Google resolve enterprise security issues, but as work progressed, we realized this solution would be of high interest to the consumer. The idea was to anonymize an Internet user via their physical possession and therefore protect their digital identity.  Security technology, like the secure element IC from NXP, plays a key role in enabling Strong Authentication which links the virtual or Internet world with a physical asset while maintaining privacy. 

SecuritySolutionsWatch.com: Please give us an overview of NXP’s security solutions?

Sami Nassar: For the past 20 years, NXP, and previously Philips, developed security chips, which today are called secure elements. These security chips embody defenses against different types of hacks. They are built as independent units that can be integrated in a variety of applications or systems. Our focus is on developing a solution that provides customers, who do not have in-depth knowledge on security, the ability to integrate a secure element without having to hire an entire team to do so.  We started by creating a building block. This building block creates a unique, non-clonable feature that can prove its authenticity at any time. This feature was initially found of great value to banking cards, which clearly shouldn’t be replicated, cloned or faked. This building block then moved into other applications like IDs and passports and more recently into mobile payments. We view this same building block as an essential element in a networked environment where you need to know exactly who or what you are talking to. Proving authenticity is enough, without having to provide the details of the identity of the authentic end point. Now, you can have different widgets in a network that are able to assert their authenticity and role in the network without saying who is the owner and therefore also maintaining privacy of that owner.  

For example with the smart grid you have to make sure all meters are authentic and provide the right information. Today with the use of green energy like solar or wind power, a system needs to be dynamic to compensate for changes like a large cloud or lack of wind so it can continue to aggregate data and manage the flow of energy between transformers. A compromised meter can interrupt the flow of energy and potentially blow up a transformer – if you blow up enough transformers you can end up with a city in the dark. So the integrity of a meter in a system is very important. This can happen with any command and control network like an oil field, nuclear power plant, and so on. 

Another example is what we are doing with FIDO. Today an Internet user registers conveniently for a service with a username and password. The weakness however, is that the username and password can be stolen at any time and could be used to access your other services without your knowledge. One way to secure your private data is to have a unique physical key, that way, you would immediately know if it were stolen and you could immediately deregister its access. That unique key can be a USB key, car key, Bluetooth dongle, smartphone or any other asset you want to use to access your services. In FIDO, we enable you to have one key to access as many services as you want, so the same key for email, stocks, etc. And then more importantly you can have the same key to access multiple devices. For example you can access your streaming media from your car, phone and computer using the same key.

SecuritySolutionsWatch.com: How has password authentication proven insecure?

Sami Nassar: Today, many techniques exist to steal a username and password and the problem is aggravated by the fact that people use the same username and password or a derivative of it across many services. So as a hacker all you have to do is break into the weakest system, steal the database, then try out the username/password with other services. There is a high likelihood you would be able to break into some other online service. The other problem is that once a username/password is stolen the user doesn’t immediately know they have to fix it. Once they do figure it out and they go to change the username/password, you can create more vulnerability because there is the possibility that that is exactly what the hacker was waiting for so they could steal your new credentials.  There are many tools that exist today in the hacker community to steal a users’ username/password and this is amplified by the weaknesses discovered in OpenSSL and other communication protocols. 

SecuritySolutionsWatch.com: It seems to us, Sami, that the threat environment has never been more challenging...with constant threats on the one hand and tight budgets + legacy systems on the other hand. What is your perspective on the unique value proposition that NXP delivers in this environment?

Sami Nassar: The challenge is being able to leverage existing infrastructure and meanwhile ensure security. We believe the best way to do this is by adding an independent component like a secure element to the different points on the network. Going forward, we need to have security by design. Today, if security of different points on a network isn’t managed by a secure element, security is likely being done in software which introduces issues like who wrote the software, where is it from? Sometimes, when you run the software you can have a fault attack or break in to happen. Authenticating the points on the network could prevent such issues. 

SecuritySolutionsWatch.com:  Are there any particular success stories, “wins” or customer voices you would like to talk about?

Sami Nassar: The most recent growth in use of secure elements is with the smartphone platform. This powerful platform has enabled us to do more things like payment and access. As reliance on the phone continues, FIDO can use its protocol to move toward more security in the Internet of Things. We have several customers using a secure element for door locks, or IP cameras which seem more sensitive than other IoT end nodes right now. Providing secure logical access will create a safer Internet for everyone.

SecuritySolutionsWatch.com: Thanks again for joining us today, Sami.  Are there any other subjects you would like to discuss?

Sami Nassar: I think the most important advancement for the future is how to link the physical world with the virtual or digital world. For example, governments are struggling with how to protect their enterprises and populations because they don’t know how to manage digital identities. The rules of the road in the physical world are clear by borders, laws and governing bodies. In order to ensure the digital universe grows, we need to ensure some governance.