In-circuit programmer secures production with remote contract manufacturers

March 17, 2017 // By Graham Prophet
Segger’s Flasher Secure offers a means of programming production runs when the manufacture is contracted to a remote site. The programmer is designed to be issued to the manufacturing site.

Concerns around contracted-out manufacture include protection of the IP that is to be loaded into the end-product; ensuring that only the specified number of products are built, with no “grey” production copies; and eliminating the possibility of counterfeit components finding their way into the production run.


Flasher Secure controls IP and the production volume. To prevent counterfeit devices, the Flasher reads out a unique ID from the system it is going to program. This ID is sent to a server that is under physical control of the IP owner. This server validates the ID and determines whether a programming run is allowed.


If the run is allowed, a signature is generated for the device. The signature is sent back to the Flasher, which stores it inside the target device it programs. This method of secure programming is also in the best interest of the CM. The CM can now boast that the production floor will protect the customer's IP.


Firmware running on the system, or an external application communicating with the system, can now verify that the system is genuine. With an additional signature for the firmware, the bootloader in the system can also verify that the firmware is genuine and unmodified. If any of the above verification steps fails, the device stops working. As each signature is unique for each device, it is not possible to create a non-approved system by simply copying the firmware.


The signature generation uses a proven asymmetric algorithm where the private key is not accessible by anyone but the IP owner. This prevents attackers from forging a signature for a given ID. All communication between Flasher and server is encrypted and authenticated by a secure SSL/TLS connection to prevent unauthorized access. All actions are logged and accessible through an administration interface to provide as much transparency to the IP owner as possible.
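The flow described above, sketched as an added example (not Segger's code or API): a server that validates a device ID, enforces the production volume and returns a per-device signature, plus the check a device would run. Ed25519, the allow-list of IDs, the free re-programming of an already counted unit and all type and function names are assumptions; the article names no algorithm or validation method.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Server stands in for the IP owner's signing server (hypothetical type).
type Server struct {
	priv          ed25519.PrivateKey // never leaves the IP owner
	known, signed map[string]bool    // assumed allow-list of IDs; IDs already counted
	quota         int                // units still allowed in this production run
}

var ErrDenied = errors.New("programming run denied")

// NewServer makes a key pair; the returned public key is what firmware would embed.
func NewServer(quota int, ids ...string) (*Server, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	s := &Server{priv: priv, known: map[string]bool{}, signed: map[string]bool{}, quota: quota}
	for _, id := range ids {
		s.known[id] = true
	}
	return s, pub
}

// Authorize validates the ID, enforces the volume limit and signs the ID.
func (s *Server) Authorize(id string) ([]byte, error) {
	if !s.known[id] || (!s.signed[id] && s.quota == 0) {
		return nil, ErrDenied // unknown part, or the run is already complete
	}
	if !s.signed[id] { // re-programming a counted unit costs no quota
		s.signed[id], s.quota = true, s.quota-1
	}
	return ed25519.Sign(s.priv, []byte(id)), nil
}

// VerifyDevice is the check a device runs on the ID read from its own hardware.
func VerifyDevice(pub ed25519.PublicKey, id string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(id), sig)
}

func main() {
	s, pub := NewServer(1, "UID-0001", "UID-0002") // constructed sample IDs
	sig, err := s.Authorize("UID-0001")
	fmt.Println(err, VerifyDevice(pub, "UID-0001", sig), VerifyDevice(pub, "UID-0002", sig))
}
```

Because the signature covers the device's own ID, a signature copied together with the firmware onto a second unit fails verification there, and a request beyond the agreed volume is refused before any signature exists.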


Any attempt to compromise the Flasher Secure itself