Session
Physical Cyber Authentication (PCA) and engineless PUF
Physical AI has been a hot topic in recent years: an AI autonomously operates a physical node equipped with sensors and actuators to collect data for its own learning. A physical node is generally hardware such as industrial machines, self-driving vehicles, autonomous robots and drones, smartphones, or any kind of connected computer. A large physical system is composed not only of sensors and actuators but also of data acquisition systems, processors, communication devices for wireless and/or wired communication inside and outside the node, and so on. All of these are regarded as IoT devices, or simply “devices”. In other words, a physical AI contains a small IoT network managed by the AI. If a physical AI communicates with another physical AI, or with a system containing many IoT devices such as a factory, hospital, or transportation system, the total IoT system expands to manage all the IoT devices across a huge number of physical nodes. Some of those IoT devices may be vulnerable.
On the other hand, AI is recognized as a strong tool for attackers, who can use it to find an easy path to a target through devices or accounts with security vulnerabilities. Cyber defenders can also use strong AI to find vulnerable devices or accounts in the network they defend before an attacker finds them. But it is a 50-50 match. I want to give a great advantage to the defender.
The worst case for defenders is that a vulnerable account or device has been spoofed but the defender cannot discover the impersonation. Such devices or accounts are routinely abused. The following are indispensable:
1) to discover spoofing at as early a stage of the attack as possible (Stop Spoofing)
2) to build a firewall within which we can trust that there are no spoofed devices (Hardware Firewall)
3) to change the security codes of all devices inside the firewall remotely, easily and securely, whenever necessary (Resilient IoT)
Consider carefully that the AI of both attacker and defender shares a common weak point. Since AI is inherently software, it can trace which account collected, processed, and input data to it, but without external support it cannot trace which device did so. Although physical AI is the hottest topic recently, AI may expose such essential weaknesses. We propose a method that grants a great advantage to the defender by resolving this weak point.
The solution can start with protection against session spoofing. For this, it is well known that device identification using a physically unclonable function (PUF) is indispensable. However, it is also well known that PUF implementation is a problem, because the existing PUF solutions are all based on a specially designed system on chip (SoC). The existing problem for device identification is, therefore, the cost and supply volume of specially designed SoCs. High-end IoT devices can be fitted with a PUF, but the others cannot. This leaves many vulnerable devices without a PUF in the IoT network. An attacker’s AI can discover such vulnerable devices, and the attacker can then use the discovered path to easily reach a target.
Our proposal is a new type of PUF that does not use a specially designed SoC: the engineless PUF. Our engineless PUF is quite stable under environmental change (-40°C to 105°C), with a zero bit error rate for more than 10 years. We call the usage model of the engineless PUF Physical Cyber Authentication (PCA). With it, we can resolve the problem of session spoofing and perform automatic client (device) certification and easy replacement of the security codes of all devices whenever necessary. The last of these is indispensable for building a resilient IoT network. We review the existing PUFs and the engineless PUF, and then discuss how to apply PCA using several examples. We also briefly show a proof of concept of the engineless PUF.
Hiroshi Watanabe
professor, National Yang Ming Chiao Tung University
Hsinchu, Taiwan