When most people hear the term “counterfeiting,” their knee-jerk reaction is to think of currency, the counterfeiting of which is as old as the concept of money itself. Around 400 BC, for example, metal coins in Greece were often counterfeited by covering a cheap-and-cheerful material with a thin layer of a more precious metal.
Or take the original American colonies. Throughout northeastern America, Native Americans would employ shell beads known as wampum as a form of currency. White shells came from quahog (a large, rounded edible clam found on the Atlantic coast of North America), while blueish/purplish-black shells came from certain types of whelks (sea snails). Since the blueish/purplish-black shells were rarer, they were perceived as having a higher value. It wasn’t long before wayward traders started dipping white shells in a blueish/purplish-black dye and passing them off as the more expensive items.
In reality, counterfeiting has probably been practiced as long as people have been able to articulate something along the lines of: “Of course this isn’t a common long-haired sheep — it’s an extremely rare cross between an Arapawa, a Beltex, a Najdi, and a Zwartbles — it’s the only one of its kind — almost a family heirloom — I couldn’t possibly accept anything less than two cows and three goats for this little beauty!”
The higher the stakes, the greater the incentive to counterfeit something. Even if I won the lottery, I’d be reluctant to invest in a hitherto undocumented early rendition of the Mona Lisa that someone I met on my travels claimed to have found in his attic, for example. On the bright side, when I was young, counterfeiting was not too much of a problem for people in our circle and circumstance. Although we were a happy bunch, my family didn’t have a lot of money, and what we did have left over as disposable cash we mostly spend on food at the local greengrocer, butcher, and fishmonger (when that man monged a fish, it knew it had been monged, by golly). Unless your audience is overly susceptible, or you are a virtuoso at sleight-of-hand, it’s a tad tricky to pass off a cluster of carrots as a passel of parsnips, for example.
Like most of us, as I’ve grown older, I’ve been exposed to counterfeit products. Once, whilst ambling around in Hong Kong circa the mid-1980s, I was approached in the street by someone asking if I was interested in purchasing a genuine fake Rolex. I wasn’t, but I had to admire the “genuine fake” portion of the portrayal. A few years later, while presenting a paper in Singapore, a friend took me to a small backstreet shop he knew, where he said I could purchase some cheap jeans. After I’d found a couple of pairs I liked, I took them to the checkout, which was comprised of a little old man sitting on a stool next to a wooden desk upon which resided a cash machine and a sewing machine. When this wizened gentleman asked me what sort of jeans I preferred, I assumed he was just making polite conversation and I responded that I was partial to Levi 501s. He immediately whipped open a drawer under the counter, removed two Levi 501 labels from one of numerous compartments, and sewed them into the jeans before I could think of anything to say (which isn’t like me).
As an aside, my grandfather was part of the team that charted Singapore Harbor using rowing boats, surveying equipment, and weighted lines (to measure the depth of the water), and he was also in the party that charted Borneo to create the first credible map of the area (see also The Times They Are a-Changin’). I wonder what he would have thought if he’d been informed that his favorite grandson would one day be strolling the streets of Singapore clad in counterfeit jeans, but we digress…
Amusing (or rambling) stories aside, counterfeit products can produce very bad outcomes. One aspect of this is to impact a company’s revenue stream and damage that company’s reputation. Earlier, I noted that “The higher the stakes, the greater the incentive to counterfeit something,” and I mentioned the Mona Lisa as an example, but — rather than counterfeit one incredibly expensive item — counterfeiters are also more than happy to generate fakes of large numbers of lower-priced articles.
Take printer ink cartridges, for example. If you purchase a half-price unit from a shady-looking man in a bar, and that unit’s package flaunts a skull-and-crossbones accompanied by a legend along the lines of “Weasel & Sons, Purveyors of Printer Ink to the Aristocracy,” then you will probably accept your part in any ensuing fiasco should things go pear-shaped. On the other hand, if you visit a reputable store and purchase a full-cost printer cartridge that purports to have been produced by HP (I use this company as an example only because this happens to reflect the printer on my desk), and if that cartridge is counterfeit and contains sub-standard ink, and if that sub-standard ink ends up “gumming up the works,” as it were, then — if you honestly believe that the cartridge is an HP original — your impression of that company will be negatively impacted, which may cause you to express your contempt to your companions, and which may well have long-term ramifications with regard to any future purchases on your part.
And, of course, things can get much, much worse. We could be talking about anything from counterfeit water filter cartridges that don’t perform the desired filtration functions or that allow pathogens to grow inside them, to counterfeit inhaler cartridges that contain too much or too little (or none at all) of the active ingredients, thereby impacting the user’s health, to counterfeit chargers that may under-charge or over-charge devices like smartphones and tablet computers with the potential of some part of the system spontaneously combusting.
Sometimes I fear that there are so many bad guys doing so many bad things that the rest of us don’t have a chance. And then I see a little flicker of light that gives me hope. For example, I was just chatting with Timo Grassmann (IFAG CSS ESS DA APK) from Infineon (I dare to counter Timo’s over-enthusiastic surfeit of qualifications with my own GMMS — “Grand Master of the Mystic Sprout”).
Described as a “Best-in-class, anti-counterfeit turnkey solution, combining enhanced device authentication with unprecedented levels of configuration flexibility,” OPTIGA Authenticate IDoT is comprised of both hardware and software elements. First, we have a small hardware chip containing a private cryptographic key that will reside in the consumable portion of the product (printer ink cartridge, inhaler cartridge, water filter cartridge, etc.).
OPTIGA Authenticate IDoT chip (Image source: Infineon)
Happily, this image is not to scale, otherwise we would need substantially larger pockets to hold our inhalers. In reality, this little scamp is just 1.5 x 1.5 x 0.38 mm in size, boasts 8kV IEC61000-4-2 ESD protection, and is available in a variety of temperature options (-40 to +85°C, -40 to +105°C, and -40 to +120°C).
In addition to a unique 96-bit identifier (UID), these little beauties support 163-bit key Elliptic Curve Cryptography (ECC), four integrated lifecycle counters with independent End-of-Life (EoL) structures, options for 1Kbit, 2Kbit, and 5Kbit Secure Lockable non-volatile memory (NVM), and two serial communication options (SWI and I2C + GPO).
The keys, counter values, and other software elements are preloaded into the chips before they leave the factory. With regard to the counters, these can be used for a variety of tasks, such as limiting the number of times a water filter can be used, for example. The reason for maintaining the counters in the chips rather than on the host system is in case the consumable portion of the product is moved from one host to another.
The IDoT chip is going to set the security world on fire (Image source: Infineon)
And, speaking of the host system, this is where the software containing the corresponding public cryptographic key resides. Every time the user attempts to access the product, the host system sends a challenge to the chip in the consumable portion of the product. If the chip responds appropriately and passes the test, everything works as expected; otherwise, the host informs the user that the consumable portion of the product is not to be trusted or employed.
The host system works with any microcontroller. Infineon provides a C library that you can use as the basis to implement whatever additional functionality you require, such as limiting the number of times the consumable portion of the product can be used or what to do if a counterfeit product is detected, for example.
To be honest, I long for a simpler life and a simpler world where we could all just get along and trust each other. A world without passwords and security certificates and cryptographic keys. A world in which we could happily create fun and interesting devices and connect them to the IoT without fear that some nefarious scoundrel might take them over and use them to our disadvantage. However, since we don’t live in such a world, we do need some way to verify and validate the identity of things (IDoT), so Infineon’s OPTIGA Authenticate IDoT is a very welcome addition to the party. How about you? Do you have any thoughts you’d care to share about any of this?