WIBU-SYSTEMS

Perfection in Protection, Licensing, and Security

It is time for those in the IoT arena to “Up Their Security Game”. Here’s why…

WIBU-SYSTEMS AG
MarketingWIBU-SYSTEMS AG on March 3, 2020 at 3:32 PM

IoT devices have long passed through the “early adopter” phase and should no longer be considered as new or emerging technologies. Such “things” as smart doorbells, smart surveillance cameras, smart coffee makers and even smart toilets have gained wide-spread adoption among consumers worldwide. The promises of more convenience and better use of time have been realized by many of these consumer “things”.

However, there are now enough smart devices in consumer’s homes that we are starting to hear more than a few horror stories about hackers gaining unauthorized access to these devices and causing mischief, if not outright fear. Popular Mechanics reported in a December 16, 2019, article an instance where some sort of racist creep had a verbal exchange with an eight-year-old girl when she noticed the blue light blinking on the security camera installed in her bedroom. (The blinking blue light meant someone was watching her.) The parents were horrified when they replayed the recording of the verbal exchange. Apparently, the hacker was able to access the camera because “non-secure passwords, reused too many times left the security service vulnerable”. Further, it appears this hack was endemic and not the result of user error caused by this little girl’s parents.

As nauseating and troublesome as these stories are, they pale in comparison to what havoc might be wrought if the “thing” hacked is a train traffic sensor… instead of a Ring doorbell or an Alexa microphone.

Asking, or even requiring, users of “things” to change default passwords is a solution for the last decade and is not good security practice for the 2020s. Two-factor authentication and the use of public/private key exchanges are among the technologies that should become mandatory for “things” designed for Healthcare, Smart Cities or any IoT device sold into the manufacturing or public service sectors. Such security technology should be designed into these devices… beginning now.

Marcellus Buchheit, CEO at Wibu-Systems USA, Inc. and a member of the IIC Security Committee’s Trustworthiness Task Group, said the IIC has designated, in a recent report, several technologies mature enough for immediate implementation. They include:

Secure Communications

A secure end-to-end communications protocol stack is required, including as appropriate:

  • Support for extensible authentication protocols with endpoint level non-repudiation or authentication,
  • Support for cryptographically protected endpoint-to-cloud connectivity, when appropriate,
  • Support for cryptographically protected endpoint-to-endpoint connectivity (for example based on standards-based group key PKI for key lifecycle management),
  • Trusted data transport based on secure public-private key pairs (PKI), and use of modern quantum resistant cipher suites.

Cryptographic Services

Comprehensive endpoint security requires proper use and implementation of cryptography across transport protocols (data-in-motion), storage (data-at-rest), and applications (data-in-use). Confidentiality and integrity should be protected with:

  • PKCS standards-based asymmetric and symmetric cipher suites, hashing functions, and random number generators of appropriate strength,
  • NIST/FIPS standards-based validated cryptographic algorithm implementations,
  • Cryptographic algorithm agility with in-field upgrade capability, especially in light of the rise of quantum computing and the expected need to deploy post-quantum cryptography,
  • Dynamically deployed policy-based control of application use of cryptographic functions based on permissible cipher algorithms and suites and
  • Interoperability of cryptographic key types and certificates across multi-vendor systems, as needed to enable secure communications within an ecosystem.

Secure Boot

Secure boot attestation of the firmware (immutable or cryptographically protected bootstrap code executed at power on) and UEFI or U-Boot bootloaders for multi-stage boot may be performed using PKCS standards based cryptographic key hashes.

Root of Trust

Each endpoint contains a Root of Trust (RoT) that forms the basis for the endpoint’s security. For enhanced or critical security levels, the RoT should be implemented in hardware (SLE, SLC).

FURTHER, devices should be designed so that security update patches can happen automatically.

IoT manufacturers need to design several security layers into their devices; not just for market advantage. But because, the reality is, the regulatory climate in many jurisdictions is undergoing changes that will mandate new levels of security compliance. The wise company will be ahead of these regulators.

Login or register now and enjoy all the benefits of a community!

To get the whole functionality of IndustryArena Forum you need to login or register. This process is absolutely free.

Password forgotten?
Contact request
Guest Photo
Your message
The controller within the meaning of Art. 4(7) GDPR is: IndustryArena GmbH, Katzbergstraße 3, 40764 Langenfeld, Germany.
You may reach our data protection officer under [email protected].

Purpose of processing
We process your personal data concerning the use of the contact form and the communication with the company of the newsroom as well as the transmission of your data to this company in accordance to Art. 6 (1a) GDPR. This constitutes a legitimate interest for us in accordance to Art. 6 (1f) GDPR.

Recipient of the data
Within our organization, those units gain access to your data, which are necessary to fulfil the above purposes.
Personal data will only be transmitted to third parties if this is necessary for the aforementioned purposes or if another legal basis exists. If necessary, we conclude the corresponding data protection agreements with third parties, in particular pursuant to Art. 28 GDPR.

Data storing
Your data will be transmitted to the company of the newsroom for further processing. The period of storing is the duration of the processing of your request by the respective company.

Select contact person

Newsroom Logo

Design options

  • Title text color:
  • Content background:
  • Content text color:
  • Navigation background:
  • Tab text color:
  • Active tab text color:
  • Link text color:
  • Active link text color:
  • Background image Background color:

    How do you want to position the background-image?

    Please note: Banners and skyscrapers are only saved for the current language. For other languages, change the language using the button at the top right.

    Set the link for the background image

  • Banner

    How do you like to align the banner?

    Please note: Banners and skyscrapers are only saved for the current language. For other languages, change the language using the button at the top right.

    Set the link for the banner

  • Skyscraper

    Set the link for the skyscraper

Please note:

Banners and skyscrapers are only saved for the current language. For other languages, change the language using the button at the top right.