Improving IoT security at the point of manufacture
By Ian Murphy
IoT device security, or to be more accurate the lack of security, is an ongoing and increasing problem. From consumer tech to industrial sensors, IoT devices are manufactured by the tens or even hundreds of millions each year. Far too many have either no built-in security or come with default credentials that are commonly available on the Internet.
Sectigo and Infineon have announced a new approach to deal with this problem. The plan is to use a mix of hardware Trusted Platform Module (TPM) chips and security certificates. The goal is to ensure that the devices are secure when they ship from the factory.
How will this work?
Each IoT enabled component is equipped with a TPM chip. The TP chip provides secure key storage which means that once a certificate is added, it is protected from current known attacks. It will increase trust in IoT devices, especially those that are used in sensitive locations. One of the advantages that both companies see is the ability to track a device through the supply chain. It reduces the risk of substitution with counterfeit devices. It will enable dealerships, retailers and support engineers to verify components at any point in time.
This approach has particular relevance in the case of connected vehicles. By being able to verify the security certificate, a device can be installed and trusted by the on-board security system. It means that there is less risk of installing security compromised devices. The same is true in other sensitive markets such as used aircraft parts. It is a market where there is ongoing fraud and counterfeiting of components leading to safety issues.
It is not clear is how certificates will be managed. Certificates typically have a limited life. They need updating. This is normally done via an Internet connection. The two companies may be looking at how to do this via a service centre.
Most people encounter the problem of expired certificates when a website has forgotten to renew its certificate. Browsers warn that certificates have expired and often prevent connection to them. If that happens with a component in a vehicle, for example, it could prevent the vehicle from operating.
Enterprise Times: What does this mean?
Anything that raises the security around IoT devices is to be widely welcomed. However, it is important to realise that the number of devices that this deal covers is likely very small compared to the number of IoT devices shipped every year. What is required now is for the two companies to prove the technology, including the conditions and processes for updating certificates.
It is also important that they demonstrate that the process is immune to fraud. We have seen multiple instances where security certificates were issued to cybercriminals and then misused.
If this can be proven to be practical, adaptable and workable in a broader context, we might have the beginnings of a mainstream solution to fixing IoT, at least in some markets.