Embedded World 2017 – IoT coming of age.

by Cesare Garlati – Chief Security Strategist, prpl Foundation

Last week I had the pleasure of attending Embedded World 2017 in Germany as I was invited to give a couple of presentations on the pioneering work we have been doing at the prpl Foundation with regards to the prplHypervisor™ and prplPUF™ APIs for securing IoT. As it turns out, IoT was the top line at the conference that drew in more than 30,000 trade visitors – and the event solidified the notion that embedded computing is now synonymous with IoT.

IoT Security: Pushing the boundaries of resource constrained devices

The main theme running throughout was the challenge of pushing resource constrained devices to the limits. From a tech provider’s perspective, this was the most pervasive, well-defined issue being tackled at the show – how do we push the capabilities when it comes to functionality and security in low power devices with limited memory and minimal CPU resources?

With IoT, applying security technology after the fact or using encryption as used in a traditional security model is simply not an option in devices that don’t have the battery power, memory or CPU to support such measures, much less being able to afford the expense when the device itself costs so little. Yet, the fact that these are physical devices makes them so much more dangerous to human life and therefore the security should be taken just as seriously as that of a data centre.

Open Source as (one) answer

The answer for much of these basic security questions meant that more and more vendors are adopting – or seriously considering – the use of open source software. Though not everyone was aligned with the true value of open source, some even felt opportunistic, it was encouraging that the message of using open source, with all the extra eyes on it, is getting through.

Having said that, and knowing that open source software is notoriously more resilient than proprietary, closed source software – it does have its issues that vendors and manufacturers need to be aware of. Namely, though it is open and freely available, open source is not free. Yes, there is no licensing fee, but that is not to say it doesn’t come with the expenses of developing expertise, ensuring the organisation using it has the right liability cover, maintenance and working with open source communities to get the best out of it. As with anything in life, using open source requires upkeep to get the most from it.

In silicon we trust

Using open source protocols to get the basics right in IoT means that embedded devices can truly be interoperable with each other. What stops this from being a security risk is trust. The other element I discussed and which received over an hour of questions from the audience was the prplPUF™ API, the Physical Unclonable Funtions implementation of the prplSecurity™framework. I think everyone can agree that we’ve established that embedding secrets in a device is just not a good idea – and if you need proof, look no further than the Vault 7 revelations; not even the CIA can hide such secrets. Instead, what if you could extract a unique identifier from the silicon itself, something that is exclusive and repeatable and unable to be cloned?

This could have all sorts of applications for improving and strengthening security in embedded devices and the real genius of it is that it’s something that already exists with in the hardware itself – much like a digital fingerprint.

By using the prpl platform which combines open source with the use of a light-weight hypervisor for security by separation and PUF to establish trust in embedded systems, we’re looking at a much safer future for IoT.

 *   *   *

For more information or to get involved in the groundbreaking work prpl is doing with improving embedded computing security, visit us at http://prpl.works or contact me directly at @CesareGarlati

RSA Conference 2016 – A New Hardware-Based Approach to Secure the Internet of Things

Live Demo: A New Hardware-Based Approach to Secure the Internet of Things
RSA Conference 2016 – Abu Dhabi
November 16, 2016 | 11.20 – 12.10 hrs | Level 1 | Room: Etihad Ballroom 2

rsa-2016-garlati-clip

 

Quick look – This session will address four key elements that have introduced serious weaknesses into the IoT: proprietary systems, connectivity, unsigned firmware and lateral movement. Discussion will showcase a new approach to IoT security demonstrating how SoC virtualization and security through separation can address these vulnerabilities, which have already been shown to have potentially life-threatening consequences.

From hospitals dispensing life-saving drugs, to connected cars – embedded computing is transforming the way we live and work. But underlying weaknesses have introduced potentially life-threatening vulnerabilities into the Internet of Things.

Continue reading

The Internet of Things: Life-changing tech or a disaster waiting to happen?

Reposting from Tech City News NOV 02, 2016 http://techcitynews.com/2016/11/02/the-internet-of-things-life-changing-tech-or-a-disaster-waiting-to-happen/

By Cesare Garlati, chief security strategist at the prpl Foundation, an organisation working to make the IoT safer, explains how startups can get IoT security right to avoid being subjected to harm.

miraiThe Internet of Things (IoT) is exciting new territory for many startups and innovative companies looking to push boundaries and connect even the smallest devices to attempt to simplify and enhance our lives. But the security of these devices is fundamentally flawed for a number of reasons.

Continue reading

Automotive security: pen-testing is no replacement for sound product development

automotive-testingReposting from Automotive Testing Technology International

http://www.automotivetestingtechnologyinternational.com/industry-blogs.php?BlogID=1863

By Cesare Garlati

When it comes to testing the components of modern connected cars, of course pen-testing (penetration testing) has its place; however, it is no substitute for solid product development.

In testing, companies often operate under the notion that an identified problem can be fixed or patched. This may be true for some areas of testing, but for security, it is not sufficient. Security needs to be built-in, from the ground up. And that means starting at the hardware layer, which is seldom done today, but which is completely viable given the advancements in silicon and other connected vehicle technologies.

Continue reading

Smart Home Security Report

Study Finds Smart Home Tech Gaining in Popularity, Yet Still Woefully Insecure

Smart Home Security ReportSANTA CLARA, CA – Sep 20, 2016 – The non-profit prpl Foundation today unveiled its global study on the use of smart devices in a domestic setting entitled, “The prpl Foundation Smart Home Security Report.” The one-of-a-kind study, which was conducted through OnePoll, covers the proliferation of smart device use and security within the home. It surveyed 1,200 respondents across the US, UK, France, Germany, Italy and Japan to discover the measures people take to secure their smart homes and their attitudes about the security of devices.

Some key findings include:

  • The smart home isn’t coming; it’s already here and device adoption in certain cases has reached a tipping point
  • The smart home is woefully insecure due to users’ failure to follow best practices
  • Consumers prefer security to usability, and they’re prepared to take more responsibility if it means living in a safer home

Continue reading

prpl @ Microchip MASTERs 2016

U.S. MASTERs 2016prpl Foundation, along with our members Imagination Technologies and Seltech, were excited to participate in Microchip MASTERs conference in Phoenix last week.

MASTERs is known as the “premier technical training conference for embedded control engineers”. We were thrilled to showcase our latest developments for this group: the porting of the prplSecurity™ framework to Microchip’s PIC32MZ controllers sporting the MIPS M5150 core.

Continue reading