Embedded World 2017 – IoT coming of age.

by Cesare Garlati – Chief Security Strategist, prpl Foundation

Last week I had the pleasure of attending Embedded World 2017 in Germany as I was invited to give a couple of presentations on the pioneering work we have been doing at the prpl Foundation with regards to the prplHypervisor™ and prplPUF™ APIs for securing IoT. As it turns out, IoT was the top line at the conference that drew in more than 30,000 trade visitors – and the event solidified the notion that embedded computing is now synonymous with IoT.

IoT Security: Pushing the boundaries of resource constrained devices

The main theme running throughout was the challenge of pushing resource constrained devices to the limits. From a tech provider’s perspective, this was the most pervasive, well-defined issue being tackled at the show – how do we push the capabilities when it comes to functionality and security in low power devices with limited memory and minimal CPU resources?

With IoT, applying security technology after the fact or using encryption as used in a traditional security model is simply not an option in devices that don’t have the battery power, memory or CPU to support such measures, much less being able to afford the expense when the device itself costs so little. Yet, the fact that these are physical devices makes them so much more dangerous to human life and therefore the security should be taken just as seriously as that of a data centre.

Open Source as (one) answer

The answer for much of these basic security questions meant that more and more vendors are adopting – or seriously considering – the use of open source software. Though not everyone was aligned with the true value of open source, some even felt opportunistic, it was encouraging that the message of using open source, with all the extra eyes on it, is getting through.

Having said that, and knowing that open source software is notoriously more resilient than proprietary, closed source software – it does have its issues that vendors and manufacturers need to be aware of. Namely, though it is open and freely available, open source is not free. Yes, there is no licensing fee, but that is not to say it doesn’t come with the expenses of developing expertise, ensuring the organisation using it has the right liability cover, maintenance and working with open source communities to get the best out of it. As with anything in life, using open source requires upkeep to get the most from it.

In silicon we trust

Using open source protocols to get the basics right in IoT means that embedded devices can truly be interoperable with each other. What stops this from being a security risk is trust. The other element I discussed and which received over an hour of questions from the audience was the prplPUF™ API, the Physical Unclonable Funtions implementation of the prplSecurity™framework. I think everyone can agree that we’ve established that embedding secrets in a device is just not a good idea – and if you need proof, look no further than the Vault 7 revelations; not even the CIA can hide such secrets. Instead, what if you could extract a unique identifier from the silicon itself, something that is exclusive and repeatable and unable to be cloned?

This could have all sorts of applications for improving and strengthening security in embedded devices and the real genius of it is that it’s something that already exists with in the hardware itself – much like a digital fingerprint.

By using the prpl platform which combines open source with the use of a light-weight hypervisor for security by separation and PUF to establish trust in embedded systems, we’re looking at a much safer future for IoT.

 *   *   *

For more information or to get involved in the groundbreaking work prpl is doing with improving embedded computing security, visit us at http://prpl.works or contact me directly at @CesareGarlati

Prpl Foundation tackles how to secure the Internet of Things at Embedded World 2017

Not for profit and its members showcase innovation and push the limits of embedded computing

Santa Clara, Calif. – 9 March 2017 – At Embedded World in Nuremburg, 14-16 March 2017, prpl Foundation and several of its member companies will address of the security concerns presented by embedded computing systems as they become more intertwined in our lives.

During two separate presentations on March 14 at the show, prpl’s chief security strategist, Cesare Garlati, will outline and demonstrate how a new separation-based approach anchored in hardware can create the trust needed across the IoT from node to cloud. How We Can Fix Embedded Computing Through an Open Source, Silicon-Layer Approach will take place at 9:30-10:00 and the Interactive Session: How a New Hardware-Based Approach Can Fix Critical Areas of Embedded Computing Security will take place at 14:30 – 15:00.

Continue reading

(Not so) Random Musings from RSA Conference 2017

Cesare Garlati, Chief Security Strategist, prpl Foundation

cesare-garlati-rsa-sf-2017The world’s great and good of the information security industry descended on San Francisco this week for RSA Conference 2017. On the surface, it looked like more of the same this year.  There weren’t a huge amount of new companies exhibiting this year and the traditional vendors all seemed to be consolidating and streamlining their product lines in attempt to demystify buyers.  It even saw the McAfee brand back this year after a noticeable absence in the previous “Intel Security” era.

What was extremely apparent, however, was a return to the future.  By this I mean the return of focus on securing  the endpoint.  From laptops, desktops and mobile phones, BYOD reared its head again under a different guise – Bring Your Own Anything.  The reason for this is likely the shift to the cloud and away from traditional on-premises offerings, where RSA vendors have typically focused in the past.  This trend has meant that as applications, services and virtual workloads move to the cloud and third parties, the corporate data centre is becoming less and less central to IT budgets.  As such, we are now seeing a trend where established vendors are following suit and looking once again the endpoint as a source of revenue, albeit from a slightly different perspective this time.

This difference comes in the form of Internet of Things (IoT) – which, based on the amount of presentations at RSA this year, is clearly of major significance within the industry.  Kaspersky jumped on the bandwagon and announced its platform for IoT and AT&T, IBM, Symantec and others announced an IoT Cybersecurity Alliance.

RSA Conference 2017
RSA Conference 2017

But is IoT just another buzzword? The scepticism comes from the fact that traditionally, RSA has been a datacenter/network security event.  Granted, network perimeters are changing significantly with the advent of things like the cloud and IoT, but I’m still unconvinced that people can define IoT successfully in this context.  It simply isn’t a problem that traditional network security is going to fix, as evidenced in prpl’s extensive research into how to secure the IoT. We know that security IoT has to start at the hardware level, and that traditional RSA conference vendors have little understanding of this space

It was encouraging to see a large presence by the not for profit Cloud Security Alliance that was poised to tackle the IoT issues and the crowd for the CSA seminar exceeded 1,400 – with queues out of the door for attendance.  Its approach, which advocates open standards, is one which prpl aligns itself with and it is heartening to see everyone coming together in an organised manner to undertake the problems associated with IoT security.

Finally, the last significant observation for me at RSA was the emerging role of identity  as it relates to securing corporate data.  There was a lot of innovation happening around the idea of making passwords obsolete and start-up UnifyID even took the RSA Innovation Sandbox contest with its implicit authentication platform that combines machine learning and the array of devices around us to match our bodies, and more specifically the way we move, to our identities.

It’s innovations like these and the group mentality of coming together to face security issues head on that mean RSA will be successful for years to come. It just needs scratching away at the surface to get to the real innovation: end to end security cloud to silicon.

Prpl interviewed by Share Radio on smart home security

While Cesare Garlati, prpl’s chief security strategist, was in London in December, he visited the Share Radio studios to pre-record an interview on the prpl Smart Home Security Report. His interview was aired on the 13th of December as part of the Share Radio Evening Show.

Cesare Garlati at Share Radio studiosCesare tackles the issue of whether smart homes are as secure as they should be and refers to prpl’s one of a kind global study that found that while there was more adoption of smart devices people were failing to secure their smart home. Jinan Rahma of Share Radio spoke to Cesare and began by asking whether the smart home was a thing of the future and dove deeper into what users should be doing to protect their connected homes.

shareradioThe full podcast is available to listen to here: https://www.shareradio.co.uk/podcasts/are-smart-homes-as-secure-as-they-could-be-13-dec-16/

Prpl takes part in IoTSF discussions on industry collaboration

Last Tuesday the prpl Foundation took part in the annual IoTSF conference in London. Art Swift, President on the prpl Foundation, took part in a panel Tuesday afternoon on “United We Stand; Addressing the Bigger Challenges of IoT Security with Collaboration”. The panel centered around the idea of the building an “Internet of Trust” and how security through collaboration can help. Along with Art, the panel featured John Hayne, chairman of the IoTSF, Paul Wilson of the Multos Consortium, Hugh Boyes of the IET, Idris Jahn from IoTUK and Aapo Markkanen, principle Analyst at Machina Research.iotsf

The panel began by asking each member how they see the IoT terrain changing over the next few years, and how can the current work being done by the IoTSF in promoting best practices in security could help this. The main theme throughout all answers was simple: trust. The IoT needs to invest in a supply chain of trust between manufacturers and consumers,with consumers being able to trust that the security of the products is up to standard, and that manufacturers will take the security of their products more seriously. Continue reading

Alliance between prpl Foundation and IoTSF puts ‘security by design’ at the heart of embedded computing

New collaboration to transform security of the Internet of Things

LONDON, UK – 5 December 2016 – The prpl Foundation and the IoT Security Foundation (IoTSF), two influential not-for-profit organizations working to promote security and openness in the Internet of Things (IoT), today announced that they have entered into a formal agreement to cooperate on projects that put ‘security by design’ into the IoT.  One element of the collaboration, around the IoTSF Self Certification Working Group, will be discussed tomorrow in London at the IoTSF Conference 2016 entitled Building an Internet of Trust.

”The prpl Foundation and the IoTSF share a belief that security is a fundamental requirement to the enablement and adoption of connected devices,” said Art Swift, president of the prpl Foundation.  “We are delighted to work together to advance the many aspects of IoT security to make its widespread use less risky so consumers can use the IoT to its full potential safely.” Continue reading

prpl Foundation and CABA create important alliance to advance smart home security

Open source foundation joins forces with leading smart home and building organization

November 28, 2016 – SANTA CLARA, CA

Today, the not for profit prpl Foundation, an open-source, community-driven, collaborative, foundation with a focus on enabling next-generation datacenter-to-device portable software and virtualized architectures, announced a significant collaboration with the Continental Automated Buildings Association (CABA), an international not-for-profit industry association dedicated to the advancement of intelligent home and intelligent building technologies. The mutual alliance will see both membership groups working together on research projects and whitepapers to improve standards in smart home security.

“prpl’s alliance with CABA is an incredibly important step in the advancement of smart home technology,” said Art Swift, president of the prpl Foundation. “By collaborating with CABA’s wealth of smart home security experts and members, we will work together to provide high quality research and guidance that will push IoT industry standards to make sure that consumers are kept safe as connected device usage in their homes grows.”
Continue reading