Updating CA root SSL certificates requires updating the firmware on streaming devices, smart devices, routers, cameras, and more.
A security expert predicts trouble ahead for IoT device makers and customers due to expired root SSL certificates. Terry Dunlap is the chief security officer and co-founder of ReFirm Labs, a company that specializes in firmware security analysis.
A CA is a certificate authority, an organization that certifies the S in HTTPS; examples include Let’s Encrypt, Sectigo, DigiCert, and Comodo. The public key infrastructure is used to authenticate users and devices online. There are a minimum of three links in a certificate chain: the root CA certificate that is embedded in the browser or OS, and an intermediate CA certificate and an end-entity certificate, both provided by a server. Because the root CA certificate is embedded in the client device, updates must be done on the device itself via a software update.
The challenge with smart devices is that they are not updated as frequently as other devices like phones and laptops, and there is no automated system in place to deliver these updates. The other element in the equation is that these devices like plugs, lightbulbs, and cameras have low profit margins and short life spans. Many manufacturers don’t prioritize security until after there is a breach or a problem.
“They are not worried about security until after the fact, and there is a lack of attention to secure coding practices and a QA problem as well,” he said.
Dunlap’s advice to consumers is to learn how to update the firmware of their IoT devices and check for updates as he does with his home router.
“I have to constantly go to the company website, log in to the admin page of my browser, and pray that it doesn’t break the router in the process,” he said.
He doesn’t anticipate a total blackout of service from these IoT devices, but he expects a significant disruption that will overwhelm customer support centers.
For device manufacturers, sometimes the problem with expired certificates comes from firmware written by third-party suppliers.
“If you rely on any outside component for your device, such as a Wi-Fi chip, the supplier will give you the hardware component and a blob of code,” he said. “You don’t have access to the source code that goes into the firmware image that gets burned to your device.”
ReFirm’s Centrifuge Platform analyzes firmware before a device hits the market to reverse engineer the code and look for weaknesses and security risks, including expired security certificates.
“We can identify the code that has the highest risk of being exploited by an attacker,” he said.
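As an added example (not from the article, and not ReFirm's or Centrifuge's code), here is a dependency-free check for the expired-root problem described above: it reads `notAfter` from each certificate in a PEM trust store, such as one extracted from a firmware image, and lists those that are expired or expire within a horizon. The function names, the skeleton certificates and their dates are constructed for illustration.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):                          # one DER TLV -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):                          # notAfter of a DER X.509 cert, as aware datetime
    _, p, _ = _tlv(der, 0)                   # enter Certificate
    _, p, _ = _tlv(der, p)                   # enter TBSCertificate
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                          # optional [0] version, absent in v1 certs
        p = end
    for _field in range(3):                  # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                   # enter Validity
    _, _, p = _tlv(der, p)                   # skip notBefore
    tag, s, e = _tlv(der, p)
    utc = tag == 0x17                        # 0x17 UTCTime, 0x18 GeneralizedTime
    t = datetime.strptime(der[s:e].decode("ascii"), "%y%m%d%H%M%SZ" if utc else "%Y%m%d%H%M%SZ")
    if utc and t.year >= 2050:               # RFC 5280: two-digit years 50-99 mean 19xx
        t = t.replace(year=t.year - 100)
    return t.replace(tzinfo=timezone.utc)

def audit_bundle(pem, now, horizon_days=365):   # -> [(position, notAfter date, days left)]
    hits = []
    for i, m in enumerate(PEM_RE.finditer(pem)):
        expiry = not_after(base64.b64decode(m.group(1)))
        days = (expiry - now).days
        if days <= horizon_days:             # already expired, or expiring within the horizon
            hits.append((i, expiry.date().isoformat(), days))
    return hits

def _enc(tag, body):                         # sample builder only; short-form lengths
    return bytes([tag, len(body)]) + body

def sample_pem(end, tag=0x17):               # constructed skeleton cert: no real key or signature
    validity = _enc(0x30, _enc(0x17, b"100101000000Z") + _enc(tag, end))
    tbs = _enc(0x30, _enc(0xA0, b"\x02\x01\x02") + _enc(2, b"\x01") + _enc(0x30, b"") * 2 + validity)
    der64 = base64.encodebytes(_enc(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + der64 + b"-----END CERTIFICATE-----\n"

SAMPLE = sample_pem(b"240601000000Z") + sample_pem(b"250301000000Z") + sample_pem(b"20400101000000Z", 0x18)
print(audit_bundle(SAMPLE, datetime(2025, 1, 1, tzinfo=timezone.utc)))
```

To audit a real trust store, pass the bytes of the extracted bundle file and `datetime.now(timezone.utc)` to `audit_bundle`.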
Dunlap described how ReFirm worked with an automotive manufacturer to analyze firmware from a supplier. The wireless device under review was a diagnostic device used by service technicians that plugged into a car’s dashboard to read engine codes.
“We found that the tier 1 supplier had left its private signing key in the firmware,” he said. “We modified the firmware, and the car accepted it so that when a driver turned on the right turn signal, the left one came on.”
Dunlap said that his company is seeing more interest from security consultants and inquiries about penetration testing.
“Either the consulting firms are being proactive and offering IoT assessments or their clients are bringing it up as a concern,” he said.
ReFirm Labs has a significant number of customers in the telecom sector, including companies that produce equipment for first responder networks.