Slashdot Mirror


GlobalSign Supports Billions of Device Identities In an Effort To Secure the IoT (globalsign.com)

Reader broknstrngz writes: GlobalSign, a WebTrust certified CA and identity services provider, has released its high volume managed PKI platform, taking a stab at the current authentication and security weaknesses in the IoT. The new service aims to commodify large scale rapid enrollment and identity management for large federated swarms of devices such as IP cameras, smart home appliances and consumer electronics, core and customer premises network equipment in an attempt to reduce the attack surface exploitable by IoT DDoS botnets such as Mirai.

Strong device identity models are developed in partnership with TPM and hardware cryptographic providers such as Infineon and Intrinsic ID, as well as other Trusted Computing Group members.

28 comments

  1. Nice slashvertisement bro by Anonymous Coward · · Score: 0

    Another day, another example of "don't trust CAs."

    1. Re: Nice slashvertisement bro by Anonymous Coward · · Score: 0

      Yep. SSL is broken by design and it can't be fixed.

    2. Re: Nice slashvertisement bro by Opportunist · · Score: 1

      Why don't you elaborate and enlighten us all?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  2. PKI? by Anonymous Coward · · Score: 1

    The problem with IoT devices by and large is unneeded internet-facing services with default passwords, known remote exploits, and no interest from manufacturers in security patches after the sale.

    You can put all the PKI you want into these products and the vendor will implement it with the same care as the rest of their software - i.e. NONE.

    1. Re:PKI? by Smidge204 · · Score: 2

      Remember; the "S" in "IoT" stands for "Security!"

      =Smidge=

    2. Re:PKI? by fuzzyfuzzyfungus · · Score: 1

      Worse than that; in all likelihood.

      While adoption has been patchy; the 'trusted computing'/TPM guys definitely have what it takes to deliver a cryptographically locked bootloader and a variety of other powerful-and-somewhat-creepy capabilities; so anyone who gets onboard with this will presumably move from shipping hardware with shitty firmware that doesn't get patches to shipping hardware with shitty firmware that doesn't get patches and cannot be fixed or replaced even if you have the requisite expertise with that platform. The sort of 'support' that bootloader locked android devices get now. Far too insecure to be remotely safe; far too secure for mere mortals to reflash the firmware with something else without a particularly elegant 'trustzone' compromise or hardware attacks.

      I hardly mean to suggest that OpenWRT will save IoT or anything (IoT needs a lot more saving than is probably possible for anyone; and vendors are spitting out unsupported hardware far faster than 3rd parties and mainline kernel support can catch up); but if you think shoddy firmware is bad; it's hard to get excited about shoddy firmware that is effectively impossible to replace even for devices based on well supported hardware.

    3. Re:PKI? by arglebargle_xiv · · Score: 1

      Yup. The headline should read "GlobalSign Wants to Sell Billions of Certificates Blah Blah IoT". When it comes to the IoS, lack of certificates isn't even on the radar in terms of its problems.

  3. How will this stop current botnets? by Anonymous Coward · · Score: 0

    While reducing the chances of future IoT getting pwned, how do we get current IoT devices out of botnets?

    1. Re:How will this stop current botnets? by Anonymous Coward · · Score: 0

      throw them into the trash heap. duh.

    2. Re:How will this stop current botnets? by Opportunist · · Score: 1

      Along with the idiots that bought them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Unnecessarily complicating matters by ddtmm · · Score: 1

    The problem with IoT is almost 100% due to default passwords or no passwords. The solution is not to add another complicated layer on top. This is bullshit. We just need to start producing products with unique passwords. Simple.

    I just bought a new TP-Link Ethernet over Power adapter kit with built-in WiFi and to my surprise, it comes with a little card with the unique password for my particular unit, in case I ever have to reset it to factory. No more default password for every unit. It's that simple folks.

    1. Re:Unnecessarily complicating matters by Anonymous Coward · · Score: 0

      And updatable firmware and a commitment to update said firmware for any known vulnerabilities for a certain amount of time.

    2. Re:Unnecessarily complicating matters by Anonymous Coward · · Score: 0

      Which leads to making it do something else, adding or removing functionality. Now add in a transducer like a SMT mic. Total surveillance by whoever controls the mother-ship.

      We already have consumer devices that refuse to function fully when they cannot call back to base. LG TVs report everything you do to "LG", Samsung blocks local LAN apps when their TVs cannot talk to samsung.com, and the built in mics are running hot - just like most webcams (i.e. they're always on regardless of the status LED).

    3. Re:Unnecessarily complicating matters by nuckfuts · · Score: 1

      Exactly. The problem is not that IoT devices are lacking "unique identities", or not using signed SSL certificates, it's that any clown on the Internet can exploit them remotely.

    4. Re:Unnecessarily complicating matters by TheFakeTimCook · · Score: 1

      > The problem with IoT is almost 100% due to default passwords or no passwords. The solution is not to add another complicated layer on top. This is bullshit. We just need to start producing products with unique passwords. Simple. I just bought a new TP-Link Ethernet over Power adapter kit with built-in WiFi and to my surprise, it comes with a little card with the unique password for my particular unit, in case I ever have to reset it to factory. No more default password for every unit. It's that simple folks.

      You're absolutely right that that alone would make most of these mass-attacks completely impractical. Kudos to TP-Link for not being as lazy as the rest of the shitbox IoT vendors out there. Jeez, even a PW that was generated from the Serial No. would be better than "admin", or "1234", or whatever most default PWs are...
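
An added example, not written by any commenter or vendor in this thread: two ways a factory step could give each unit its own password, as discussed in the comments above. The function names, the record layout, the `SN...` serials and the factory key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I), since the password
# ends up printed on a card in the box.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 200_000

def random_password(length=12):
    """Per-unit password from the OS CSPRNG, unrelated to any device attribute."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def serial_derived_password(serial, factory_key, length=12):
    """Password derived from the serial number with HMAC-SHA256.

    The serial alone (often printed on the box, often sequential) does not
    reveal the password, but anyone holding factory_key can recompute the
    password of every unit, so the key is a single high-value secret.
    """
    n = int.from_bytes(
        hmac.new(factory_key, serial.encode(), hashlib.sha256).digest(), "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)

def provision(serial):
    """Return (password_for_card, device_record).

    The device record holds only a salted PBKDF2 verifier, so a firmware
    dump of one unit does not expose a password usable on another.
    """
    password = random_password()
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return password, {"serial": serial, "salt": salt, "verifier": verifier}

def check_login(record, attempt):
    """Constant-time comparison of a login attempt against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["verifier"])

if __name__ == "__main__":
    card, record = provision("SN000001")  # constructed serial
    print(card, check_login(record, card), check_login(record, "admin"))
```
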

    5. Re:Unnecessarily complicating matters by Opportunist · · Score: 1

      What makes you think that password is unique? Do you own a significant number of those devices to make this bold statement?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Unnecessarily complicating matters by suss · · Score: 1

      admin:123456, with an open telnet port, and the first thing it does, is try to get the outside IP and contact 3 different Chinese dyndns servers to make sure their trojan horse inside your network is known to the world...

      This is done on purpose, I'm sure of it.

    7. Re:Unnecessarily complicating matters by TheFakeTimCook · · Score: 1

      > admin:123456, with an open telnet port, and the first thing it does, is try to get the outside IP and contact 3 different Chinese dyndns servers to make sure their trojan horse inside your network is known to the world...
      >
      > This is done on purpose, I'm sure of it.

      Oh, I agree; and likely with the tacit approval/urging of the FiveEyes guys.

      Sometimes it really IS a Conspiracy.

  5. too expensive by nnet · · Score: 1

    Other than increasing the cost of a device, what's the plus side again?

  6. All the value in one place by Okian+Warrior · · Score: 1

    > The solution is not to add another complicated layer on top.

    The proposed solution also presents a single point of failure for the cryptographic resource. If one company manages to get hacked, or infiltrated by one agent, or gets betrayed by one employee, everything will be lost.

    Bruce Schneier had the analogy of putting $100 into each of 10 safes, versus putting $1000 into one expensive safe. The $1000 in a single place makes it cost-effective for a burglar to try to break in, while $100 in ten safes does not, even if the 10 safes are individually less secure than the one safe.

    We've seen this principle in action recently: losing our clearance info database to the Chinese, and RSA losing its SecurID seed database.

    If the security of IoT devices is managed by one system, all it takes is someone to offer $500,000 to an employee for the root info (root certificate, or whatever the chain of trust originates from) and everything is lost.

    1. Re: All the value in one place by Anonymous Coward · · Score: 0

      You do know that no one person in the world holds the entire root private key, right?

  7. Apple Already Figured This Out by TheFakeTimCook · · Score: 1

    HomeKit fixes the security holes quite nicely, thank you; even more so if you use Bluetooth rather than WiFi.

    Then, the issue becomes all the other shitbox back-of-the-napkin "Protocols" that are insecure. If your IoT device supports one of those in addition to HomeKit, you could still be unsafe.

    But as far as HomeKit itself, it is quite secure.

    1. Re:Apple Already Figured This Out by Anonymous Coward · · Score: 0

      How does that help you when Apple's APIs are insecure and it is trivial to hook on to someone's iCloud and have all their messages and calls via handover?

  8. Security through buzzwords? by Anonymous Coward · · Score: 0

    Seems fairly obscure - and "trusted" - it might just work!

    (where work == generates lots of income for certain people)

  9. Extra security for unnecessary services by Anonymous Coward · · Score: 0

    Or just don't connect your toaster to the wifi.

    1. Re:Extra security for unnecessary services by Anonymous Coward · · Score: 0

      And Instagram pictures of my toast by hand like a barbarian, what madness is this?

  10. Hell to the NO!!! by Anonymous Coward · · Score: 0

    Public PKI will not protect us from shit. It will only be used to grant government a direct backdoor or proxy back door, which means this will likely take off if people are not paying attention.

    PKI operated by a public company is pointless. Additionally, it will do nothing to protect systems with weak security as the PKI subsystem will just become the next target of the attacks likely raising the risk instead of reducing it.

    PKI needs to stay right where it is at and be nothing more than securing a communications channel. An entirely and very interactive approach to letting users know what is running on their devices in real time is far more important. I am tired of looking at a computer and seeing cryptic names regarding what is running, the parts of the system the process is using, and/or the purpose of it.

    Systems need to become discreetly manageable where access to things are easy to grant or deny per application without a bunch of complications. A PKI infrastructure will just reduce our own level of ownership of our devices even further!