Slashdot Mirror

← Back to Stories (view on slashdot.org)

GlobalSign Supports Billions of Device Identities In an Effort To Secure the IoT (globalsign.com)

Posted by msmash on from the fixing-things dept.

Reader broknstrngz writes: GlobalSign, a WebTrust certified CA and identity services provider, has released its high volume managed PKI platform, taking a stab at the current authentication and security weaknesses in the IoT. The new service aims to commodify large scale rapid enrollment and identity management for large federated swarms of devices such as IP cameras, smart home appliances and consumer electronics, core and customer premises network equipment in an attempt to reduce the attack surface exploitable by IoT DDoS botnets such as Mirai.

Strong device identity models are developed in partnership with TPM and hardware cryptographic providers such as Infineon and Intrinsic ID, as well as other Trusted Computing Group members.

16 of 28 comments (clear)

  1. PKI? by Anonymous Coward · · Score: 1

    The problem with IOT devices by and large is unneeded internet-facing services with default passwords, known remote exploits, and no interest from manufacturers in security patches after the sale.

    You can put all the PKI you want into these products and the vendor will implement it with the same care as the rest of their software - ie. NONE.

    1. Re:PKI? by Smidge204 · · Score: 2

      Remember; the "S" in "IoT" stands for "Security!"

      =Smidge=

    2. Re:PKI? by fuzzyfuzzyfungus · · Score: 1

      Worse than that; in all likelihood.

      While adoption has been patchy; the 'trusted computing'/TPM guys definitely have what it takes to deliver a cryptographically locked bootloader and a variety of other powerful-and-somewhat-creepy capabilities; so anyone who gets onboard with this will presumably move from shipping hardware with shitty firmware that doesn't get patches to shipping hardware with shitty firmware that doesn't get patches and cannot be fixed or replaced even if you have the requisite expertise with that platform. The sort of 'support' that bootloader locked android devices get now. Far too insecure to be remotely safe; far too secure for mere mortals to reflash the firmware with something else without a particularly elegant 'trustzone' compromise or hardware attacks.

      I hardly mean to suggest that OpenWRT will save IoT or anything(IoT needs a lot more saving than is probably possible for anyone; and vendors are spitting out unsupported hardware far faster than 3rd parties and mainline kernel support can catch up); but if you think shoddy firmware is bad; it's hard to get excited about shoddy firmware that is effectively impossible to replace even for devices based on well supported hardware.

    3. Re:PKI? by arglebargle_xiv · · Score: 1

      Yup. The headline should read "GlobalSign Wants to Sell Billions of Certificates Blah Blah IoT". When it comes to the IoS, lack of certificates isn't even on the radar in terms of its problems.

  2. Unnecessarily complicating matters by ddtmm · · Score: 1

    The problem with IoT is almost 100% due to default passwords or no passwords. The solution is not to add another complicated layer on top. This is bullshit. We just need to start producing products with unique passwords. Simple.

    I just bought a new TP-Link Ethernet over Power adapter kit with built-in WiFi and to my surprise, it comes with a little card with the unique password for my particular unit, in case I ever have to reset it to factory. No more default password for every unit. It's that simple folks.

    1. Re:Unnecessarily complicating matters by nuckfuts · · Score: 1

      Exactly. The problem is not that IoT devices are lacking "unique identities", or not using signed SSL certificates, it's that any clown on the Internet can exploit them remotely.

    2. Re:Unnecessarily complicating matters by TheFakeTimCook · · Score: 1

      The problem with IoT is almost 100% due to default passwords or no passwords. The solution is not to add another complicated layer on top. This is bullshit. We just need to start producing products with unique passwords. Simple. I just bought a new TP-Link Ethernet over Power adapter kit with built-in WiFi and to my surprise, it comes with a little card with the unique password for my particular unit, in case I ever have to reset it to factory. No more default password for every unit. It's that simple folks.

      You're absolutely right that that alone would make most of these mass-attacks completely impractical. Kudos to TP-Link for not being as lazy as the rest of the shitbox IoT vendors out there. Jeez, even a PW that was generated from the Serial No. would be better than "admin", or "1234", or whatever most default PWs are...

    3. Re:Unnecessarily complicating matters by Opportunist · · Score: 1

      What makes you think that password is unique? Do you own a significant number of those devices to make this bold statement?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Unnecessarily complicating matters by suss · · Score: 1

      admin:123456, with an open telnet port, and the first thing it does, is try to get the outside IP and contact 3 different Chinese dyndns servers to make sure their trojan horse inside your network is known to the world...

      This is done on purpose, i'm sure of it.

    5. Re:Unnecessarily complicating matters by TheFakeTimCook · · Score: 1

      admin:123456, with an open telnet port, and the first thing it does, is try to get the outside IP and contact 3 different Chinese dyndns servers to make sure their trojan horse inside your network is known to the world...

      This is done on purpose, i'm sure of it.

      Oh, I agree; and likely with the tacit approval/urging of the FiveEyes guys.

      Sometimes it really IS a Conspiracy.

  3. too expensive by nnet · · Score: 1

    other than increasing the cost of a device, whats the plus side again?

  4. All the value in one place by Okian+Warrior · · Score: 1

    The solution is not to add another complicated layer on top.

    The proposed solution also presents a single point of failure for the cryptographic resource. If one company manages to get hacked, or infiltrated by one agent, or gets betrayed by one employee, everything will be lost.

    Bruce Schneier had the analogy of putting $100 into each of 10 safes, versus putting $1000 into one expensive safe. The $1000 in a single place makes it cost-effective for a burglar to try to break in, while $100 in ten safes does not, even if the 10 safes are individually less secure than the one safe.

    We've seen this principle in action recently: losing our clearance info database to the Chinese, and RSA losing its secureid seed database.

    If the security of IOT devices is managed by one system, all it takes is someone to offer $500,000 to an employee for the root info (root certificate, or whatever the chain of trust originates from) and everything is lost.

  5. Apple Already Figured This Out by TheFakeTimCook · · Score: 1

    HomeKit fixes the security holes quite nicely, thank you; even more so if you use Bluetooth rather than WiFi.

    Then, the issue becomes all the other shitbox back-of-the-napkin "Protocols" that are insecure. If your IoT device supports one of those in addition to HomeKit, you could still be unsafe.

    But as far as HomeKit itself, it is quite secure.

  6. Re: Nice slashvertisement bro by Opportunist · · Score: 1

    Why don't you elaborate and enlighten us all?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:How will this stop current botnets? by Opportunist · · Score: 1

    Along with the idiots that bought them.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re: Nice slashvertisement bro by simondistintive4944 · · Score: 1

    We are part of a team consisting of highly efficient and effectÂive developers and haÂckers. Upgrade University GrÂades,hack your school grades,Hack FacebookÂ,Instagram,Twitter,WhÂatsapp,Skype Clone your spouse phoÂne,Hack bank accountsÂ,Apps hacking,MasterCÂard, Paypal, Bitcoin, WU, Money Gram with Âuntraceable credit on it etc. We do software and weÂb development in php, java,Âasp.netÂÂetc. We have 100% records Âfrom our client as weÂll as highest repeat Âhire rate. our work speaks for iÂtself, we provide a pÂerfect software solutÂion to all clients. interested parties shÂould contact us at:Âcyberstallions@techieÂ.com