When I first started writing software for a living (ahem, almost 30 years ago), I specialized in writing embedded software for military systems, aircraft and medical devices. A bug in this type of software has the ability to bring down an aircraft, accidentally fire a missile, or misdiagnose a terminal disease. So, serious stuff.
Back then, our software update process was laborious and time-consuming but very secure. We would pull out an EEPROM from the device, erase it with a UV light source, reprogram it, and then reinsert into the device. We used a simple checksum to ensure that the software was saved correctly to the EEPROM and to also verify the checksum during bootup to confirm that the software hadn’t been corrupted by a cosmic ray.
To update software that was already in production required bringing the device back into the factory and physically swapping out its PROM memory with a new PROM with the updated software.
Back then, it was very difficult for a third party to manipulate (e.g. add malware to) embedded software because the device needed to be physically accessible to be updated.
Internet of Things (IoT)
Things have changed a lot in 30 years, haven’t they? Today, IoT (Internet of Things) devices can be found anywhere and everywhere. From front door locks, thermostats, wearable health monitors, smart factory equipment, autonomous farm equipment to even your refrigerator. These devices, and the software that runs them, are involved in almost all aspects of our lives. And perhaps most impressively, software for these devices is updated frequently, “automagically” over the Internet. Because of this, we no longer use simple checksums to protect the software. Instead, we use code signing.
Learn more about Device Authority on the Venafi Marketplace.
What is code signing?
Code signing is a software development process of digitally signing executable code to prove the identity of the software author AND guarantees that the code has not altered or corrupted since it was published. Both these points are extremely important for building trust from your customers and safely distributing your software.
Why is this important for IoT?
As the number of Internet of Things devices and applications continues to grow in 2020, unauthorized software and firmware updates are a major threat vector for IoT cyber-attacks. IoT breaches can have physical consequences that result in loss can also introduce substantial legal liability and erode brand reputation and trust, with immense costs due to certificate recall, breach response, as well as loss of overall revenue.
In short, your software is your product and your product is your brand. If cybercriminals or a rogue employee push out a malicious software update to your customers, they will blame you for failure to protect them rather than the individuals responsible for the malicious update.
With attacks becoming increasingly sophisticated and hard to defend against, they can cost organizations a lot of money each year. According to an Accenture report, the average cost of cybercrime grew by more than $1 million in 2018 to $13 million (about £9.9 million) per organization. Due to the implications of these costs, people are extremely cautious when it comes to downloading executable files from the internet. It’s worth doing whatever it takes to gain the trust of your customers and potential customers. Online distribution means you can distribute software updates faster. This broadens your potential customer base and there can be considerable savings since there is no software media, packaging or postage costs.
Why should businesses take action?
Enterprise organizations need a method to trust and verify IoT device updates as these unverified devices are an easy entry point for attackers. Any unsigned updates can be tampered with in transit, so there is a need to prevent malicious updates from being applied to devices.
However, code signing software alone may no longer be enough to prevent cybercriminals from their work as they now target the theft or misuse of private code signing keys. They use these rogue keys to either code sign malware or tamper with your software. It’s been reported that over 22M code signing keys have been stolen or forged from legitimate businesses. This should be a concern to ALL software-oriented businesses.
To protect against theft and misuse, companies need to implement a secure code signing process to protect their private code signing keys. Enforcing cryptographic and other certificate policies, limiting access to code signing keys, requiring approvals for each use of private code signing keys, and never allowing a code signing key to leave secured storage, even for a code signing operation, are a few steps that should be taken.
But these crucial security steps may have an unanticipated side effect—interfering with the develop/build/release/deliver software process. This risk is especially prevalent in situations where a code signing system isn’t integrated with the development teams’ tools and if it can’t be automated. What’s the result? Development teams bypass security measures, or try to handle it on their own, often incorrectly. This is especially true for IoT.
Today there is a severe lack of integration with existing enterprise systems. Existing code-signing solutions are not integrated with the enterprise IoT workflows and existing IoT code-delivery processes not readily integrated with code-signing workflows. As new IoT Project are created, new solutions are built from scratch for each use case, which inevitably means expensive bespoke development work.
An easy and secure way to code sign IoT applications
To address the challenges for an effective code signing solution for IoT Enterprise projects, Venafi has teamed up with Device Authority. Venafi’s CodeSign Protect solution is now integrated with Device Authority’s KeyScaler platform.
KeyScaler provides an automated solution to manage the lifecycle of updates that are delivered to a device. Provisioning unique certificates, establishing trust between a device and server, signing code using a pre-configured Certificate Authority with policy-based authorization, and delivering encrypted assets to IoT devices—without requiring any human intervention.
This solution closes the gaps open to exploitation by integrating and using Venafi CodeSign Protect to secure the code signing process throughout the secure update lifecycle.
The Code Signing part can be done in 4 simple steps:
- The Data or Code Owner uploads their unsigned Data to the KeyScaler Platform, which get stored in the Platform database.
- Provided that the Code Signing Policies are all configured in KeyScaler, the unsigned hash of the code is automatically sent to Venafi CodeSign Protect to get Signed
- Venafi CodeSign Protect determines if the request is authorized based on policies that were previously defined for the project. This can include who has access to use the private key, if approvals are needed in order to access the key and if there are restrictions on which computers (build servers, developer’s laptop, etc.) can access the key. If authorized, then Venafi CodeSign Protect signs the hash and returns the signed hash back to KeyScaler Platform.
- The Signed software is then automatically uploaded to Azure Blog Storage repository by KeyScaler
For the Secure Update Delivery mechanism KeyScaler has integrated with Microsoft Azure Blog Storage to provide a download link to the devices.
This can be accomplished in 3 simple steps:
- Next time the device checks in to KeyScaler platform, it will Authenticate and check to see if there are any new assets
- The KeyScaler platform will have the new data/code, ‘the asset’ ready to be dispatched, based on policy, to all devices which require the new code/Data it will send this in the form of a URL to the device
- Once the device receives the URL, it will automatically execute on it and fetch the new Venafi ‘Signed’ code/data from Azure Blob storage to be deployed on the device.
Through seamless integration between VenafiCodeSign Protect and Device Authority KeyScaler solution you to secure your code signing, update delivery process for IoT devices and deliver critical requirements for IoT environments:
- Access to secure updates is restricted to authorized devices
- Updates are also specifically encrypted for target devices and are not exposed as unprotected software or firmware downloads
- Secure updates ensure that both the update source and the integrity of the updates themselves are verified, delivering end-to-end protection for device updates
- Policy driven processes deliver scaler through automation
- Native integration rapidly reduces time needed to implement a secure update process for IoT
Want to learn more? Join Venafi at the Device Authority IoT Summit on February 23, 2021, where we discuss Protecting Your IoT Software Delivery Against Malware Insertion
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.