New evidence seems to emerge almost weekly on how failings in crypto lifecycle management are exposing IoT deployments to new risks. When VDOO recently announced the discovery of vulnerabilities in AXIS cameras, for example, they pointed to the lack of binary firmware encryption in these devices as a key contributing factor.
Let’s not forget, either, that even though Heartbleed was discovered four years ago, there are still untold numbers of unpatched ‘things’ out there. For many years to come, these IoT devices will remain vulnerable to Heartbleed, which exposes sensitive data through a flawed OpenSSL encryption library.
To complicate matters, the pace of innovation in cryptographic research is continuing to accelerate. The investment – by both attackers and defenders – has increased markedly. Flaws in popular crypto standards are now being identified more frequently than in the past. Some older generations have already reached end of life, while others only have a few years left. The so-called “Snowden Revelations” are driving fragmentation of global encryption standards so that some countries are now mandating their own. And whenever the milestone is reached, the commercialization of quantum computers will require “quantum safe” cryptography, AKA post-quantum cryptography (PQC), to protect data from their phenomenal processing power.
Unfortunately, we know from experience that it is the very brilliance of cryptography that makes it a double-edged sword. Yes, it’s the critical enabler securing the vast flows of sensitive data in today’s global digital economy. Without it we would all be a lot poorer. But crypto is also a somewhat rarefied branch of mathematics. Crypto isn’t just hard for most businessmen to understand. Most computer scientists and IT professionals find it hard going as well. It is buried deep in our systems and, for most of the history of the Internet, has been taken for granted. But times and technologies are changing quickly, and cryptography is no longer the safe bet it was.
Replacing Cryptographic Assets Without Changing Source Code
At InfoSec Global, we’re building a portfolio of crypto-agility products that will enable enterprises to centrally manage, monitor, and update cryptographic algorithms across their infrastructure with a life cycle management solution that minimizes risk, secures data and enables interoperability.
We recognize that even ground-breaking crypto-agility products like ours address a problem that some customers don’t fully understand yet. And with evidence of IoT threats presented by crypto vulnerabilities continuing to mount, this issue needs to be tackled urgently now.
Crypto-Agility for Enterprises and the Internet of Things
Consider the security around the critical axis in any IoT deployment, namely the updates and other data exchanges between the ‘things’ in the field and the cloud infrastructure that supports them. At a business level, these “things” and their cloud need to talk to each other, or interoperate, flawlessly. Often they also need to do so in alignment with strict compliance standards (compliance table). If there are incompatibilities, including in crypto standards, the IoT service won’t work properly. Or it won’t be compliant. Or it will work but with security vulnerabilities that are baked in.
A fundamental challenge we still haven’t fully come to grips with in IoT security is that many key players in the value chain don’t exactly know what cryptography they have in their own environment. They don’t know what types of crypto are in use across their entire estate of servers, devices, and IoT ‘things’.
I even come across this problem in some cloud-service and software-as-a-service (SaaS) providers. These companies are often outstanding global technology leaders against all kinds of metrics. But insight into exactly what cryptography is in use is sometimes in short supply. Like many enterprises, service providers are also highly multi-vendor environments with a combination of organically developed, acquired, one-off and deprecated products. Different types of crypto are added and removed by different companies, with varying auditing policies. There are variations in manual and automated inputs. Cryptography service-updates on some servers can sometimes be left out during a change window or upgrade cycle.
Given this common lack of granular insight and inventory around the installed base, it’s not surprising that some IT decision-makers have difficulty grasping the urgency of investing in crypto agility, including in the IoT context.
That’s why we recognize the critical importance of providing our customers with supporting tools and services that can shine a light on their organization’s use of encryption. By leveraging these scanning tools, organizations can understand exactly what crypto standards are in use in their organization and where. Hence they can better understand their own unique exposure to cryptographic algorithm obsolescence, supply chain risk and implementation errors.
The ability to scan the whole IT infrastructure and obtain a warts-and-all baseline of what encryption standards are currently supported is a foundational starting point in any organization’s strategy for IoT security and their migration path to crypto-agility.