Cesare Garlati | BringYourOwnIT.com

When IoT Attacks – The End of the World as We Know It?

October 20, 2017 Leave a comment

Excerpts of my interview with Phil Muncaster @philmuncaster

InfoSecurity Magazine Q4/2017, 4 October 2017

https://www.infosecurity-magazine.com/digital-editions/digital-edition-q4-2017/

Focus on the Firmware

A cursory look at OWASP’s IoT Security Guidance will highlight just how many elements in the IoT ecosystem could be exploited. Among others, these include the web interface, network, transport encryption layer, mobile app and device firmware. The latter is a key area of focus for the prpl Foundation, a non-profit which is trying to coral the industry into taking a new hardware-based approach to IoT security. Cesare Garlati, chief security strategist, claims that hackers could exploit IoT chip firmware to re-flash the image, allowing them to reboot and execute arbitrary code. “The issue with this kind of attack is that it gives the hackers complete control of the device and it is persistent; it can’t be undone via a system reboot, for example”, he tells Infosecurity. The answer is to ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. “It needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the ‘Root of Trust’ into the hardware to make it tamper proof ”, says Garlati.

Read more of this post

Filed under IoT Security, Top Posts Tagged with Cesare Garlati, critical infrastructure, firmware, hypervisor, infosecurity magazine, IoT Security, root of trust, scada, secure boot, virtualization

Interview: Cesare Garlati, Chief Security Strategist, Prpl Foundation

January 12, 2017 2 Comments

by Dan Raywood Contributing Editor, Infosecurity Magazine

3 Jan 2017

http://www.infosecurity-magazine.com/interviews/interview-cesare-garlati-security/

In 2016, the danger posed by the Internet of Things (IoT) became a reality. Add in factors such as the Mirai botnet and industrial control systems, and the problem becomes more than just Fitbits being connected to the network.

The problem was countered with the first industry guidance in November 2016, when both the Department of Homeland Security and NIST issued documents on IoT: with the DHS advising manufacturers, services providers, developers and business-level consumers; while NIST went for more detail for manufacturers/developers with guidance on how to engineer safer products.

Read more of this post

Filed under IoT Security, Top Posts Tagged with Cesare Garlati, Dan Raywood, infosecurity, interview, IoT Security

RSA Conference 2016 – A New Hardware-Based Approach to Secure the Internet of Things

November 8, 2016 2 Comments

Live Demo: A New Hardware-Based Approach to Secure the Internet of Things
RSA Conference 2016 – Abu Dhabi
November 16, 2016 | 11.20 – 12.10 hrs | Level 1 | Room: Etihad Ballroom 2

Quick look – This session will address four key elements that have introduced serious weaknesses into the IoT: proprietary systems, connectivity, unsigned firmware and lateral movement. Discussion will showcase a new approach to IoT security demonstrating how SoC virtualization and security through separation can address these vulnerabilities, which have already been shown to have potentially life-threatening consequences.

Read more of this post

Filed under IoT Security, Top Posts Tagged with Cesare Garlati, IoT Security, prpl Foundation, RSA Conference

Virtualization, silicon, and open source are conspiring to secure the Internet of Things

January 28, 2016 1 Comment

My chat with Brandon Lewis, Technology Editor at IoT Design, highlighting prpl’s push around roots-of-trust, virtualization, open source, and interoperability in order to secure the Internet of Things (IoT).

Credits: Brandon Lewis, IoT Design, January 28, 2016 @TechieLew

The prpl Foundation is known for open source tools and frameworks like OpenWrt and QEMU, but has recently ventured into the security domain with a new Security prpl Engineering Group (PEG) and the “Security Guidance for Critical Areas of Embedded Computing” document, not to mention wooing you away from your role at security giant Trend Micro. What can you tell us about the drivers behind these moves?

Cesare: One way to look at it is a supply-and-demand schema. On the demand side, according to Gartner, the security market was worth $77 billion in 2015 and it’s going to grow much faster. One strong demand-side driver is the need for stronger security, because industry is not doing a very good job of it – and when I say industry I mean from silicon to software to services – and all of the spending is not resulting in better information security. Read more of this post

Filed under IoT Security Tagged with ARM, Cesare Garlati, embedded, interoperable standards, IoT, IoT Security, linux, MIPS, open source, prpl Foundation, prpl SecurityGuidance, root of trust, secure boot, Security, virtualization

The Journey to a Secure Internet of Things Starts Here

January 15, 2016 3 Comments

As the Internet of Things finds its way into ever more critical environments – from cars, to airlines to hospitals – the potentially life-threatening cyber security implications must be addressed. Over the past few months, real world examples have emerged showing how proprietary connected systems relying on outdated notions of ‘security-by-obscurity’ can in fact be reverse engineered and chip firmware modified to give hackers complete remote control. The consequences could be deadly.

A new approach is needed to secure connected devices, which is exactly what the prpl Foundation is proposing in its new document: Security Guidance for Critical Areas of Embedded Computing. It lays out a vision for a new hardware-led approach based on open source and interoperable standards. At its core is a secure boot enabled by a “root of trust” anchored in the silicon, and hardware-based virtualization to restrict lateral movement.

Read more of this post

Filed under IoT Security Tagged with ARM, Cesare Garlati, exploit, information security, infosec, Internet of Things, IoT, IoT Security, jeep hack, MIPS, pentest, threat, trustonic, virtualization, vulnerability

How to Fix the Internet of Broken Things

November 20, 2015 2 Comments

iot-security The Internet of Things is already permeating every part of our lives – from healthcare to aviation, automobiles to telecoms. But its security is fundamentally broken. In my previous blog I’ve shown how vulnerabilities found by security researchers could have catastrophic consequences for end users. This isn’t just about data breaches and reputational damage anymore – lives are quite literally on the line. The challenges are many: most vendors operate under the misapprehension that security-by-obscurity will do – and lobby for laws preventing the disclosure of vulnerabilities; a lack of security subject matter expertise creates major vulnerabilities; firmware can too easily be modified; and a lack of separation on the device opens up further avenues for attackers.

But there is something we as an industry can do about it – if we take a new hardware-led approach. This is all about creating an open security framework built on interoperable standards; one which will enable a “root of trust” thanks to secure boot capabilities, and restrict lateral movement with hardware-based virtualization.

Read more of this post

Filed under IoT Security Tagged with ARM, automotive, can bus, Cesare Garlati, embedded, exploit, firmware, hack, hacker, Internet of Things, IoT, kernel, linux, MIPS, Networking, open source, patch, prpl Foundation, root of trust, secure boot, Security, TEE, trusted execution environment, trusted zone, trustonic, virtualization, vulnerability

The Security Challenges Threatening to Tear the Internet of Things Apart

November 4, 2015 3 Comments

The Internet of Things (IoT) has the power to transform our lives, making us more productive at work, and happier and safer at home. But it’s also developing at such a rate that it threatens to outstrip our ability to adequately secure it. A piece of software hasn’t been written yet that didn’t contain mistakes – after all, we’re only human. But with non-security experts designing and building connected systems the risks grow ever greater. So what can be done?

Read more of this post

Filed under None Tagged with ARM, automotive, can bus, Cesare Garlati, embedded, exploit, firmware, hack, hacker, Internet of Things, IoT, linux, MIPS, Networking, open source, patch, Security, trustonic, virtualization, vulnerability

Securing The Internet of (broken) Things: A Matter of Life and Death

October 6, 2015 1 Comment

If you’re like me you’ll probably be getting desensitized by now to the ever-lengthening list of data breach headlines which have saturated the news for the past 24 months or more. Targeted attacks, Advanced Persistent Threats and the like usually end up in the capture of sensitive IP, customer information or trade secrets. The result? Economic damage, board level sackings and a heap of bad publicity for the breached organization. But that’s usually where it ends.

Read more of this post

Filed under IoT Security, Top Posts Tagged with ARM, attack, audit, black hat, Cesare Garlati, cpu, exploit, hacker, hypervisor, information security, Internet of Things, kernel, linux, memory, micro kernel, MIPS, open source, pentest, reverse engineering, root of trust, secure boot, Security, soc, virtualization, virus, vulnerability, white hat

The Data Breach Pandemic: Information Security is Broken

June 8, 2015 Leave a comment

Have enterprises basically just given up on IT security? Global budgets fell by 4% in 2014 over the previous year and as a percentage of total IT budget they’ve remained at 4% or less for the past five years. The picture is even starker for firms with revenues of less than $100m, who claim to have reduced security budgets 20% since 2013.

Yet the threats keep on escalating. When it comes to information security, there are really only two situations out there: companies that have been breached, and companies that still don’t know it.

If 2014 was the “Year of the Data Breach” then 2015 is proving to be at least its equal. This month alone we’ve seen TV stations shunted off air by pro-jihadi cyber terrorists; the discovery of major new state-backed attack groups; and another massive data breach at a US healthcare provider.

We talk today about managing risk, rather than providing 100% security – because there’s no such thing. The conclusion I have reached is that the traditional information security model is broken. But why? And how can we fix it?

Read more of this post

Filed under Information Security, Top Posts Tagged with attack, Cesare Garlati, CSIO, CSO, cybercriminals, cybersecurity, cyberterrorists, data breach, exploit, information security, infosec, pwc, Report, statistics, verizon, vulnerability

Google Vault Makes Play for Mobile Security Hardware Space

June 2, 2015 Leave a comment

Google Project Vault Last week Google made a splash with its latest futuristic tech offering: Project Vault. In essence, this mini-computer on an SD card is designed to enable secure authentication, communications and data storage on your smartphone or laptop. So what exactly is going on here? After years experimenting with Android, has one of the world’s biggest software companies finally admitted hardware level security is the way forward? And if so, what are the implications for enterprise and consumers? Read more of this post

Filed under Mobile Security Tagged with BYOD, Cesare Garlati, CUPP Computing, data protection, Google Vault, information security, Mobile Security, Privacy, Project Vault, prpl Foundation, Vault

← Older posts

Newer posts →

About Cesare Garlati

This is my personal blog about disruptive technology trends such as cyber security, open source processors, and the Internet of Things. It's full of my reasoned opinions, some of which will turn out to be absolutely wrong. You should not rely on anything in this blog for any reason other than for amusement.

This blog occasionally quotes excerpts from other publications, in which case it is done under Fair Use. I despise copyright trolls and think the EFF is due for sainthood any day now.

I am the founder of Hex Five Security and an active member of the RISC-V Foundation: some of my writing will appear here too if it's relevant. The opinions here are mine and mine alone, and are not representative of any professional organizations I belong to.

Comments are unmoderated. Say what's on your mind, be direct, speak the truth, etc., I'll try to keep all your comments ...

Happy reading!

Twitter @CesareGarlati

RT @JosephJacks_: From another reputable source: https://t.co/IIgFci61NG posted 2 weeks ago
David Patterson: Examining the Top Five Fallacies About RISC-V @risc_v design-reuse.com/news/53202/exa… posted 3 months ago
RT @hex_five: Learn how to quickly develop high-grade security applications with built-in remote firmware updates, telemetry, and device mo… posted 8 months ago
Congrats to team and investors! twitter.com/hex_five/statu… posted 1 year ago
New release of MultiZone Security for RISC-V available! v2.2.0 includes important security updates, secure DMA tr… twitter.com/i/web/status/1… posted 1 year ago

Follow @CesareGarlati

by Dan Raywood Contributing Editor, Infosecurity Magazine

My chat with Brandon Lewis, Technology Editor at IoT Design, highlighting prpl’s push around roots-of-trust, virtualization, open source, and interoperability in order to secure the Internet of Things (IoT).

About Cesare Garlati

Recent Posts