NanoLock Launches Platform to Protect IoT Devices From Production Through End-of-Life
21.6.2018 securityweek IoT
Cybersecurity start-up NanoLock Security today announced a new lightweight security platform designed to add security into the small connected devices better known as the internet of things, rather than to overlay security around those devices.
This is security designed to safeguard small devices from the production line through to the end of life and beyond; to allow secure updates but to prevent hacking and tampering; and to ensure the integrity of data from the device outwards.
"The challenge for connected devices," co-founder and CEO Eran Fine told SecurityWeek, "is that about 90% have very low computing power -- and they are becoming the most vulnerable part of the ecosystem. How do you protect those low power, and low compute power devices where an attacker may have network or physical access? The attacker may come from the device-side, or the cloud-side, on the production line, or even at the end of life of the device. How do you protect the very low computing power device within a cost and performance structure that satisfies the connected device marketplace?"
He needed a solution or architecture that is CPU agnostic. "CPUs are hackable -- as Intel, ARM and AMD have recently demonstrated," he continued. "So we work on the assumption that CPUs are untrustworthy. Instead of developing security that uses the device's own CPU, we've created something that sits between the bus of the device and the non-volatile memory. This acts as a governing entity, and very aggressively allows or disallows other entities to read from or write to the non-volatile memory that holds the firmware, the boot image, and the critical applications."
This approach works by preventing overwriting, modification, manipulation, erasure and ransomware attacks on firmware, boot images, system parameters and critical applications in connected and IoT devices. Without any possible access to the firmware, hackers cannot gain access to the firmware and cannot, for example, recruit the device into the next big Mirai-style IoT botnet.
Three technologies lie at the heart of the architecture. OREN device-side embedded protection safeguards against attacks from the network and cloud, and even an attacker that has physical access to the device. FOTALock technology ensures the safe and trusted delivery of firmware-over-the-air (FOTA) updates, applications and critical parameters. Management of Things (MoT) controls and manages devices and includes features for monitoring device security, version management, attacks and alerts. MoT is deployed as a stand-alone solution or integrated into a customer's own security management platform.
Since NanoLock sits on the only data route into the device, and is placed there during manufacture or assembly, connected devices cannot be hacked. "Even if you are the device owner, even if you have all the highest privileges, even if you are on the production line and have access to the device -- the security camera or the router, or the ECU in a car -- you cannot write any malicious code into the firmware, into the memory holding the firmware. The only entity that can do this is someone who has created a root of trust and a root of integrity between the protected memory and the entity," explains Fine.
"The protected memory will always continue to protect because it has autonomous decision-making power -- it has its own tiny CPU, its own non-volatile memory, its own cryptographic engine. Even if you are hacking the CPU or hacking the cloud, this device will continue to protect itself and the cloud-to-device integrity." Furthermore, he continued, "Every device, on inception, registers itself, provisions itself, and protects itself in front of the cloud -- and once it does this, it is unbreakable and unclonable."
The result is device security from the production line through distribution, installation and use, to beyond end of life. NanoLock provides physical protection from rogue or corrupt employees on the production line or in the business, and from hackers during use. "I like that NanoLock is combining a cyber and cyber-physical approach to protect and manage devices from the production line through end of life," comments Chris Wilder, senior analyst at Moor Insights & Strategy.
Such an architecture cannot be sold to the end user for installation since it is an integral part of the connected device itself. "We don't sell to device users like Citibank or Bank of America," said Fine; "but we will sell to a car maker or a big manufacturer of security cameras, or very large cloud providers offering management of devices as a service. Our customers are the automotive OEMs, operators and device makers and to some extent the large systems integrators."
It's a top down, not a bottom up approach to distribution. "We have strategic relationships with the memory makers," he said. "We work with one in Taiwan, one in the US and one in Japan. This provides an early access to the device makers who spec us in to the manufacture."
"Connected cars, part of the IoT ecosystem, are an area where security vulnerabilities are life-critical," comments Takayuki Maruhashi, assistant director at Japan-based Techno Systems Research. "A solution like NanoLock's ensures the network of ECUs are fully protected and managed during operation and during the component update process. CPU protection is proven to be vulnerable and NanoLock's approach is the solution to this problem."
And it's not just business to business critical infrastructure scenarios, added Fine. "The unbreakable nature of the system also makes it attractive for military and intelligence purposes where the device needs to be protected even if it falls into the wrong hands."
Based in both Nitzanei Oz, Israel and New York, NanoLock Security was founded in 2016 by Eran Fine, Shlomo Oren and Erez Kreiner; and is another start-up ultimately born from the Israeli intelligence services conveyor belt. Kreiner was director of Israel's National Cyber Security Authority for more five years, and was responsible for preventing cyber-attacks on Israel's critical infrastructures and assets.