An announcement about an IoT security center of excellence, delivered in the early days of January from Nagra, suggested that it was one of the first conditional access/DRM suppliers to believe that it had a chance of making money in the IoT security space. This week it signed its first “route to market” deal with French LPWAN player Sigfox, which might lead to this being a serious incursion into the IoT business.
It’s still early days, but the Kudelski Group IoT Security Center of Excellence plays on the idea that security is something which is “continuous,” a catch-phrase that came into play in video CAS systems, so that it doesn’t simply involve key delivery and encryption, but also monitoring, resolution and recovery. No doubt it also includes monitoring the internet to see if a single instance of your IoT installation has been recruited to engage in a denial of service attack.
While IoT security was a watchword throughout 2015, it was perhaps the 2016 exploits of the Mirai botnet that made it abundantly clear what kind of danger came with the IoT. While everyone had been looking for someone taking control of your self-driving car and driving it into a tree, the Mirai botnet reset the bar – infect a large number of devices and use them to help achieve something that no single device could do on its own.
In October last year, the largest DDoS attack ever recorded, at Dyn, a company which controls much of the internet’s DNS infrastructure, brought down sites such as Twitter, the Guardian, Netflix, Reddit, CNN and many others.
In simple terms, the botnet is able to infect anything that runs on a recognizable minimal sub-kernel of Linux, which many IoT devices do, as do set-top boxes, cameras and phones. It needs a lot of devices so that it can fool a remote webserver into believing that none of the traffic is from the same IP address, and it harnessed devices as small as cameras and home routers to do its bidding, which put it in the ambit of a player like Nagra. Fundamentally the Mirai botnet relies on human stupidity, not turning on encryption, and then it infects and waits for instructions.
Nagra set up its IoT Security Center of Excellence to offer advice on hardware and software configuration, and in particular on control frameworks (how devices are controlled) as well as countermeasures (what to do in the event that your IoT device is hacked). The issue is not the IoT device on its own, which almost always has a viable encryption process; what Nagra plans to add is a first-up analysis for vulnerabilities, followed by improving the key management of the device using a hardware root of trust which is not observable by the OS. Nagra, like many other DRM firms, has its own code obfuscation and white-box cryptography tools to retrofit some protection where there is no hardware root of trust, or where it is easily visible to a hacker.
Partnering with Sigfox won’t necessarily get it tons of business, but it will introduce Nagra to the world of IoT players, the chip and device makers, and let it rub shoulders with these guys and put a price on security that makes sense at the IoT level, which can often be limited to a few dollars to buy each device and just a few more to run it for years.
The best way for a company like Nagra to pick up clients is to be the first port of call when something goes wrong, for instance by proactively entering the device with countermeasure code, which will also isolate and show Nagra what software is delivering the threat. Nagra also boasts a legal team that can help if intellectual property is lost.
We would expect anyone that has grown up in protecting video to be readying themselves to enter this market – video needs to remain encrypted out of sight of operating system tools like debuggers, and to handle decryption in a hidden space in a device away from OS visibility. It’s not enough to have a hardware root of trust; it must also not be watched while it does its work.
We are in the early days of IoT security, but sometime in the next 5 to 10 years this is going to be a multi-billion industry, and those who move early are likely to make the most inroads. Expect more announcements of this type from companies like Verimatrix and Irdeto through 2017.
Nagra also published its results for 2016 this week, with revenue up a creditable 12.3% to the equivalent of $1.07 billion, with net income up 51.7% to $75 million. It cited the deal at Altice in the US as a major win, as well as a repeat deal at Canal+ for France, Poland, the Caribbean, Africa, Vietnam, Madagascar and Mauritius, and the deployment of Nagra Insight and the upgrade to Nagra Command at Dish in the US. The company gave guidance for 2017 at revenues of $1.15 to $1.2 billion.