Not content with having branched out into analytics, US DRM specialist Verimatrix plans to convince us all, at this year’s IBC and other, more relevant shows, that it can carve out a place for itself protecting the Internet of Things. It will introduce Vtegrity, a security product that reaches from the chips on the tiniest sensor in the IoT all the way to the cloud applications that the sensor speaks to.
It is both a mechanism for inserting keys at the lowest key ladder level when a chip is manufactured, so that all communication is encrypted, and a set of tools for identifying all communication sources through a trust model of certificates.
The aim is to protect revenue streams and maintain consumer confidence. Steve Christian, SVP marketing, told us, “We see this as a very similar problem to solve, to conditional access and DRM. Most security players are looking at this problem from the point of view of protecting a data center, and sometimes their ideas don’t scale. We already protect 100s of millions of set top boxes and this requires a similar architecture.” There are efforts from companies like Symantec, which claims to already protect 1 billion devices, from PCs to industrial devices to oil rigs, and a perusal of its IoT security product brochure turns up the same buzzwords as those we bandied about with Verimatrix. The key difference perhaps is the length of the relationships that the smaller DRM firm has had with its chip vendors.
The Verimatrix system focuses first and foremost on device integrity – it is a way of checking that each device’s software and memory footprint have not changed at any stage in its lifecycle, unless that change came over a secure communication channel from an authorized source. This includes use of a hardware-based root of trust built into the chip and a secure boot process.
After this the integrity of communications is paramount, so that unauthorized users cannot look for vulnerabilities – only devices which are explicitly identifiable are allowed to join any IoT network, through use of a series of secure certificates and device authentications.
Finally there is a layer of proactive threat monitoring, so that any emerging threats can be stymied by rapid device updates.
So is Christian right about DRM being a similar process? We suspect he is, and that the set top is little more than a special case within IoT. That should mean that everyone in DRM will be coming out with an IoT security service – and all of them are up against larger Data Center security specialists. Both Nagra and Irdeto have set up specialist teams around IoT. At the beginning of 2017 Nagra’s parent Kudelski launched its IoT Security Center of Excellence, to provide guidance and technology to help companies across all industries in IoT, which sounds more of a services move than a product or architectural approach; and Irdeto has built a strategy around its Cloakware product.
Christian believes that Verimatrix is slightly ahead of its two DRM rivals, and says that its route to market is through its existing chip partners, many of whom are being asked to provide transport-level security on their chips. They are aware that while they can open up a key ladder to secure software like that from partners like Verimatrix, they don’t want to be looking after every chip throughout its lifetime. DRM firms in particular take the long view and offer constant monitoring and secure over-the-air updates to fix vulnerabilities in set tops.
Companies like Broadcom and ST Micro inserted Trusted Execution Environments into their chips for multiple partners more than a decade ago, and have pioneered hardware-based security on devices. And Cryptography Research Inc, part of Rambus, has designed its own Crypto Media version which is open to players like Verimatrix to use. Rambus already does something very similar to this, inserting the first key into a remote chip made in China through a secure online process, for customers like Qualcomm. Irdeto’s key and credentials service again does something similar, wresting control of the initial keys from partners like set top makers and giving them over to operators to control.
Vtegrity is also supposed to leverage the cloud-based analytics components of Verspective, to give both secure data collection and behavioral insight into networks.
Christian used the example of the connected car, which has a huge number of vulnerabilities, mostly associated with the CAN bus and the OBD port used for diagnostics. Both provide a simple way to get a security exploit into a car. “We believe that the automobile industry will be subject to legislative control here, and forced to bring in a way to update cars over the air, in a secure fashion.”