As a sponsor of Black Hat USA 2015, our own Thorsten Held had the privilege of being interviewed as part of the Sponsored Workshop Interviews. He answered questions ranging from protecting IoT devices such as connected cars and in-flight entertainment systems to helping app developers improve tamper resistance and self-defense. You can read the full set of sponsor interviews here; some excerpts from Thorsten follow:
The number of connected devices is growing rapidly and many industry pundits expect these devices to be targets of attack, motivated by the desire to do harm, potential financial gain, or just the recognition. Security should be designed into connected devices from the beginning, and code protection can provide a useful and affordable layer of security in these designs.
It’s not just the devices, though, that need protecting. Much of the personal data generated by the IoT will end up on users’ mobile devices and in cloud servers. These mobile applications, which provide a rich UI to visualize and act on this data, are often extremely vulnerable to attack. The cloud-based databases, with large amounts of personal information, will also become increasingly attractive targets of attacks. Mobile applications and cloud servers will likely be more attractive targets than the devices because the amount of data and the potential for reward is much greater. Still, the weakest link in the IoT will get the attention of hackers, and each element of the system should be protected with an appropriate amount of anti-tamper technology. Our code and key protection products are effective tools to protect connected devices and the mobile applications they communicate with.
Software, hardware, and content industries lose millions every year because of piracy, intellectual property theft, cracked copyright mechanisms, tampered software, malware, and so on. We’ve seen retailers experiencing loss of customer data which destroyed brand equity and burned cash. We’ve seen CEOs apologizing in public after data breaches and coffee chains reading their company name in the news because “hackers are stealing money via the company’s mobile app.” This is not good news. The basic problem lies in the openness of the underlying architecture of today’s computing systems. With the right expertise and tools, anyone can gain control over software running on their devices. There will always be users who will attempt to analyze and break software protection mechanisms, out of personal gain or pure curiosity. Therefore, a robust and efficient software protection scheme is an absolute must for all modern software applications in virtually all business areas. It is a fundamental factor in ensuring long-term profitability in today’s distributed software markets.
The war zone between software applications and adversaries who want to crack them is very broad and diverse. An application can be attacked at various layers, on different hardware, and with very different goals in mind, creating a very complex problem for companies who want to protect their intellectual property.
Cryptanium allows developers to protect the entire application code and all sensitive data processed by that code. This integrated security is achieved by applying the following main features to the application: integrity protection, code obfuscation, anti-debug, root- or jailbreak-detection, and cryptographic key protection.
The following list highlights some of the most common applications of Cryptanium:
- Hardening DRM systems and licensing modules.
- Protecting personal data on mobile devices.
- Protecting intellectual property by obfuscating on source code level.
- Securing proprietary algorithms against analysis and reverse engineering.
- Hardening firmware and OS.
- Protecting cryptographic keys.
- Protecting the client side of encrypted communication; the server side is secure.
- Preventing malware intrusion.
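The interview names integrity protection and anti-debugging but does not show what such checks look like inside a program. The following is an added illustration, written for this page and not Cryptanium's code or anything from the original post: a small Linux C program that (a) verifies a code-like region against a reference digest and (b) detects an attached ptrace debugger by reading `TracerPid` from `/proc/self/status`. The byte array `image` is a constructed stand-in for a firmware or code region, not real firmware, and the digest is FNV-1a, chosen only because it is short and dependency-free.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* FNV-1a 64-bit: a small, dependency-free digest for an integrity check.
 * It detects modification, not forgery: an adversary who can read the
 * binary can recompute it, which is why products layer obfuscation and
 * key protection on top of checks like this one. */
uint64_t fnv1a64(const void *data, size_t len) {
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;   /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;            /* FNV prime */
    }
    return h;
}

/* Integrity protection: compare a region's digest with the value recorded
 * when the binary was built. Returns 1 if intact, 0 if modified. */
int region_intact(const void *region, size_t len, uint64_t expected) {
    return fnv1a64(region, len) == expected;
}

/* Anti-debug (Linux): a process under ptrace shows a non-zero TracerPid
 * in /proc/self/status. Returns 1 if a tracer is attached, 0 if not, and
 * -1 if the file cannot be read (non-Linux host, restricted /proc). */
int debugger_attached(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            result = atoi(line + 10) != 0;  /* atoi skips the leading tab */
            break;
        }
    }
    fclose(f);
    return result;
}

/* Constructed sample "image" standing in for a protected code region.
 * These are arbitrary bytes for the demonstration, not real firmware. */
static const unsigned char image[] = {
    0x55, 0x48, 0x89, 0xe5, 0xb8, 0x2a, 0x00, 0x00, 0x00, 0x5d, 0xc3
};

/* Simulated attack: patch one byte in a copy of the image and re-run the
 * integrity check against the reference digest. Returns 1 when the
 * unmodified image passes and the patched copy is rejected. */
int tamper_detected(void) {
    uint64_t reference = fnv1a64(image, sizeof image);  /* "build-time" value */
    unsigned char copy[sizeof image];
    memcpy(copy, image, sizeof image);
    copy[5] ^= 0x01;                                    /* flip one bit */
    return region_intact(image, sizeof image, reference) &&
           !region_intact(copy, sizeof copy, reference);
}

int main(void) {
    printf("debugger attached: %d\n", debugger_attached());
    printf("tamper detected:   %d\n", tamper_detected());
    return 0;
}
```

Two caveats a practitioner should keep in mind: both checks are ordinary code shipped inside the binary, so whoever finds them can patch the comparison or the `TracerPid` read out, which is the reason real products hide many overlapping checks behind obfuscation rather than relying on one; and the `TracerPid` test only sees ptrace-based debuggers, so hardware breakpoints, emulators and instrumentation frameworks pass it silently.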
A recent NBC Nightly News feature showcased the DEF CON hacking convention, where researchers demonstrated the ease with which they are able to commandeer IoT devices. While there have been no reported malicious attacks of this kind, the coverage these demonstrations have received has put IoT and connected-car hacking in the spotlight. Is it just a matter of time? Are your connected devices hardened?
Photo credit to Steve Johnson.