As previously reported, we first learned of Irdeto’s ambitious plans to develop an Internet-of-Things security framework in a visit with Stuart Rosove, the firm’s vice president of advanced solutions, at IBC in the fall.
It was a revealing discussion that made us more aware of how vulnerable service providers would be in taking on IoT services without such a framework.
IoT is a wide-open opportunity for the hacking community, going beyond anything that has happened up to now in creating paths to personal information.
This is not an inviting environment for service providers as long as those vulnerabilities are intact.
But the details of Irdeto’s emerging strategy weren’t clear to us at the time. Now, several months later, Irdeto has made considerable progress on the first stage of developing an IoT services security framework, with trials planned for the year ahead.
Recently, Rosove fleshed out some of the details in an interview with ScreenPlays editor Fred Dawson. An edited transcript of that exchange follows.
ScreenPlays – Security risks posed by the Internet of Things environment, and what to do about them, have not been a big topic amid all the hype around IoT services. I understand Irdeto is working on a solution that will address that issue.
However, Irdeto is known primarily as a company that is focused on pay TV and protecting all the licensed material out there.
This sounds like a reach to another level. Tell us a little bit about why you guys feel equipped to do that.
Stuart Rosove – The first thing to understand is the first thing, as it were, online that foreshadowed an Internet of Things was media.
As the broadcasters and content distributors took their content over the top for delivery directly to the consumer, they used a number of different IP-based devices which really were things in the Internet of Things, although we didn’t talk about them that way back then. We thought of them as multiscreen, multi-service, and over the top.
Irdeto, which has a 40-year-plus history in conditional access, has been continually evolving along with its customers, going from smartcard-based, hardware-based security through to software-based security.
Today, we’re actually the number one software security company for the number of deployments in the pay media industry worldwide.
To take a look at another statistic, we’ve already secured over two billion devices. We have over 300 million consumers using and interacting with our technology transparently each and every day.
So what does that mean? It means we understand scale; we understand device complexity; we understand an ever-expanding universe of devices that are all wed to media.
As we started to analyze security in the Internet of Things, we found a lot of commonality. Simply put, a lot of the attacks against the media and entertainment industry are virtually the same, although there are some innovative twists in the IoT space.
SP – How would you describe the vulnerabilities that are on the horizon as IoT services take off?
Rosove – Once upon a time the Internet was simply a collection of various robust computing devices with the sole purpose of data exchange and information exchange. And each one of those devices had a pretty robust operating system.
Today with IoT services – and all the analysts are predicting that by the year 2020 we’ll have 50 to 60 billion things online – these things are no longer full computing platforms but embedded systems with different types of operating systems: Linux-based systems, real-time operating systems, etc. And the issue is a lot of these devices are about getting them into consumers’ hands very quickly.
So the manufacturers don’t necessarily pay attention to security – I want you to have my wearable now; I’d like to have that IP camera installed today; I’d like to have a motion detector put into that environment yesterday.
So, because of the fractured nature and because of that rush to get to the consumer, a lot of the manufacturers are not focused on security.
And should they be focused on security, they tend to look at security with respect to one aspect of that device. They can’t step back and look at the systemic number of vulnerabilities.
A couple of studies have happened in the last couple of months showing that 75 percent of all devices online, and these range from smart TVs to smart refrigerators, to washers and dryers, to pet collars and other wearables, have known vulnerabilities – between 20 and 25 vulnerabilities per device. When you add all that up, it has created a hacker’s playground.
SP – As you look at how to turn that hacker’s playground into a minefield, what are you thinking of as the key steps you have to take that need to be addressed most immediately?
Rosove – IoT services are something that has been evolving for the last five or ten years under names like ubiquitous computing, pervasive computing, machine-to-machine.
We’re going to see a large uptake because of a number of factors, which we won’t get into today, but the most immediate thing is to start securing the few most vulnerable points.
While I’m somewhat reticent to say that there is a hierarchy of things that are more vulnerable than others, because we want everybody to be secure carte blanche, the fact is there are going to be devices that require security a little bit sooner.
Things like IP cameras. You really don’t want somebody hacking in and watching you and your things along with the security company you’ve hired.
Or the do-it-yourself installation where you think you’re the only person watching your things. You don’t want somebody else to control your thermostat.
You don’t want somebody else to be able to liberate personal identifying information off of, say, a smart refrigerator.
So any of the devices that have a more robust computing platform, which are mostly the ones I just spoke about, along with the residential gateways and the hubs that are controlling all of the central intelligence for that smart home, smart enterprise, smart municipality, are really the first devices or the first pieces of the infrastructure that we need to button down. But we don’t stop there. That’s really just the first key of the puzzle.
SP – Even in that first piece of the puzzle you’re looking at many moving parts. For a service provider, more and more of the solutions that integrate and run and serve as the operating platforms are in the cloud.
The idea is to allow as much flexibility in the development of applications as possible in a managed service environment where everything consumers want to do doesn’t have to be one-off, requiring integration procedures that are beyond the technical skills of most people. It just all works as it’s plugged in.
As a result, you have that cloud level of interaction with the local level of device controllers in the home, and you have the links to all of the attached devices that have to be secured.
So even those small examples you gave seem to me to represent a huge hurdle. Where do you stand in addressing that?
Rosove – We consider this to be not only a moving target but an extraordinarily difficult problem to solve.
You hit a couple of key points, which are both the device configuration and device management in the local environment as well as the communication between that device and the cloud where perhaps a lot of configuration management and services will come from.
The first piece of technology that we’ve innovated is something we call platform security. What this does is it takes a look at securing hybrid set-top boxes and residential gateways to address the problem you’ve just identified, and that is to make sure the communications between that device and the cloud are secure, to make sure the applications running on that platform, on that device, are authenticated by the operator themselves, and that they allow only those signed and verified applications to run on those devices.
You have to have a two-way communication channel from that device to make sure that policy can be separated such that, in the event something occurs and the operator wants to change configuration policy or a security policy, they can push that policy down dynamically to all their customers’ provisioned devices.
This platform security is ready, and we’re already working with some operators in live trials this year.
But, again, that’s just one part of the problem. Let me expand on that a little bit, because as we take a farther step out, we are now looking at other pieces to the puzzle. You have other devices that continually add on, and we’re not just talking about the residential environment.
You have to take into account the enterprise environment, the municipality, other cloud-based services.
We believe that what’s required is a holistic framework, what we are calling the Irdeto IoT services Security and Device Management Framework.
Within that framework you will have a number of different technologies to solve some of the point issues like the residential gateway, like the communications between that gateway and the cloud as well as communications by and between different devices.
We’ll also look at adding components to address things like identity management. How do we know that device is authenticated and supposed to be part of that domain of devices?
How do we know that Fred is Fred and is actually authenticated or that Fred’s devices that come into that environment are authenticated to work within that environment?
We’ll take a look at things such as network intrusion and detecting bad behavior; integrating things like malware anti-virus protection.
And at the end of the day, we believe it’s the orchestration of all these technologies in a meaningful fashion, a simplified fashion, that will enable the operator to provide a safe, secure and – here’s the most important thing – reliable implementation of IoT services applications.
SP – Okay. So you guys are a big company, you have a lot of experience, but this is a huge undertaking. How are you going to work with the ecosystem out there that can provide some of the expertise and technology that’s essential to doing this?
Rosove – That’s a great question. We believe we have some of the key components. We have world-class software security; we have world-class conditional access and platform security, as well as a host of other emerging intellectual property that, frankly, I’m not at liberty to share with you.
However, at the same time, this framework has an open API nature in which we’re actually engaged with third parties – SoC (system-on-a-chip) providers, malware protection providers, other security providers that bring a lot more to the party.
We recognize there are specialists, and there have been specialists in certain fields for years and decades that will leverage their expertise in this area.
The IoT services space is a far more complex battleground than anything we’ve ever seen, and it’s expanding each and every day.
Look at the Consumer Electronics Show. You walk through the halls and see hordes of new devices coming online and soon at a house near you.
So we need to work with third parties and are actively reaching out to see who’s interested in working with us to be part of this framework and solve these problems.
SP – This is a very cautionary tale when it comes to efforts on the part of some vendors and on the part of the general weal out there where people are saying, okay, it’s arrived, it’s time to get ready, it’s time to start doing things.
It sounds to me like a better approach for large service providers who want to get into this in a serious way, beyond the sort of proprietary closed systems that have been launched for smart-home applications so far, is to really make this a priority and gate their entry into this marketplace around their absolute assurance that the security needs are going to be met. Or the whole thing will crash and burn.
Rosove – I don’t want to be Mr. Doomsday, but to touch on a couple points, we think operators should look at a framework as an architecture they can work with into the future. You’re not just going to add water, mix and, boom, you’re ready to go with each and every device.
At the same time, if you don’t have that type of a plan with an architecture that’s extensible and dynamic to change as things change – crash and burn, maybe not – but it will challenge your infrastructure. You will have denial-of-service attacks that will impact your brand.
What we’re trying to bring to the market is something that not only reduces that risk but allows you to continually innovate with confidence and to re-use some of that infrastructure that you’ve been afraid to re-use.
Who wants to run a home monitoring system over a video delivery system? If that video delivery system goes down you’re going to lose your bread and butter.
We’d like to bring the security and reliability that allow you to leverage that infrastructure, because, at the end of the day, your ROI is going to go up and your profitability will go up.
SP – So this really comes down to a period of time where you will be working with ecosystem partners as well as potential customers in fashioning that framework so that people can confidently move ahead with aggressive participation in this marketplace.
Rosove – Absolutely.
SP – We very much want to find out how it goes over the next year and, certainly, what the buy-in is as far as the support you get from both the ecosystem and the customer base. But it sounds to me like this is absolutely essential.
Rosove – Thanks, Fred. Appreciate it.