
Enabling embedded security for the Internet of Things


DESCRIPTION

Innovators, manufacturers, and economists agree on one crucial vision for our future: Industry 4.0 holds huge potential for value creation waiting to be tapped. The payoff is enormous: third-party sources predict that global investment in the industrial Internet of Things will reach USD 500 billion by 2020, a 2,500 percent increase from the USD 20 billion spent in 2012.

The pervasive connectivity of the Internet of Things (IoT) exposes embedded devices to more security risks than ever before. As a result, safeguarding devices, data, and intellectual property becomes a key requirement that embedded device manufacturers must meet to succeed in IoT. The strategic partnership between Wind River® and Wibu-Systems aims to offer modern techniques for tackling the security risks associated with vulnerabilities of interconnected cyber-physical systems. Together, we have developed a scalable protection and licensing system for VxWorks-based applications that grows along with your needs.

Learn:

• Ways to protect connected embedded devices, data, and intellectual property in the Internet of Things
• Software-based security features delivered by the VxWorks® 7 Real-Time Operating System together with Security Profile for VxWorks
• The complementary hardware-based CodeMeter® Security solution by Wibu-Systems
• Benefits of a joint integrated solution featuring software- and hardware-based security for security-sensitive applications

Request the CodeMeter SDK and try out Wibu-Systems' premier technology for yourself: http://www.wibu.com/cm


Page 1: Enabling embedded security for the Internet of Things

3 | © 2014 Wind River. All Rights Reserved.

ENABLING EMBEDDED SECURITY FOR THE INTERNET OF THINGS

Michel Chabroux, Senior Product Manager, Wind River

Marco Blume, Product Manager, WIBU Systems

Page 2

Agenda

VxWorks Overview

A Story…

Who needs security and why?

Security Profile for VxWorks Overview

Key Benefits

Key Features

Enhancement Options

Sample Applications

CodeMeter Security

Page 3

VxWorks: The RTOS for the Internet of Things

• World’s most widely used commercial RTOS
• Unrivaled technology partner ecosystem
• Best-in-class foundation for creating differentiated, IoT-ready intelligent devices

Pillars:

• Unrivaled Performance
• Modular, Scalable Design
• Safety and Security
• Virtualization

Page 4

A Story…

WHAT DO AIR CONDITIONERS HAVE TO DO WITH IDENTITY THEFT?

Page 5

A well-known retailer has experienced a security breach resulting in identity theft for millions of consumers.

The breach actually began when the retailer’s HVAC maintenance vendor was broken into. Network passwords the vendor used to monitor the retailer’s HVAC systems were stolen.

These same passwords gave hackers network access to the retailer’s Point-of-Sale machines. With this access, hackers installed malicious software that captured credit card data at the time of transactions.

Taking place over the holiday season, the attack captured the identity data of millions of unsuspecting shoppers.

Everything connected must be secure!

Page 6

From Islands to Networked Constructions: New Attack Vectors for Cyber Physical Systems

A Cyber Physical System (CPS) is a system of collaborating computational elements controlling physical entities*

* Wikipedia

Page 7

Security Threats

Operator

• Manipulation
  – Sabotage
  – Human mistakes
  – Intelligence services / Displeased employees
• Intellectual property
  – Recipes
  – Configuration data
• Production data
  – Machine log
  – Produced amounts

Manufacturer

• Cloning of a machine
• Imitation of a machine
  – Extraction of intellectual property (reverse engineering)
• Manipulation (warranty)
  – Unauthorized updates
  – Manipulation of counters
  – Manipulation of flight records
• Unauthorized access to source code

Page 8

Security Objectives

• Copy protection
• IP protection
• Integrity
• Authenticity

Page 9

Security Profile for VxWorks: Comprehensive Security for Your IoT-Ready Devices

• A collection of software-based security features to effectively safeguard devices and data
• Compatible with VxWorks 7 Core Platform and all industry-specific profiles for VxWorks 7
• Can be reinforced with a hardware-based solution from Wibu-Systems for high security applications and flexible licensing

Page 10

Security Profile for VxWorks: Key Benefits

• Solid foundation for security-sensitive applications
• Flexible, configurable, readily expandable security suite
• Upgradeable, future-proof solution
• Protection for your intellectual property

Page 11

Security Profile for VxWorks: Key Features

Protection across the device life cycle: Boot-up, Operation, Data Transmission, Rest/Shutdown

• Protect from tampering with code and unauthorized access.
• Safeguard data even when the device is powered down.
• Secure network communications and prevent attacks.
• Prevent execution of non-authentic code.

Secure Boot
– Digital signature verification
– Decryption*

Secure Run-Time Loader
– Digital signature verification
– Decryption*

Advanced User Management
– Prevention of unauthorized access
– Help for creating and enforcing user-based policies

Network Security
– OpenSSL
– SSH
– Cryptography Libraries
– IPsec and IKE

Encrypted Containers
– TrueCrypt-compatible AES-encrypted file containers
– Ability for data in containers to remain encrypted even when the device is idle or powered off
– Passkey protection using customizable functions

* Can be enabled or disabled

Page 12

Security Profile for VxWorks: Key Features – Secure Loader

Chain of trust: UEFI → VxWorks Image → Applications (LKMs/DKMs, RTPs)

VxWorks Image
– Trusted by UEFI
– Signed by Wind River Workbench user (signer‘s certificate)
– Signer‘s certificate in Bootloader

Applications (LKMs/DKMs, RTPs)
– Signed by Wind River Workbench user
– Signer‘s certificate in VxWorks image

Proprietary Wind River EFI loader

Page 13

Security Profile for VxWorks: Key Features – Digital Signature

Wibu CaTool

• Based on elliptic curve cryptography (ECC)
• Lead generates the root key and certificate
• Lead signs certificates for other developers
  – Signs requests from other developers
  – Creates signer’s keys and signs certificates
• Lead sends signed certificates to individual developers
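Added example (not Wind River or Wibu-Systems code) modelling the two-level chain described on the Secure Loader and Digital Signature slides: the lead's ECC root key certifies a developer's signer key, the developer signs an image, and a loader that holds only the root public key verifies the certificate first and the image second. The SignerCert layout, P-256 and SHA-256 are assumptions; Wibu CaTool's actual certificate format is not described on the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type SignerCert struct { // stand-in for the slides' "signer's certificate" (constructed; not Wibu CaTool's real format)
	DevPub  []byte // PKIX-encoded developer public key
	LeadSig []byte // lead's ECDSA signature over sha256(DevPub)
}

// LeadIssueCert: the lead, holder of the root key, certifies a developer's public key.
func LeadIssueCert(lead *ecdsa.PrivateKey, dev *ecdsa.PublicKey) (SignerCert, error) {
	der, _ := x509.MarshalPKIXPublicKey(dev) // cannot fail for a valid ECDSA key
	h := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, lead, h[:])
	return SignerCert{DevPub: der, LeadSig: sig}, err
}

// SignImage: a developer signs an image or module (LKM/DKM/RTP) with their signer key.
func SignImage(dev *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	h := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, dev, h[:])
}

// LoaderVerify trusts only the root public key: it checks the certificate, then the image.
func LoaderVerify(root *ecdsa.PublicKey, cert SignerCert, image, sig []byte) bool {
	ch := sha256.Sum256(cert.DevPub)
	if !ecdsa.VerifyASN1(root, ch[:], cert.LeadSig) {
		return false // signer certificate was not issued by the trusted root
	}
	pub, _ := x509.ParsePKIXPublicKey(cert.DevPub) // nil on parse error, so ok is false below
	devPub, ok := pub.(*ecdsa.PublicKey)
	ih := sha256.Sum256(image)
	return ok && ecdsa.VerifyASN1(devPub, ih[:], sig)
}

func main() {
	lead, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lead's root key
	dev, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // developer's signer key
	cert, _ := LeadIssueCert(lead, &dev.PublicKey)
	img := []byte("constructed VxWorks image bytes") // constructed sample payload
	sig, _ := SignImage(dev, img)
	fmt.Println("genuine:", LoaderVerify(&lead.PublicKey, cert, img, sig), "tampered:", LoaderVerify(&lead.PublicKey, cert, append(img, 0), sig))
}
```

A loader that only embeds the root public key, as the slide's "signer's certificate in Bootloader" implies, never needs the developers' keys: a rogue signer with a self-issued certificate is rejected at the first check.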

Page 14

Security Profile for VxWorks: Key Features – Encryption

AES encryption

Configured from VxWorks Source Build

Page 15

Security Profile for VxWorks: Key Features – Advanced User Management

User database
– No default user
– Dynamic definition of users
– Customizable encryption keys

If enabled, all access to the target will require a login

Page 16

Security Profile for VxWorks: Key Features – Encrypted Containers

Protect data at rest
– Files are encrypted at all times using AES encryption
– TrueCrypt-compatible containers
– Can be created on any host platform
– Can be configured to mount automatically
– Passphrase encryption can be customized

Page 17

Security Profile for VxWorks: Enhancement for Security-Critical Applications

Software-based security delivered by Security Profile can be reinforced with CodeMeter® hardware-based security by Wibu-Systems. CodeMeter Security adds flexible licensing and hardware binding.

Solution stack:

• VxWorks 7 Core Platform
• Security Profile for VxWorks
• Wibu-Systems Basic Security: IP Protection, Integrity Protection
• Wibu-Systems CodeMeter: Hardware Protection, License Management
• CodeMeter License Central

Page 18

Security Profile for VxWorks: Use Case – Industrial Systems and Energy

Prevention of operation disruptions, public security risks, and industrial espionage
– Hacking, tampering, and unauthorized access to power grid and plant control systems
– Piracy, illegal cloning, and code reverse-engineering

Protection via:
– Encryption
– Digital signatures
– Advanced user management
– Secure remote access
– Hardware-based security

Page 19

Security Profile for VxWorks: Use Case – Medical Devices

Protection of sensitive data in transit and at rest
– Safeguarding patient data (HIPAA): encryption and user management
– Protection of manufacturer-proprietary information stored onboard: encrypted containers

Protection from tampering with medical device software
– Digital signatures

Prevention of piracy and reverse-engineering
– Encryption and hardware-based security

Page 20

Upgrading to CodeMeter Security: Additional Opportunities

• Hardware-based key store
• License management
• New business models
• Business process integration of license and rights deployment using CodeMeter License Central

Page 21

Wibu-Systems CodeMeter Dongle Overview

Many Form Factors – One Technology: ASIC, µSD, SD Card, CF Card, USB Dongle

• Smart card based hardware security
• Industry compliant hardware
• Optional SLC flash memory
• Communication as HID device for USB possible

Page 22

Wibu-Systems CmActLicense

Software based license

Same features as CodeMeter dongles

Bound to target system fingerprint

Page 23

Wibu-Systems CodeMeter License Central

CodeMeter License Central
– Design of license models
– Creation, delivery and management of licenses

Benefits
– Cost and time reduction thanks to integration and automation into business processes
– Additional revenue streams through flexible licensing models
– New customers and new markets

Support for CmDongles and CmActLicenses

Page 24

Wibu-Systems CodeMeter License Central: Process Integration

Integration in ERP, CRM, e-shop and customers’ portals

Diagram (Manufacturer – Cloud – User), numbered flow:
1. SKU
2. Ticket
3. Ticket: ABCDE-FGHIJ-KLMNO-PQRST-UVWXY
4. Ticket / Fingerprint
5. Update file (License)

Page 25

Where to Buy

VxWorks Security Profile is distributed by Wind River

License Central, CmDongles and CmActLicenses are distributed by Wibu-Systems

Page 26

More Information

Toll-free: 800-545-WIND (800-545-9463)

Toll-free (EMEA): +00-800-4988-4988

www.vxworks.com

Wibu-Systems

Germany: +49-721-93172-0

USA: +1-425-775-6900

China: +86-21-5566-1790

www.wibu.com

Page 27