If you produce or are developing a connected product and you have not performed a security risk assessment, then you may be at risk of:
- Brand damage
- Legal liability
- Financial damage
- Being unable to sell your product into certain countries or regions
Legislation is increasingly being applied to the security and privacy of connected products, and getting it wrong could result in significant damage to your company. Although security and privacy are not the same thing, poor security can also result in privacy issues.
How we can help
We can help you by:
- Auditing your products or pre-production product designs for security risks - saving expensive respins, liabilities or even expensive product recalls
- Developing security hardware, software and communications
- Testing your products for security flaws against real-world attack tools and methods
We ensure that your security is at the right level for your product and market area and make sure that you comply with all the relevant security regulations. We work with your engineers to ensure that they develop the skills required to be able to maintain and improve the security of your products.
Security auditing
To get you started, we have a Connected Product Security Audit that will perform a top-level review of your product security to identify potential problems.
We can provide expert advice right from the start of a project on:
- Hardware (including electronic component selection and PCB layout)
- Software
- Communications and networks
We can then perform follow-on work, such as a detailed Security Vulnerability Risk Assessment customised for your particular product and market, if required.
Components in your product may require a more specialised approach and we are capable of reviewing:
- Silicon designs (to the RTL level)
- Hardware (e.g. board designs, processor selection)
- Firmware / software (including high-assurance software with reverse engineering, side channel and fault attack countermeasures)
- Communications (including use of wireless networks such as BLE, WiFi, 5G, NB-IoT, LoRa, etc.)
- Cryptography and key storage and management (including side channel and fault attack countermeasures)
Depending on the product and market area, we can review compliance with security and privacy standards and prospective standards such as:
- EU ETSI EN 303 645 consumer IoT security standard
- EU Medical Device Regulation 2017/745 (MDR) / in vitro Diagnostic Medical Device Regulations 2017/746 (IVDR)
- US Internet of Things Cybersecurity Improvement Act of 2020
- US California Information privacy: connected devices SB-327
- US Oregon Bill 2395
- ISO/SAE 21434 Automotive Cybersecurity (Under development)
- UK Consumer IoT Security law (Proposed)
- EU General Data Protection Regulation (GDPR)
and with common security guidelines such as those issued by the IoT Security Foundation.
Security testing
We can test your product for vulnerability to real-world security attacks including advanced attacks such as interface intrusion (e.g. network, USB, PCI), fault attacks (e.g. power-supply glitching) or side-channel attacks (power or EM). We can also perform industry-standard ISO/IEC 17825:2016 Test Vector Leakage Assessments and enhanced leakage testing (please see this paper for why the ISO standard is inadequate).
We have access to both low-cost attack hardware and tools that can easily be bought by anyone from the internet, all the way up to expensive professional security attack tools that could only be obtained by a well-funded and organised attacker.
We also develop our own attack hardware and tools, trying wherever possible to keep these low cost but based on the latest research to try and predict what the next generation of hacks will be.