For more than 20 years Riscure has been helping chip and device vendors to improve the security of their products. We have observed the ever-changing security landscape, adjusted to the evolving attacker profile, witnessed and reacted to the appearance of well-organized adversaries. Although we have noticed the increase in security awareness, we also see that some security mistakes are still common to this day, repeated over and over in a variety of projects. For this whitepaper, we gathered the knowledge of Riscure’s security experts to advice on the five most common security errors. Below you can find the highlights. The full document with industry-specific details and mitigations is available after registration via the form below.
Know your product
One of the best-known principles followed by developers refers to the goal of ensuring the security of all elements as well as the connection between them. However, this principle is often not followed due to various reasons. These reasons could be lack of resources, risk bias, and lack of knowledge.
Moreover, the integrations between different parts of the system are often overlooked during development. These integrations include integrations between hardware elements, software elements, and hardware and software.
Know your enemy (and trust nobody)
Another mistake often noted by Riscure experts is the trust in third parties. It is often assumed that the only attacker is the stand-alone person with malicious intent. However, the truth is that organizations that initially deserve our trust can intentionally or unintentionally break it, leading to negative consequences for everyone involved. Some of such companies include OEMs, CAS and DRM providers, TEE elements, and even companies’ employees.
Know your secrets (manage your keys and certificates)
Although everyone knows the power of secrets, like passwords, keys, and certificates, it is still often undermined and leads to negative consequences to security. For example, one of the most common mistakes concerning passwords is sharing keys/passwords between multiple people or devices. Moreover, other mistakes can be having a poor or exposed key derivation algorithm or poor random key generation.
Know your crypto
While it is very well known that cryptography is a major resource of device secrets’ safety, often not enough attention is given to its implementation and usage. There is a wide range of errors that we see during cryptography implementation and usage, which include overconfidence in the algorithms name, use of custom-made cryptography, and incorrect use of standard crypto.
Know the attacks and protections
Over the last 20 years, Riscure’s security analysts have seen every kind of embedded system, device, and chip imaginable. We have seen vulnerabilities ranging from simple mistakes to uncovering major new issues. Ultimately, the root problem for each of these issues is often the lack of knowledge or information. In the full document, we present the most common issues mentioned above in full detail and offer recommendations that can help mitigate these issues. Although the collected issues and recommendations are focused on the chip and embedded systems market, most of them are applicable to any other industry.
Download the whitepaper by completing the form below
Do you want to learn how Riscure can help you advance your security knowledge and skills? Check out our Riscure Academy page or contact us at inforequest@riscure.com.