Protecting routers and other network equipment
April 11, 2018
Trusted Computing Group has developed a guidance document for networked equipment security. For example, how a TPM can establish device ID with private keys stored inside the tamper-resistant TPM.
While attacks and threats on PCs and servers have been well documented and addressed by a variety of solutions for many years, only recently have vulnerabilities of other parts of Internet of Things (IoT) systems been recognized – and exploited.
Protecting IoT devices, routers, and other networked systems against compromise is a serious challenge for service providers, enterprises, consumers, and others. Historically, attacks have been very difficult to mitigate. Fortunately, significant improvements are now being made.
The hacks just keep coming
Before considering the latest news, let’s look at the last two years:
- 2016 – The Mirai malware targeted online consumer devices, including home routers and IP cameras running Linux, and converted them into remotely-controlled bots as part of a botnet. This botnet was used to mount distributed denial of service (DDoS) attacks of record-breaking proportion. Popular services like Netflix and Twitter were affected.
- 2017 – Wikileaks revealed the details of CherryBlossom, a remotely-controllable, firmware-based implant for wireless networking devices. Using a man-in-the-middle (MITM) approach, the malware exploits router and other wireless access point (AP) vulnerabilities to gain unauthorized entry. It then replaces existing firmware with hacker-installed CherryBlossom firmware to monitor, control, and manipulate the Internet traffic of connected users.
The impact of these attacks is substantial, not only for those whose devices are hacked, but for the targets of DDoS attacks and device manufacturers whose reputation may be tainted, as well.
Addressing the issue
Adding to its extensive list of standards designed to protect computing and other network elements, the Trusted Computing Group (TCG) has developed a new guidance document that specifically addresses the security of connected equipment. In this and other TCG efforts, TCG’s Trusted Platform Module (TPM) provides a hardware-based foundation for security improvements. For example, the TPM can establish device identity using a difficult-to-steal private key stored inside the tamper-resistant TPM.
This cryptographic device identity has several applications in networking equipment, including:
- Access control
- OEM device identity and counterfeit protection
- Secure autoconfiguration
- Remote device management
Network security now
By applying the processes explained in “TCG Guidance for Securing Network Equipment,” developed by TCG experts, network equipment suppliers have begun to demonstrate how common weaknesses in network equipment can be prevented. TCG members have recently demonstrated products showing how the TPM can be used to ensure that router configuration cannot be modified without detection.
The network equipment security problem has key attributes that should put it at or near the top of the list of enterprise issues that must be addressed. It is compelling, relatable, relevant, extremely timely, and increasingly preventable. With the Trusted Computing Group’s network equipment specification, products have been introduced that demonstrate a best practice use of TPMs in securing network equipment. Routers, firewalls, and other network equipment are starting to implement this guidance to resist increasingly sophisticated attacks and provide the security that all enterprises deserve.
More information on the network equipment specifications is found at trustedcomputinggroup.org/work-groups/network-equipment.
Steve Hanna is Chair of the Embedded Systems Working Group at the Trusted Computing Group, and Senior Principal at Infineon Technologies.
Trusted Computing Group