
4 posts from December 2013

12/19/2013

Target’s Data Breach: A Wake Up Call For Retail POS Systems Vendors and Customers

By now, everyone has seen the news that Target Stores suffered a massive credit and debit card data breach, as acknowledged by the retailer. The company says that more than 40 million card accounts may have been affected through card swipes at its brick-and-mortar stores between November 27 and December 15. [Target later revised the number of affected customers upward to 110 million.]

In a letter posted today to its customers, Target says that, “information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).” Target hasn't stated whether the CVV data is CVV1 (which is stored on the magnetic stripe) or CVV2 (which is printed on the physical card). Some have speculated that the data (with CVV1) may have been intercepted in transit between the card swipe readers and the point-of-sale (POS) terminals, at which point it may not have been encrypted.
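As an added illustration that is not part of the original post and says nothing about Target's actual configuration, the check below scans a constructed capture of a reader-to-POS link for Luhn-valid Track 2 strings in the clear, which is how a retailer would confirm that swipe data, including the stripe-only CVV1, is encrypted before it leaves the reader. The sample capture, reader names and PANs are constructed test values.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
# The discretionary field is where issuers place the CVV1/CVC1 that exists only
# on the stripe, which is why cleartext Track 2 in transit matters.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_track2(capture: bytes) -> list:
    """Return one record per Luhn-valid Track 2 string found in cleartext."""
    text = capture.decode("ascii", errors="ignore")
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue
        hits.append({
            "pan_masked": mask_pan(pan),
            "expiry_yymm": m.group("exp"),
            "service_code": m.group("svc"),
            "has_discretionary": bool(m.group("disc")),
        })
    return hits

# Constructed sample of a reader-to-POS link capture (not real data; the PANs
# are the public Visa test number and an invalid filler). Line 1 mimics an
# encrypting reader, line 2 a reader sending the stripe in the clear.
SAMPLE_CAPTURE = (
    b"READER01 ENC 9f2a3c6e77b1d044a0\n"
    b"READER02 ;4111111111111111=15121011234567890123?\n"
    b"READER03 ;1234567890123456=1512101?\n"
)

if __name__ == "__main__":
    for hit in find_cleartext_track2(SAMPLE_CAPTURE):
        print("cleartext Track 2 detected:", hit)
```

A clean result on a real capture is only meaningful if the reader is known to encrypt at the swipe head; an empty list from a capture taken after decryption proves nothing.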

In VDC’s opinion, it is far too early to conduct a post-mortem on what went wrong and who’s to blame. It is not too early, however, to raise the alarm about the possibility of future breaches of this type. VDC estimates that worldwide POS device shipments in 2012 totaled 1.9 million units of terminals/workstations and 11.6 million units of transaction card readers (including magnetic stripe and contactless chip-and-pin). With a market that size, the retailer with the bull’s-eye logo surely won’t be the last target of POS hackers.

In addition, millions more small sled-type card readers are being sold for direct attachment to mobile phones and tablets, which presents another security risk. The mobile devices to which those card readers attach have even less controlled security than dedicated POS terminals.

This Target breach will spark an immediate wave of retailers and POS systems vendors reevaluating their security protocols on every level. In the short term, this event likely will stall some of the business deals in process for the retail embedded systems vendors, while customers and vendors pay extra attention to credit card security, such as compliance with the PCI Data Security Standards, before proceeding further. In the long term, it will make clear the need for more end-to-end security in retail systems, and ultimately boost the business for many vendors in the embedded security ecosystem. Vendors will raise the profile of credit card security in their product offerings and their marketing. And retailers will increase their engagement with independent security consultants and/or vendor security services to protect their consumers’ data from compromise.

By Steve Hoffenberg, Director M2M Embedded Software & Tools, with Richa Gupta, Senior Analyst AutoID & Data Capture

12/12/2013

Cross-domain integration: the new look of engineering

The benefits of enhanced integration and collaboration between different engineering disciplines are undeniable. A cross-domain integration approach is becoming more important and beneficial as products become more complex. To ensure that products function properly, it is imperative that developers understand how the software, electrical, and mechanical components work together. Using cross-domain integration, product developers are more efficient while also addressing the concerns of both managers and end users, helping ensure that the product is the best it can be.

In VDC’s 2013 Software and System Development Survey, 45% of the respondents indicate the biggest advantage of cross-domain integration is an improved overall design, followed by improvement in the overall product management at 38%. Increased communication and collaboration among different engineering disciplines leads to organizations better connecting the separate silos of knowledge from each domain. This leads to better coordination of the software, electrical, and mechanical components, as well as a greater awareness of the impact changes in one domain will have in another. As a result, organizations are able to see improved product quality and less product failure. Another main advantage is improved traceability (35%), which is becoming more prominent as the number of process standards increases in industries such as automotive and medical.

Despite the benefits and increasing use of cross-domain integration, universal adoption is not right around the corner. Overcoming companies’ current organizational structures is extremely challenging. Many organizations have been working in separated engineering teams for years, with each team having formed distinct policies and procedures. However, the possibility of greater engineering synergies and improved product quality is enough for most organizations to realize the potential of cross-domain integration.

By Sarah Foreman

Research Assistant, M2M & Embedded Technology

12/10/2013

The AllJoyn Protocol: Does Its Openness Compromise Security?

On December 10, the Linux Foundation announced the formation of the AllSeen Alliance, an industry consortium that seeks to expand the Internet of Things in home and industry. Premier members include: Haier, LG Electronics, Panasonic, Qualcomm, Sharp, Silicon Image and TP-LINK, with more than a dozen additional community member companies.

The members plan to adopt an open-source peer-to-peer communications framework called AllJoyn, originally developed by Qualcomm Innovation Center and launched back in 2011. Qualcomm has now contributed AllJoyn to the Alliance. AllJoyn is hardware agnostic and can run on multiple popular OSs including Linux, Android, iOS, and various Windows desktop and embedded versions (despite the Alliance being announced by the Linux Foundation). You can find technical details of AllJoyn at www.alljoyn.org, so we won’t describe the protocol at length here.

AllJoyn enables devices to interact at the app-to-app level. The protocol handles much of the communication over ad hoc proximity networks, such as Bluetooth and Wi-Fi, with the ability to mix and match devices with different communications protocols, so that apps don’t have to deal with the lower level functions. Qualcomm’s early emphasis was to enable multi-player gaming across a variety of unlike devices, but the AllSeen Alliance seeks to foster adoption across a much broader range of devices in “the Internet of Everything.”

AllJoyn facilitates authentication and encrypted data transactions between devices. But how will AllJoyn prevent unintended devices from joining a group of devices given that the protocol was designed to make device discovery and connectivity as easy as possible?

In the case of Wi-Fi, assuming that the network is set up with proper Wi-Fi Protected Access (WPA), AllJoyn doesn’t make it any easier to gain access to the network without the security key, particularly if the network is set up to allow only whitelisted devices. For Bluetooth, a hacker within range (about 10 meters) conceivably could spoof the identity of a known device, to trick a user into accepting it into the network. In conventional Bluetooth communications, once devices are paired and connected, they could have free rein over numerous applications on each other. With AllJoyn, the protocol can be used to limit which apps can talk to each other on which device. In that sense, AllJoyn should actually increase the security of Bluetooth devices. When combined with encrypted communications, no security holes are obvious (although it’s best to assume that hackers will discover some).

In addition, AllJoyn devices are able to communicate with each other in the absence of any Internet connection, which in certain scenarios will eliminate entire realms of security risk.

VDC expects that the AllSeen Alliance will succeed in gaining acceptance of AllJoyn for consumer electronics and home control applications. But the very names AllSeen and AllJoyn imply a degree of openness that won’t inspire confidence among industrial and critical infrastructure users. The convenience advantages of AllJoyn probably won’t outweigh security concerns for those users.

Secure Your Software Supply Chain

The rapid growth in software-driven content for embedded devices is not new - nor is the recognition that connectivity and the Internet of Things are fundamentally changing the ways that OEMs deliver value to end clients.

The ways in which OEMs are responding to these new content and feature creation requirements, however, are adding new layers of complexity to the SDLC - and new vulnerabilities to their products. While many engineering organizations are scaling internal software development efforts and receiving an increasing percentage of their code bases from third-party sources, they are often not placing proportional investments into their security and quality assurance processes and tools.

[Figure: Code Sources]

While there is no silver bullet to eliminate code defects and vulnerabilities, the best practices to develop high-integrity software are no secret either. Solutions like static analysis tools and premium requirements and variant management tools can help OEMs limit the introduction of some defects and identify many others in advance of product deployment. In an industry where connectivity and security risks are increasing dramatically with each product generation, engineering organizations must recalibrate their risk assessment calculus and prioritize software defect and security vulnerability mitigation.

Tomorrow, Wednesday December 11th, I will be digging more into these trends and challenges facing our industry during a webcast at 2pm ET, sponsored by Klocwork.


Register here: http://bit.ly/1hZoaGs