Iftah Bratspiess, CEO of Sepio Systems, on Hardware Security

November 22, 2019

Story

Iftah Bratspiess, CEO of Sepio Systems, on Hardware Security

Once upon a time, making electronics secure involved physically bolting a computer to a table, or locking it in a room.

Security is a critical issue today. Once upon a time, making electronics secure involved physically bolting a computer to a table, or locking it in a room. Real access security started as an information science, involving encryption, authentication, and such. It is now migrating to a combined hardware/software solution, but the systems and processes are still in development. We recently reached out to Iftah Bratspiess, CEO of Sepio Systems, and asked his take on the matter.

ECD: How do you see the current situation in the market for security?

Iftah: I would say there is a fake or false belief that the foundations of the hardware layer itself is secured by nature. Meaning that if you are able to correctly encrypt your data, for example, you're totally secured, which is not exactly the case these days. If you're building something on top of a foundation, or on top of layers, which are insecure by nature or by design, your total solution is not secured. It's getting not only everywhere in terms of applications and in domain, but it's also getting closer and closer to the world of physical devices and other devices.

ECD: Would say that it would be analogous to making sure that you've got to really secure vault door, and that the combination is only known to a very few people. And then the burglars break in through the roof.

Iftah: I think that's not a bad analogy, and yes, that's absolutely the case. Because you can build something, which is very secured by the points it secures or it is designed to be, but at the same time all the other directions are entirely open. So, I think that's a very good analogy.

ECD: Thank you. So you can have phenomenal software, but if the hardware is a fallible, then anyone can sneak in through the back door.

Iftah: That's correct. And even software is not one monolithic bunch like it used to be. By education and by experience, professional experience, I'm originally a hardware developer, board level developer. And then I did a lot of embedded software development and design. So, in the old days the software was just one bulk, one piece of software, which was running on your usually dedicated hardware and doing the purposive tasks. 

But these days, even the software itself is layered on and built of so many independent pieces and libraries and operating return, operating systems and other software modules that even if you develop theoretically your own application code, still a lot of software is running as part of your product or as part of your design without you really knowing what's inside that. And that very naturally can contain lots of vulnerabilities. And on top of that, of course comes the layer of hardware.

ECD: Can you give us an example of an application where you've got those levels of risk at multiple points?

Iftah: Yes. Let's take for example a simple office or enterprise printer. Let's just dive in the time tunnel and jump back some 20 years ago. A printer was mostly electromechanical device, with all the drivers and ink processing and there was a very simple port in most cases, the long known LPT port, which was mostly bit-banging the characters or the pictures or whatever.

And that was about it. So, the guy developing the software part of the printer, had a good understanding and a good visibility from the time the guy at the PC sends something to print, and until the time the ink dries on the page. Now, if you look at printers these days, every printer is connected to a network. At least one network, but in most cases it will also have an internet spot. It will also have WIFi or Bluetooth or other wireless interfaces. And that's just to begin with. Then there is a layer of very complex drivers and there is the layer of maintenance, that the printer can call home to the suppliers to say, "Well I need more ink."

Developing a printer now is now about the system, network protocols, remote access, and of course with the complexity of the software, it became necessary to integrate a software upgrade mechanism that is embedded in the printer itself. So not only it could have many vulnerabilities, it also allows a threat actor or the bad guy as we call it, to upgrade the firmware of the printer to do bad things other than printing. 

So, logging everything that you're printing, or even as it is connected to the network, even attacking your PCs or attacking your networking infrastructure from within the printer. Now, most chances are the guy that's the expert of the printer design are not experts at networking, are not experts at securing a boot loader and are not experts on networking protocols. That brings the mood of risks and vulnerabilities, which face the end user.

ECD: In fact, speaking of peripherals, there was a famous case of a casino that was broken into because they managed to get through the smart thermostat in an aquarium. I know that sounds a little oxymoronic but there are cases where the hardware is a soft point in the system.

Iftah: Naturally, the hardware guys and the embedded guys and the low level guys are very good at what they do. But they lack the experience and even the mindset of security professionals. So when they build and design the software or the hardware, they don't think security from the ground up. They think functionality. What should my product do? What should the specs be? They hardly think and integrate and take into consideration security restricts, security considerations. 

The other thing is that, the bad guys are not only looking for a box or as you say, open doors or windows in devices that exist. They, in many cases will mimic or spoof to be a legitimate device, which is very simple because let's say, for example, someone is using an innocent and real keyboard, computer keyboard from Dell or from Lenovo, from HP, or from whichever. Anyone today could very simply bring a very small microcontroller with USB port and then spoof or mimic itself to be just another keyboard. So he can actually type or emulate keystrokes if this user is doing things. 

But in reality, this is a piece of software running on hardware, which is being abused or used to attack or to hit or infect the organizations. Everything is really simple these days with all the improvements, and the way that it's easier these days to develop embedded software, or developed and embedded product because there are lots of building blocks, at the very same time it's much easier now for attackers to do things.

ECD: So what are some of the things you can do to mitigate attacks of that nature?

Iftah: Basically there are two facets to that. The first is, to be aware and scan and analyze and know about vulnerabilities either in complete end product, or in the components that are used to build the end product. This is one thing. The other thing, which is very unique and interesting and we're experts on is, our ability to build a list of, or a database of physical fingerprints. Now, every device these days has a logical footprint in the network. So if you take a surveillance camera, if you take a printer, if you take a credit card reader, every device has its own logical footprint in the network. It has a Mac address, it has the Bluetooth address, it has an iPad if it's connected to the network and so on and so forth.

But at the same time everything has its own physical fingerprint. It's an analogy to a fingerprint of the human being. If for example, you're using a Dell laptop, when it's connected to the network, other than the Mac address of Dell and the IP address that was assigned to this device, it has a physical behavior, timing characteristics, impudence, voltages, the way it negotiates the communication and establishes the link. 

So there is a lot of variation in the physical behavior, not to the packets that run on the wire, but on the way this is built. So if someone is trying to mimic or spoof or impersonate himself, let's say that an attacker is getting into your office, he knows you have an HP printer, he will configure in the program, his laptop to act or to impersonate as this legitimate HP printer.

So, had there not been any fingerprints for devices, no one is ever able to catch that, because he will act exactly the very same way the printer does. But if you take it into consideration, the physical fingerprints and as we know and expect a certain model of a certain vendor to have a certain physical fingerprint and you'll see based on anomaly detection and list of databases and we're seeing a mismatch or an anomaly that the physical fingerprint does not suit or comply with the logic of fingerprints we're seeing. This allows us to know that this is a spoofing attack. Someone is trying to act as easy as someone legitimate at the time he is not.

ECD: Got it. So now, put this into perspective as it applies to Sepio Systems, where do you place your value in that defense chain to benefit the customer?

Iftah: Sepio mostly addresses the financial sector, but we do have some telecom customers and critical infrastructure customers. Everyone that wants or needs to make sure he does not have any alien or ghost devices in the network, is coming to Sepio to benefit from our rogue device mitigation technology. 

We are running completely transparent and independent to the network, we never ask you to change anything in the way you deploy your network. We never ask you to reconfigure anything. We're just sitting in parallel to your entire infrastructure. And we're continuously collecting and analyzing all the physical and logic fingerprints in your environment.

When we say devices, as in rogue devices, it could be PC peripherals, your keyboard, your mouse, your printer, your barcode scanner, everything that is connected to a PC or if you know, a PC is not always a PC that belongs to an employee, sometimes it's an ATM, which is based on the PC. So every peripheral device that is connected to these PCs, is monitored by Sepio. At the same time, every device that is attached to a network port, is also monitored and classified and profiled by us. 

We provide the security teams of those organizations early indication that they have either vulnerable devices in the network they should control or mitigate, or if they have devices that are rogue by nature, meaning that someone just stepped in and edited something, replaced something, shipped something, connected something to your infrastructure, and from that point on, someone external and unknown has continuous access or foothold in your infrastructure. 

Because we are based on anomaly detection, the more installations we have, the larger our database of devices and fingerprints is. So we're getting more and more accurate or precise in our detection as we grow. Whenever we detect something that is beyond or outside the approved policy, or defined policy, we immediately block it. 

ECD: It’s been good to talk to you. Before I let you go though, do you have a final comment for our audience? Do you have any tips or something about yourself? 

Iftah: Yeah. I have two things I could say. The first is from my long years of perspective in the industry starting from a developer, then manager, then entrepreneur. I can say stick to your passion, try to do and work in things you like and enjoy and you're passionate about. This makes chances much, much higher of being successful. This is about the personal angle of things. 

The other thing is about people trying or wanting their environmental infrastructure to be as secure as possible, is that, you should think security from the first moment. From the first block diagram, you should think security, and if you're a user or administrator, you should trust nothing. You should build a layered infrastructure, a layered set of security solutions, that together will allow you to have good visibility for the asset you're having. And then what is the policy that you define? What you allow, what you disallow, and then enforce that policy. Unless you know the assets you have, and unless you have a strict policy that you enforce, you're never secure.