IoT security companies take on device discovery, authentication

#News(Security) [ via IoTForIndiaGroup ]

Pwnie Express’ software-as-a-service device detection platform, Pulse, provides enterprises with a complete picture of networked devices, said Dimitri Vlachos, Pwnie’s vice president of marketing.
“We allow you to come in and discover every device that is on your network and your airspace; we look in wireless, we look in Bluetooth, we look in cellular,” he said. “We’re able to see all the devices that are on your network or in your environment and have the potential to interact with your network.”
Pwnie continually tracks all the devices, scanning them to see if they have vulnerabilities, according to Vlachos. Then the company’s threat detection analytics determine whether there are connections that shouldn’t be happening between trusted devices and non-trusted devices.

IoT security companies take on IoT authentication
Where Pwnie specializes in device discovery, Pescatore said, other IoT security companies, such as Rubicon Labs Inc. and Device Authority Ltd., focus on an identification and authentication approach to internet of things security.
“The strategy of Device Authority and Rubicon Labs is more focused on making sure things aren’t vulnerable, and the authentication side of things to make sure that the only things that connect to you are ones you’ve authorized,” he said.
Pescatore admitted this is a tougher task than the discovery part.
San Francisco-based Rubicon Labs offers a cloud-based key provisioning and key protection platform for securing IoT devices and the data they generate. Its approach relies on a system of provisioning a “vault” in device memory. The key used to secure this vault is the result of a one-way hash such that the key never appears in memory. The keys are thus effectively “invisible” while still protecting secrets for authorized users. The use of these “zero-knowledge keys” is thus unseen by senders, receivers and hackers alike, according to the company.
“The company has developed a novel way to use cryptography to strongly authenticate IoT devices and encrypt the data they generate, all within the bounds of the technical limitations of most IoT devices,” read a report by 451 Research.
Rubicon Labs allows each device to be uniquely identified and authorized, down to the smallest microcontroller, so no other device can get on a company’s network claiming to be that device, said Rod Schultz, vice president of product at Rubicon Labs, adding one of the use cases for Rubicon Labs’ technology is in healthcare.

Other IoT security companies have other methods for IoT authentication. London-based Device Authority’s KeyScaler platform lets customers securely register, provision and update their devices through active, policy-based security controls designed to protect IoT applications and services.
The KeyScaler platform includes the ability to create dynamic keys on the fly without having to store the keys anywhere, said Robert Dobson, director of presales at Device Authority.
“That’s quite a powerful thing,” he said. “You’re not storing any keys; you’re basically reducing your attack surface. You’re trying to narrow down the possibility that someone will get access to your data. What it means is that we can generate keys dynamically on the device. And it’s a session-based key. So for the duration of the session, we have a unique key and as soon as the session is torn down and you want to build up another session, you generate another key.”
Device Authority is looking at securing the internet of things from a holistic point of view and trying to secure data all the way from the endpoint to the cloud where it is consumed, Dobson said.
“What’s also key is how you onboard your devices securely to your back-office server platform so you know that the device that’s connected to the platform is what it says it is and somebody hasn’t spoofed the device and is trying do some damage to your system,” he said.

Read More..