On April 8th, Apple Inc. announced its decision to expand the iPhone’s NFC chip reading capabilities before the end of 2019. Eurosmart welcomes this new functionality, which can enable the reading of secure data stored in security chips such as the ones used in passports. This decision will definitely support the deployment of the electronic Passport and contributes to the creation of secure digital identities, including biometric data and their potential derivatives.
For more than 25 years, Europe has been leading the way in innovative solutions and the deployment of secure electronic communication, contactless interfaces (e.g. NFC), GSM products such as SIM cards, Smart Cards for a broad range of applications, Secure Elements and Secure Hardware, e.g. for embedded security and secure infrastructure. Apple remains one of the stable users of all these technologies and products that have contributed to enhanced trust for both governments and citizens.
Electronic Passports, contactless electronic ID cards and residence permit cards are now deployed in more than 130 states around the globe and are the “root of trust” for digital identity. By enabling the reading of official documents on any device, such as Android and now iOS, the private sector will be able to benefit from this “root of trust” for strong end user identification and authentication as well as for creating trusted digital companions, and thus rely on enhanced data reliability and increased confidence in digital transactions for their own usage.
Eurosmart and its members are at the leading edge of these European technologies by developing and providing even more secure digital identity solutions. The recent European Commission’s proposal to include secure NFC technologies to store data into all the European Citizen’s national identity documents is contributing to the general trend to enhance secure Digital Identities and is contributing to the success of eIDAS regulation for the highest level.
Digital transformation, increased mobility, privacy and convenience are key pillars of the future society, now supported by Apple's decision.
Eurosmart, the Voice of the Digital Security Industry, is an international non-profit association located in Brussels, representing the Digital Security Industry for multisector applications. Founded in 1995, the association is committed to expanding the world’s Digital secure devices market, developing smart security standards and continuously improving the quality of security applications.
Members are manufacturers of secure element, semiconductors, smart cards, secure software, High Security Hardware and terminals, biometric technology providers, system integrators, application developers and issuers.
EUROSMART members are companies (BCA, Fingerprint Cards, Gemalto, Giesecke+Devrient, GS TAG, IDEMIA, IN GROUPE, Infineon Technologies, Inside Secure, Internet of Trust, Linxens, Nedcard, NXP Semiconductors, +ID, Real Casa de la Moneda, Samsung, Sanoïa, STMicroelectronics, Toshiba, Trusted Objects, WISekey, Winbond), testing, inspection and certification (TIC) companies (SGS, Bureau Veritas, Trust CB), laboratories (Brightsight, Cabinet Louis Reynaud, CEA-LETI, Keolabs, SERMA), research organisations (Fraunhofer AISEC, ISEN), associations (SCS Innovation cluster, Smart Payment Association, Mobismart, Danish Biometrics).
EUROSMART and its members are also active in many other security initiatives and umbrella organisations on EU-level, like CEN, ECIL, ETSI, ECSO, ESIA, ETSI, GP, ISO, SIA, TCG and others.
Eurosmart – the voice of the Digital Security – welcomes the adoption of the Cybersecurity Act by the Council of the European Union on the 9th of April 2019. On this occasion Eurosmart warmly commends the courageous proposal from the European Commission (DG CONNECT) as well as the in-depth involvement of both co-legislators.
Eurosmart is convinced that the permanent mandate given to the EU Agency for Cybersecurity (ENISA) will be of benefit to the necessary increased EU-wide cooperation amongst the national cybersecurity agencies to identify, prevent and tackle cyber-attacks and threats.
Over the last 15 years ENISA has been demonstrating its relevance as a center of excellence in Cybersecurity by strengthening the cyber-resilience of the European continent.
The new shape of the agency will be able to better support and reinforce the work of the EU’s national security agencies by enabling enhanced European cybersecurity capacity. The setting-up of the European Cybersecurity Certification framework is also a great breakthrough for security and privacy by design principles for ICT products, services and processes.
“On the occasion of the new ENISA’s mandate, we want to reiterate our message to all the community: Cybersecurity is above all a matter of human know-how, we have created in Europe a unique knowledge on hardware and software pentesting that makes ICT products resistant to potential attacks,” explained Stefane Mouille, President of Eurosmart. “The increasing and never ending stream of cyber-attacks that Europe has been experiencing over the last 20 years, demonstrates the need to pool the European knowledge in Cybersecurity and increase the capacities of the European response. This is a real question of digital sovereignty.”
Eurosmart particularly appreciates the recent European initiatives to boost its cybersecurity industry in order to compete on global security market.
The Cybersecurity Act sets up a Cybersecurity certification framework for ICT products, services and processes; such an initiative will definitely contribute to the completion of the European Digital Market for Cybersecurity. At the same time, this framework shall enhance European Cybersecurity competitiveness by fully exploiting its assets and unique know-how, such as penetration testing while evaluating critical products. Eurosmart and its members pay particular attention to the level of resistance to potential attacks for products placed on the European Market. The European cybersecurity framework is a unique tool to promote the European values in terms of data privacy, security by design and security by default for all digital goods.
“Digital is like gravity, it's everywhere in our life,” said Stefane Mouille. “Interconnection of devices, networks and infrastructures is a real benefit for our societies, social life and economy but widens at the same time the surface for potential attacks. From malicious script kiddies to criminal and terrorist organisations, a wide range of new threats are emerging with the IoT deployment and the future 5G decentralised infrastructures. The European Digital market and our interconnected infrastructures shall be well prepared and become even more resilient by using European certified ICT products, services and processes”.
By referring to future trustworthy European cybersecurity certification schemes in its future legislation, the European Union could impose a certain level of security alongside current safety requirements, and thus address sectorial cybersecurity issues to the benefit of European citizens.
Eurosmart holds a long track record in promoting Cybersecurity Certification methodologies through a 24-year-old sound collaboration with SOGIS (Senior Official Group Information System Security) that set out a mutual recognition of security certificates for the highest levels. Operating two of the SOGIS technical working groups, on Hardware attacks and Evaluation methodology, Eurosmart welcomes the fact that the Commission and the Member States have been working on the transposal of these unique assets to the European level through a dedicated European certification scheme. Eurosmart, as a pool of digital security experts, remains committed to the technical achievement of an ambitious European Cybersecurity Certification Framework which could become a world-wide reference in terms of reliability, and at the same time promote the European values.
On the 19th of February ETSI’s TC Cyber issued a new technical specification entitled “Cyber Security for Consumer Internet of Things”. Eurosmart welcomes this publication that makes provisions for an increase in the security level of connected consumer devices, network infrastructure, home network and associated services.
This new TC Cyber technical specification intends to tackle a wide range of IoT devices, such as connected children’s toys, wearable health trackers, smart home appliances and smart home assistants, which all deserve high security standards to ensure a high level of security, data protection and privacy to the consumer.
Eurosmart supports the valuable work of the European Standardisation organisations (ESOs) in the development of qualitative European standards. These European standards are in the best position to ensure Europe’s digital autonomy and to raise consumers’ confidence in the Digital Single Market.
This approach shall foster the upcoming development of European cybersecurity certificates. As stated by the European Commission in its communication on 13th September 2017: a key aspect is the lack of cybersecurity certification schemes recognized across the EU to build higher standards of resilience into products and to underpin EU-wide market confidence.
The development of European standards by ESOs will help both the European legislator and manufacturers to improve the tamper resistance of connected devices and the protection of users’ data and privacy. Eurosmart strongly encourages the European regulatory and standardisation trend, which helps people trust the devices they use every day because they can choose between products that are cyber secure.
The new technical specification from the TC Cyber provides common-sense guidance for the development of connected devices.
Eurosmart considers the technical specification’s requirements from the TC Cyber as a summary of good practices for IoT devices’ security hygiene. These requirements may perfectly be used to perform Corporate Binding Rules.
Moreover, the new technical specification is a good first step to avoid the basic security mistakes which could be made by IoT manufacturers. The provisions laid down in the technical specification set out far-sighted recommendations.
However, these introductory recommendations aim to make systems resilient to outages but cannot be considered a comprehensive security approach. Interactions of the device and its environment (network and infrastructure) are regrettably missing. Moreover, borders between critical infrastructures and consumers' personal networks are more and more blurred. This is particularly true for the smart home environment, where a smart appliance can connect to a network operator (phone, TV, Web etc.) which is considered critical infrastructure in Europe. When it comes to wearable health trackers, they can be connected to hospital infrastructures that fall under the NIS directive.
A reference architecture of the smart home, the identification of possible risks in this architecture and the definition of minimum IT-security functions of connected devices in smart homes are key pillars to sustain “security by design” for the producers of connected smart home devices. These building blocks are needed to protect more than 500 million consumers in the EEA in the future.
· As regards the privacy of personal data, nothing is said about the way consumers should be informed about the manner in which their personal data are processed. Such a technical specification would have benefited from a more consistent approach with GDPR requirements. When it comes to the removal of personal data, the technical specification foresees a simple recommendation and targets data stored in the device; nothing is specified for data or meta-data that could embed personal information and which could have been processed by a service outside the device. As a complement to the first technical specification, Eurosmart encourages a more comprehensive approach including clear mandatory requirements.
· Vulnerability reports and software updates are an entry point to ensure basic secure IoT; however, the standard makes only simple recommendations that vulnerabilities be acted on in a “timely manner” and that coordinated vulnerability disclosure should be implemented.
· End-to-End encryption for communication and anonymisation of personal (privacy) and telemetry data should be mandatory principles. The new technical specification should enhance the recommendations of the GDPR and ePrivacy Directive. All these principles are only optional but are the only way to guarantee a suitable data protection for the users.
· Software and Hardware resistance to potential attacks is missing. The technical specification points out optional provisions to minimize the exposed attack surface for software only. Eurosmart has been advocating for years to identify the vulnerability for hardware and software. Penetration testing is key to limit risks and narrow exposures to potential attacks.
Eurosmart and its members believe that such an initiative, along with the digital transformation and the cybersecurity topics in the European Economic Area (EEA) (i.e. NISD, eIDAS, CSA, PSD-2 etc.), requires a more consistent and comprehensive approach.
As a conclusion, Eurosmart welcomes the general trend that makes Europe’s cyber resilience stronger, and the first efforts of ETSI - TC Cyber to provide an overview of good practices for security requirements. However, Eurosmart enjoins ESOs and specifically CEN-CENELEC JTC 13 to work on even safer standards which may be referenced by the upcoming European cybersecurity certification schemes. The certification framework built upon the Cybersecurity Act is expected to quickly raise the security requirements for consumer IoT devices from assurance levels Substantial to High.
This white paper outlines risks involved in several implementations of external non-volatile storage for integrated secure functions in larger Systems on Chip (SoC).
The external storage function must be included in the SoC evaluation and should have a certification level that matches or exceeds the claimed level for the integrated secure function.
The integration trend in modern Systems on Chip (SoC) has reached secure functions. In order to reduce costs and provide more user functionality, functions such as Secure Element and UICC (e.g. SIM functionality) are integrated into the main processor or secondary communication processor dies.
Legacy secure controllers have been using embedded non-volatile memory for many generations. A practical, secure and obvious choice for stand-alone controllers, embedded non-volatile memory is a rare and expensive option for larger SoC. Limitations imposed by fabrication process and production costs limit the options to implement embedded non-volatile storage to one-time-programmable (OTP) memory only. Since secure functions require substantial amount of changes to the stored information, such OTP cannot be used to hold that information and external off-die storage must be used.
The off-die storage holds secure information, and as such, must provide security at a level matching that of a stand-alone secure element.
When implementing external secure storage, designers face one major obstacle. The exposed interface to external storage provides a means for attackers to access any stored information and to read, erase or modify it. Software-based solutions such as secure kernels have not proven to be robust enough to prevent replacement and attacks. Stronger mechanisms have to be provided.
A notable case is the FDP_SDC family of IC Protection Profile document [ICPP], which defines the required level of storage security for secure SoC designs. This family provides requirements for protection of data confidentiality and access to the data in the memory. Every design targeting security certification SHALL meet the FDP_SDC family requirements for data confidentiality.
In order to use standard NVM such as Flash to hold secure information, three security objectives must be reached – confidentiality, authenticity and freshness. Confidentiality is achieved by using strong encryption of the information before it is stored in the external nonvolatile storage (NVM). Such encryption scheme must use unique, non-obvious keys to minimize potential attack vectors.
Authenticity is achieved by signing the information stored in the NVM using a strong signature algorithm and validating this signature every time the information is retrieved from the flash. The signature must use a unique, non-obvious key to minimize attack vectors.
Freshness needs to be guaranteed using a secure monotonic counter. This counter is implemented either in the SoC die using OTP storage, or using an external device implementing a secure authenticated monotonic counter.
RPMB has been implemented as part of eMMC specifications from version 4.5 and on. Details on usage of this type of storage can be found in [CoCoNet].
Certified Secure Flash can be used for external storage. The security target and certification guarantee information confidentiality, authenticity and freshness.
A Secure Element [ICPP] can be used to store and protect information externally to the SoC. The communication channel between the Secure Element and SoC is encrypted, authenticated and monotonic. The Secure Element maintains information confidentiality, authenticity and freshness.
External Secure Storage should be considered part of the target of evaluation and as such must be regarded as a secure function. A secure function must undergo full assessment as part of the certification and pass with at least the same level of evaluation as the level claimed for the integrated secure function. E.g., if the integrated function claims EAL4+, the external storage function must also be certified to at least EAL4+ level. Since a protection profile for external secure storage does not exist yet, a detailed security target covering all the relevant aspects of the certification must be prepared. At a minimum, this security target must assure confidentiality, authenticity and freshness of the stored information.
The concept of using standard storage with freshness counter requires that every update of the information in the external storage is encrypted and signed using a unique value known to the SoC. To facilitate this, the monotonic counter is incremented for every information block write. The value of the counter must be authenticated. This requires that every time the counter is incremented, the value of the counter is either signed or a redundancy check code (CRC) is written along with its current value.
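The counter-bound write and read path described above, as an added sketch that is not taken from the white paper. It covers authenticity and freshness only: the payload is assumed to be already encrypted by the SoC, HMAC-SHA256 stands in for the signature algorithm, and the class names, key and sample data are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">Q")              # 64-bit counter value bound into every blob
TAG_LEN = hashlib.sha256().digest_size    # 32-byte HMAC-SHA256 tag


class IntegrityError(Exception):
    """Blob was modified, or was not produced with this device's key."""


class RollbackError(Exception):
    """Blob is authentic but older than the counter: a replayed image."""


class MonotonicCounter:
    """Stand-in for the on-die OTP counter or a secure-element counter."""

    def __init__(self):
        self._value = 0

    def read(self):
        return self._value

    def increment(self):
        self._value += 1                  # there is deliberately no way to decrement
        return self._value


class SecureStore:
    """Single-blob store on untrusted external NVM (hypothetical helper)."""

    def __init__(self, mac_key, counter):
        self._key = mac_key               # assumed device-unique, never leaves the SoC
        self._counter = counter
        self.flash = b""                  # external NVM: fully attacker-controlled

    def _tag(self, data):
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def write(self, ciphertext):
        # Increment on every write and authenticate the counter with the data.
        header = HEADER.pack(self._counter.increment())
        self.flash = header + ciphertext + self._tag(header + ciphertext)

    def read(self):
        blob = self.flash
        if len(blob) < HEADER.size + TAG_LEN:
            raise IntegrityError("blob too short")
        header = blob[:HEADER.size]
        body = blob[HEADER.size:-TAG_LEN]
        tag = blob[-TAG_LEN:]
        # Authenticity first: nothing in the blob is trusted before this passes.
        if not hmac.compare_digest(tag, self._tag(header + body)):
            raise IntegrityError("tag mismatch")
        # Freshness: the authenticated counter must equal the trusted one.
        (stored,) = HEADER.unpack(header)
        if stored != self._counter.read():
            raise RollbackError(f"blob counter {stored} is stale")
        return body


def _attempt(store, blob):
    """Place `blob` in external flash and report how the SoC-side read reacts."""
    store.flash = blob
    try:
        store.read()
        return "accepted"
    except RollbackError:
        return "rejected: rollback"
    except IntegrityError:
        return "rejected: integrity"


def demo():
    # Constructed key and payloads; the payloads stand in for ciphertext.
    store = SecureStore(b"constructed-device-unique-key-32", MonotonicCounter())
    store.write(b"balance=100")
    old = store.flash                     # snapshot of the external flash contents
    store.write(b"balance=0")
    current = store.flash
    flipped = bytearray(current)
    flipped[HEADER.size] ^= 0x01          # one bit changed in the payload
    return {
        "fresh": store.read(),
        "replayed_old_image": _attempt(store, old),
        "old_image_with_edited_counter": _attempt(store, HEADER.pack(2) + old[HEADER.size:]),
        "bit_flip": _attempt(store, bytes(flipped)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Without the counter comparison the replayed image would pass, because its tag is valid; the tag alone proves origin, not recency.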
The monotonic counter implementation must be protected according to the protection profile applicable to the integrated secure function, e.g. [ICPP]. In such a case, an implementation that uses OTP for the monotonic counter must be subjected to AVA_VAN.5 according to JIL/JHAS guidelines.
The concept of a secure monotonic counter can be implemented by an external secure element (SE). In such a case, the SoC and SE establish a secure link to authentically read and increment the counter value. A unique, non-obvious key should be used to secure and authenticate this link. The underlying assumption is that the secure element is certified according to ICPP.
When the implementation of external secure storage relies on an RPMB implementation, either countermeasures (such as a monotonic counter) must be implemented in the SoC or the RPMB implementation must be certified as outlined above. Existing RPMB implementations have been found to be vulnerable to a wide range of attacks. [eMMC] outlines hacking of the eMMC controller chip that, amongst other functions, implements the security functions associated with the RPMB. [HMAC] outlines a Differential Power Analysis attack on SHA-256 HMAC, which is the basis of RPMB operation.
An integrated security function must use an RPMB device certified to at least the same level claimed for that function.
1. TOE evaluation must include (i) the external non-secure storage device and any other device or function used in conjunction with the storage function e.g. Secure Element or (ii) the secure external storage
2. The external storage function must have a certification level that matches or exceeds the claimed level for the integrated secure function.
[CoCoNet] “Mobile secure data protection using eMMC RPMB partition” published in 2015 International Conference on Computing and Network Communications (CoCoNet)
[ICPP] EuroSmart Security IC Platform Protection Profile with Augmentation Packages https://www.commoncriteriaportal.org/files/ppfiles/pp0084b_pdf.pdf
[HMAC] Differential Power Analysis of HMAC SHA-2 in the Hamming Weight Model https://www.di.ens.fr/~belaid/articleHMAC.pdf
Eurosmart, the voice of the digital security industry welcomes the European Commission (DG GROW) proposal to strengthen the security approach of internet-connected radio equipment and wearable radio equipment.
Reaching a trustworthy and secure IoT market is paramount for the achievement of the European Digital Single Market. By 2025, the projected IoT connections are expected to exceed the threshold of 25 billion units. In the meantime, consumer IoT devices will account for over half of these connections. However, Europe will only represent the 3rd IoT market with 4.9 billion units, far behind Asia-Pacific (10.9 billion units) and U.S.-Canada (5.8 billion units). In this context the challenge for Europe is to place on the market consumer IoT devices which have not been specifically designed for its own market, but which respect the European philosophy and requirements in terms of security, privacy and safety. Throughout the evolution of the Digital Single Market, Eurosmart has been advocating for the strengthening of digital security as an essential precondition for consumer confidence and the growth of the European digital industry in a global market where Europe doesn’t hold the balance of power.
Hence, in this context, Eurosmart and its members pay particular attention to the security of the IoT devices placed on the European market, which must respect our fundamental values of data privacy and resistance to potential attacks (Cybersecurity).
Eurosmart highlights the fact that an IoT device is not expected to act in an isolated manner. Due to its dynamic nature, and the way the device adapts to its environment, security should be understood in a more comprehensive sense. The cybersecurity of the device has an impact on its whole environment (network, other devices) and even on critical infrastructures within the meaning of the NIS directive. For instance, a smart wearable such as a cardio activity tracker, which is not a medical device, can relate to both an individual’s home network and a hospital network.
Until now, there have been no strong and mandatory cybersecurity requirements for placing a consumer IoT device on the market. The Radio Equipment Directive mainly focuses on essential requirements for safety and health while ensuring electro-magnetic compatibility. As laid down in the Radio Equipment Directive, Eurosmart supports the idea of incorporating safeguards to ensure that the personal data and privacy of the user are protected, and of taking measures to prevent fraud, but on the condition that real cybersecurity measures, instead of a safety-based approach, would be incorporated into a potential delegated act.
Eurosmart acknowledges the benefits in terms of safety of the New Legislative Framework (NLF) approach, and the 2014 recast of the Radio Equipment Directive, which keeps flexibility for manufacturers and sets out a level playing field between manufacturers and importers. However, Eurosmart does not support the idea that the NLF will fit the level of cybersecurity requirements. The NLF was built to support safety requirements when placing a product on the market and not to assess the resilience level of a product to potential cyber-attacks.
The Inception Impact Assessment suggests the idea of baseline security requirements, to comply with the rules set out by the GDPR and the ePrivacy Directive, which do not concern market access for products. Eurosmart fears that this option may lead to the sole principle of “cyber hygiene” based on a self-declaration or a checklist for the manufacturer or the importer. This is clearly not enough to reach a trustworthy Digital Single Market and will put Europe’s digital sovereignty at risk: how could the potential backdoors be identified? How to make sure that European citizens’ personal data and credentials are securely stored and processed?
For these reasons, Eurosmart strongly recommends a cybersecurity approach for the potential Delegated Act of the Radio Equipment Directive. The NLF-Safety approach is designed to assess static targets, whereas cybersecurity is a matter of anticipation and moving security targets. The European Cybersecurity Certification Framework as defined by the Cybersecurity Act has been designed to evaluate the cybersecurity resistance level of products; it is the only viable process to fulfil this task. Due to the interconnected and sensitive nature of a consumer IoT device and as stated by the Inception Impact Assessment, Eurosmart urges the European Commission to propose a certification scheme at the level “substantial” for “Internet-connected radio equipment and wearable radio equipment”, based on trustworthy European Standards to be defined. This adopted certification scheme shall be referenced in the foreseen Delegated Act of the Radio Equipment Directive to support the intended purposes pursuant to both Articles 3(3)(e) and (f).
 Source GSMA
Eurosmart, the voice of the digital security industry, supports the political commitment to strengthening the reliability of radio equipment placed on the Market. The growing number of internet-connected radio equipment, and more precisely IoT devices, constitutes a challenge to ensure both safety and security of products placed on the market.
In terms of safety, it falls to the manufacturer to take care of the conformity of its radio equipment, which may combine hardware and software, when making it available on the market. In this case, software is part of the final good. However, third-party software can be uploaded on the device for the benefit of the final user, such as the enabling of new features of its hardware.
On the one hand, potential misuse or modification of the behaviour of the device cannot be under the responsibility of the manufacturer whose product placed on the market has been modified did not. Indeed, this situation could lead to legal uncertainty for market players who will bear the full liability of a modified combination of software and radio-equipment.
On the other hand, it would be detrimental for the market to oblige the manufacturer to introduce features that restrict the uploading of third-party software, unless the manufacturer ensures the compliance of the combination of the radio equipment and software. This would shift the responsibility for safety, compliance, usability and maintenance of the software to the radio-equipment manufacturer.
Moreover, the Inception impact assessment for the Radio Equipment Directive related to Internet-connected radio equipment and wearable radio equipment, foresees a potential delegated act which will include requirements in terms of privacy, data protection, and prevention from fraud. Such requirements will include cybersecurity protection alongside traditional conformity against functional specifications (safety). Eurosmart fears that the radio-equipment manufacturer would carry the whole liability burden in terms of cybersecurity, should the radio-equipment be altered due to the upload of a non-secure software, or a misuse by the user.
Internet-connected radio equipment is not acting in a static environment; uploaded software may rely on external databases, algorithms, cloud servers, artificial intelligence etc. which are not under the control of the manufacturer. Breaches of data, privacy concerns and vulnerabilities could be attributed to one or several actors of the software’s value chain which the manufacturer may not be responsible for or aware of.
An alternate option could be the upload of party evaluated software on a standardised platform, with a third party evaluation required for the product before and after the upload.
Eurosmart enjoins the TCAM and the European Commission to rely on the ongoing work of the Product liability expert group (E03592), to define clear liability for both device manufacturers and software developers and to consider software as a good placed on the market as such. It is essential, prior to envisaging a complementary approach through a potential delegated act for software upload for radio equipment, to wait for the upcoming conclusions of the Product Liability Expert Group.