Wednesday, April 13, 2016

Why software signing matters

Color me disturbed but not shocked: at least some home-security cameras ship with malware links.

This is one of those problems about which the consumer can do nothing: you can't fix the software or firmware running on these devices. However, there is a long-term fix that we must pressure vendors to adopt: software signing. Code signing (another term for this process) ensures that the software running on a system is exactly and only what the vendor shipped. Any unsanctioned alteration is detectable and at the least will trigger a warning to the user. (On Apple products, if Apple-originated software is altered, other than by Apple in a software update, the software flat-out won't run.)

Digitally signing software isn't foolproof and it takes a lot of thought to get it right, but if properly implemented it can prevent the kind of absurdly simple malware injection that happened to these cameras. If a company that makes security cameras isn't interested enough in the security of those cameras to make this investment, do you want to trust that company with your security?
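To make the tamper-detection point concrete, here is an added example (not part of the original post, and not any vendor's code) of a device refusing an altered image. So that it runs on the Python standard library alone, it swaps in a Lamport one-time signature over SHA-256 for the Ed25519, RSA or LMS signing a real vendor would do through a maintained library. The function names, the firmware bytes and the `injected.example` link are all constructed for illustration.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(image: bytes):
    """The 256 bits of the image's SHA-256 digest, most significant bit first."""
    digest = _h(image)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Vendor side: private key is 256 pairs of random secrets; the public
    key, which ships inside the device, is the hash of each secret."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(a), _h(b)) for a, b in priv]
    return priv, pub

def sign(priv, image: bytes):
    """Vendor side: reveal one secret per digest bit.
    A Lamport key is one-time: it must never sign a second image."""
    return [priv[i][bit] for i, bit in enumerate(_bits(image))]

def verify(pub, image: bytes, sig) -> bool:
    """Device side: needs only the public key. Every revealed secret must
    hash to the public value selected by the image's own digest bit."""
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(image)):
        ok &= secrets.compare_digest(_h(sig[i]), pub[i][bit])
    return ok

def install(pub, image: bytes, sig) -> str:
    """Fail closed: an image that does not verify is never installed."""
    return "installed" if verify(pub, image, sig) else "rejected"

# Constructed sample data: a stand-in firmware page and an altered copy.
FIRMWARE = b"<html><body>camera admin page</body></html>"
TAMPERED = FIRMWARE.replace(
    b"</body>", b'<a href="http://injected.example/">update</a></body>')

def demo():
    priv, pub = keygen()
    sig = sign(priv, FIRMWARE)  # done once, at the vendor
    return install(pub, FIRMWARE, sig), install(pub, TAMPERED, sig)

if __name__ == "__main__":
    print(demo())
```

The check only helps if the public key and the verifying code live somewhere the attacker cannot rewrite, such as a boot ROM or a hardware-protected key store.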
