Symbian ransom shows risk in internet of things

The news that Nokia was held to ransom over a digital certificate should raise alarm bells in organisations with aspirations to digitise their business

MTV in Finland reported that in 2007 a blackmailer obtained a private key used to sign Nokia-certified Symbian applications. Nokia paid the blackmailer millions of pounds to prevent the key being released, according to the broadcaster.

Had the key been released, anyone holding it could have signed malware so that Symbian phones would accept it as a Nokia-certified application, making Trojan Horse applications targeted at Symbian users trivial to produce.

Stolen code-signing certificates also played a part in Stuxnet, which attacked industrial Scada control systems: its kernel drivers were signed with certificates stolen from legitimate hardware vendors, so Windows loaded them as trusted software.

Meanwhile, many consumer-facing companies are driving digitisation across new product development. These products are likely to have large software components that rely on code-signing certificates to establish that the code they run, and the updates they receive, are genuine.

Modern consumer electronics such as smart TVs and games consoles offer consumers a way to keep the device up-to-date, with internet-distributed firmware updates.

As companies enhance their existing and new products with internet-connected systems, such updates will become increasingly common. Manufacturers may even choose to update them automatically without any user intervention.

A digital certificate is meant to provide a level of guarantee that the software being installed comes from an authorised source: the device checks the update's signature against the vendor's public key before installing it. The certificate itself is public; what must stay secret is the private key behind it. If that key is compromised, an attacker can sign arbitrary code that the device cannot distinguish from a genuine update, and so install any application on the target device.

Last year Hiroshi Shinotsuka from Symantec, which owns the Verisign certificate authority, discussed the challenges in keeping digital certificates safe. In a blog, Shinotsuka recommended that developer teams protect private keys by setting up a software development network and completely segregating it from the internal company network. "Use different passwords for both networks. If malware compromises a computer on the company network, it cannot gain access to private keys," Shinotsuka wrote.

Shinotsuka also recommended that developers use test certificates until the software is ready to deploy and, rather than store certificates on a computer, put them on encrypted USB tokens and keep them in a safe.
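The following is an added example, not code from the article or from Nokia, Symantec or any Symbian tooling. It models the firmware-update check described above and the "test certificates until release" recommendation as a small Go verifier: a device with a pinned production public key accepts a genuine signed release, rejects an image tampered after signing, rejects a build signed with the separate test key, rejects a rollback to an older version, and, the point of the Nokia story, accepts a trojaned image signed with the stolen production key, because the check has no way to tell the thief from the vendor. The manifest format, version numbers, key names and image contents are all constructed for illustration; Ed25519 stands in for whatever signature scheme a real update system uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of a firmware image (constructed format).
// The device never trusts the image bytes directly: it trusts the manifest's
// signature, then checks that the image hashes to what the manifest says.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte // Ed25519 signature over Version || ImageHash
}

// signedBytes is the exact byte string that is signed and later verified.
func signedBytes(version uint32, imageHash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], imageHash[:])
	return buf
}

// SignManifest is what the vendor's release pipeline runs with its private key.
// Whoever holds this key, vendor or thief, produces manifests the device accepts.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, signedBytes(version, h))}
}

// Device is the verifier side: a vendor public key pinned at manufacture and
// the version of the firmware currently installed.
type Device struct {
	VendorKey      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned vendor key")
	ErrHashMismatch = errors.New("image hash does not match the signed manifest")
	ErrRollback     = errors.New("manifest version is not newer than the installed firmware")
)

// VerifyUpdate is the check run before an image is written to flash.
func (d *Device) VerifyUpdate(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorKey, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= d.CurrentVersion {
		return ErrRollback
	}
	return nil
}

// Scenarios runs the verifier against each case and returns its verdict by name.
func Scenarios() map[string]error {
	// Constructed keys: the production signing key and a separate test-signing
	// key, as the Symantec advice recommends using before release.
	prodPub, prodPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, testPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	dev := &Device{VendorKey: prodPub, CurrentVersion: 7}
	genuine := []byte("constructed firmware image v8")                // sample input
	trojan := []byte("constructed firmware image v8 with a backdoor") // sample input

	out := map[string]error{}
	// Genuine release signed by the production key: accepted.
	out["genuine"] = dev.VerifyUpdate(SignManifest(prodPriv, 8, genuine), genuine)
	// Image swapped after signing: the signature is fine but the hash is not.
	out["tampered"] = dev.VerifyUpdate(SignManifest(prodPriv, 8, genuine), trojan)
	// Build signed with the test key: production devices do not trust it.
	out["test-signed"] = dev.VerifyUpdate(SignManifest(testPriv, 8, trojan), trojan)
	// Validly signed but older firmware: rejected as a rollback.
	out["rollback"] = dev.VerifyUpdate(SignManifest(prodPriv, 7, genuine), genuine)
	// Attacker holding the stolen production key: indistinguishable from the vendor.
	out["stolen-key"] = dev.VerifyUpdate(SignManifest(prodPriv, 8, trojan), trojan)
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-12s %v\n", name, err)
	}
}
```

The last scenario is why the recommendations above are about the key rather than the verifier: once the production private key is in the wrong hands, every device that pins the matching public key will install whatever that key signs, and the only remedies are a key rotation pushed to every device or, as in Nokia's case, paying to keep the key out of circulation.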

According to analyst Gartner, businesses are increasingly looking at developing more digital services to remain competitive. However, traditional approaches to IT and business strategy are regarded as speed bumps slowing down the digitisation drive.

In May Michele Cantara, research vice president at Gartner, stated: "To deliver on the growth outcomes the C-suite expects, change agents in business and IT need to challenge long-held assumptions about management, organisational and technology best practices."

As such, there will be pressure from the business to release products much faster than a traditional approach dictates. Code quality will need to be kept high, and keeping the private keys behind digital certificates secure will become a priority.
