There is no denying the recent boom in the use of video identification solutions as a method to enable the management of all kinds of procedures, thus eliminating the need to be present in person. Sectors such as banking, insurance or legal are gradually increasing the use of video identification software in their day-to-day business.
For this reason, the Spanish Ministry of Economic Affairs and Digital Transformation, in BOE núm. 115, of 14 May 2021, regulated remote video identification methods for the issuance of qualified electronic certificates. This requires providers of this type of service to validate their solutions under the terms established in Anexo F11 de la Guía de Seguridad de las TIC CCN-STIC 140 of the National Cryptologic Centre, by means of product certification. The deadline for obtaining this certification was 1 July 2022, a period that was extended to 1 January 2023.
The CRA is an initiative that aims to ensure that vendors establish appropriate cybersecurity safeguards in the digital products they sell. By establishing cybersecurity requirements before and after a product is marketed, the CRA will strengthen the security and resilience of the entire supply chain for the benefit of businesses and end consumers.
The main mission of the Cybersecurity Resilience Act is to fill existing gaps in legislation by creating horizontal legislation that defines European cybersecurity standards for digital products and services, since current EU product-specific legislation mostly covers security aspects and addresses cybersecurity only partially.
Evaluating a pioneering product in a CPSTIC/CCN-STIC 105 taxonomy is both a great motivation and a challenge. Therefore, we are pleased to be the first laboratory to have successfully evaluated a product in the category of Videoconferencing tools, which has been included in the Qualified Products section of the Spanish Catalogue of Information and Communication Technology Security Products (CPSTIC) published by the CCN. We would like to congratulate PEXIP on this and on the great work done.
In this article we will discuss how we could apply fuzzing to software developed for embedded systems and IoT using techniques such as emulation and dynamic instrumentation, with the main goal of learning a new way of evaluating the security of devices like routers, smart lightbulbs, industrial IoT, etc.
While performing a STIC evaluation of a product, the evaluation team at jtsec thought that it would be interesting to analyze the communications between two embedded devices that were part of the product. The main objective was to determine whether those communications were properly secured with encryption and with the other security measures that matter for devices communicating over radio frequencies, such as protection against jamming, GPS spoofing or replay attacks.