Keys & Credentials for Routers

Ensure recoverability and improve resilience for both CPE and ISP infrastructure to protect your brand, customers, and bottom line

Consumers need an ISP they can count on

As the average home gets more connected devices, consumers are putting more of their sensitive data in the hands of their Internet Service Provider. From banking credentials to smart locks and medical monitoring, they rely on broadband that’s fast, secure and always on. They won’t hesitate to switch suppliers if security breaches impact reliability or put their personal data at risk.

Insecure routers put ISPs at massive risk

An estimated 75% of all IoT attacks can be traced back to infected routers (Symantec 2019). A catastrophic loss of revenue and reputation can result when breaches interrupt connectivity, expose subscriber data, or leave the ISP’s own infrastructure open to attack. Threats will only increase as ISPs roll out smarter CPE to act as an application layer and deliver new revenue-generating cloud services. Forthcoming IoT legislation in many markets could soon force operators to demonstrate measures to mitigate this risk and ensure recoverability from attacks.

Keys & Credentials for Routers is a fully managed service that provides enhanced security to any broadband CPE. It ensures recoverability and improves resilience for both CPE and ISP infrastructure. Unique keys are provisioned securely in each router, gateway or Wi-Fi extender to improve device authentication and prevent spoofing. Secure code signing prevents routers from being hijacked by advanced malware.

Protect your brand. Protect subscribers. Protect your bottom line.

Protect subscriber data

Weak CPE authentication leaves the ISP’s core network vulnerable to attack. Compromised routers can allow hackers to snoop on or hijack subscriber web traffic. In each case, confidential data may be exposed. Irdeto Keys & Credentials for Routers enhances authentication and prevents CPE spoofing to insulate ISPs from the enormous reputational damage and regulatory fines related to a backend server breach.

Limit interruptions and support costs

CPE malware and software vulnerabilities can be exploited to throttle or interrupt broadband services, creating huge frustration for subscribers. Persistent malware or bogus firmware can lock ISPs out of their own CPE, forcing a device swap or engineer visit. Irdeto’s managed code signing can prevent this damage to subscriber satisfaction and support budgets.

Lead the field in compliance, resilience and recoverability


IoT cybersecurity legislation is being considered by the EU, US government and many national regulators. It’s likely ISPs will soon be asked to provide additional protection for the CPE they supply, as well as to demonstrate the ability to recover from security breaches. Adding code signing and a hardware root of trust into CPE today is a sensible future-proofing step towards compliance with future regulations.

A hassle-free route to protecting all ISP devices in the consumer home


Irdeto securely provisions unique and unclonable Trusted Identities into the chipset in every router, creating a hardware root of trust. The CPE then provides strong credentials with each API call, allowing the ISP’s servers to instantly identify requests from spoofed CPE.


Irdeto’s expert team takes care of the full lifecycle for all key materials, from production and provisioning to renewal and revocation. Managed blacklists are used to block access from any CPE that’s known to have been compromised.


Unique Trust Anchors are embedded in the chipset of each CPE to fully utilize the secure boot functionality. Irdeto securely stores the operator’s keys and works with all authorized software developers to sign future code releases.


Our dedicated, secure production facilities provide high-capacity, scalable keying services to leading operators and have generated 1bn+ individual security assets to date. They are staffed by a team of security experts and have full disaster recovery.


Trusted Identities are provisioned into the CPE in the factory. Updates and new credentials are remotely provisioned via Irdeto’s cloud servers to devices in the field, taking advantage of the hardware root of trust. This future-proofs CPE against new business and security needs.


Keys & Credentials for Routers is a vendor and technology agnostic service. We deal directly with the ISP’s choice of ODMs, ensuring a consistent security posture across all CPE. ISPs gain full control of their router security, without the cost and hassle of managing it in-house.

How does it work?

Managed code signing for malware resistance

  1. Irdeto’s Secure Keying Center generates Code Signing Keys (CSKs) and Trust Anchors (TAs). TAs are securely delivered to CPE vendors. CSKs are stored securely in the Irdeto Keying Center.
  2. A TA is added to the secure boot feature in each CPE’s hardware during manufacture.
  3. Authorized developers submit their code to Irdeto for signature on behalf of the operator prior to distribution to the CPE.
  4. The TA in each CPE identifies legitimate software authorized by the operator because it is signed using the correct CSK.
  5. Any software that is not signed with the operator’s CSK will be rejected by the CPE secure boot and will not run on the device.
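
The secure boot decision in steps 4 and 5, as an added Go example that is not Irdeto's code: it assumes the Trust Anchor is the Ed25519 public half of the CSK and uses a hypothetical `SignedImage` layout, with constructed sample images.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// TrustAnchor models the TA fixed into the CPE at manufacture (step 2).
// Assumption: it is the Ed25519 public half of the operator's CSK.
type TrustAnchor struct{ pub ed25519.PublicKey }

// SignedImage is a hypothetical layout: firmware bytes plus a detached
// signature produced with the CSK at the keying center (step 3).
type SignedImage struct{ Code, Sig []byte }

// Allow implements steps 4 and 5: only code whose signature verifies
// under the trust anchor may run; anything else is rejected.
func (ta TrustAnchor) Allow(img SignedImage) bool {
	if len(img.Sig) != ed25519.SignatureSize {
		return false // unsigned or malformed signature
	}
	return ed25519.Verify(ta.pub, img.Code, img.Sig)
}

// BootDemo checks four constructed images and returns the decisions in
// order: genuine, modified after signing, signed by another key, unsigned.
func BootDemo() []bool {
	taPub, csk, _ := ed25519.GenerateKey(rand.Reader)  // step 1
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader) // not the operator's CSK
	ta := TrustAnchor{taPub}
	code := []byte("constructed firmware image v2")
	sig := ed25519.Sign(csk, code)
	modified := append([]byte("patched:"), code...)
	return []bool{
		ta.Allow(SignedImage{code, sig}),
		ta.Allow(SignedImage{modified, sig}),
		ta.Allow(SignedImage{code, ed25519.Sign(otherKey, code)}),
		ta.Allow(SignedImage{code, nil}),
	}
}

func main() { fmt.Println(BootDemo()) }
```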

Trusted Identities protect core networks from birth to death

  1. Irdeto’s Secure Keying Center generates and issues a Trusted Identity key for each CPE.
  2. The key is added to the CPE hardware during manufacture, creating a Root of Trust.
  3. During the CPE lifetime, the operator can instruct Irdeto to issue a new/updated Trusted Identity via Remote Provisioning.
  4. On behalf of the operator, Irdeto publishes a blacklist of compromised identities for real-time authorization queries.
  5. API calls are accepted by the operator or their partner’s servers if they contain a non-blacklisted Trusted Identity.
  6. API calls are rejected if made without a Trusted Identity or with blacklisted identities.

Trusted Identities for legacy CPE already in the field

  1. Irdeto’s Secure Keying Center generates a Trusted Identity key for each CPE. The Trusted Identity key is remotely provisioned to each CPE. No Hardware Root of Trust is established, but the key is obfuscated with software protection to protect it from compromise during transit and once on the CPE. During the CPE lifetime, the operator can instruct Irdeto to issue a new/updated Trusted Identity via the same router.
  2. On behalf of the operator, Irdeto publishes a blacklist of compromised identities for real-time authorization queries.
  3. API calls are accepted by operator/partner servers if they contain non-blacklisted Trusted Identities.
  4. API calls are rejected if made without a Trusted Identity or with blacklisted identities.
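
The accept/reject rules in the two Trusted Identity lists above (hardware-rooted and legacy CPE), as an added Go example that is not Irdeto's code: the `APICall` and `Server` shapes, the device names, and the use of Ed25519 signatures as the credential are assumptions, and all sample calls are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// APICall is a hypothetical request shape, not Irdeto's wire format.
type APICall struct {
	DeviceID  string // claimed Trusted Identity
	Body, Sig []byte // payload and signature made with the CPE's key
}

// Server is a hypothetical backend view of the keying data.
type Server struct {
	issued    map[string]ed25519.PublicKey // public key issued per CPE
	blacklist map[string]bool              // published compromised identities
}

// Authorize returns "accept" or the reason for rejection.
func (s *Server) Authorize(c APICall) string {
	pub, known := s.issued[c.DeviceID]
	switch {
	case c.DeviceID == "" || len(c.Sig) == 0:
		return "reject: no trusted identity"
	case s.blacklist[c.DeviceID]:
		return "reject: blacklisted"
	case !known || !ed25519.Verify(pub, c.Body, c.Sig):
		return "reject: spoofed"
	}
	return "accept"
}

// AuthDemo runs four constructed calls through Authorize.
func AuthDemo() []string {
	pubA, keyA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, keyB, _ := ed25519.GenerateKey(rand.Reader)
	s := &Server{map[string]ed25519.PublicKey{"cpe-A": pubA, "cpe-B": pubB},
		map[string]bool{"cpe-B": true}} // cpe-B reported compromised
	body := []byte("GET /config")
	return []string{
		s.Authorize(APICall{"cpe-A", body, ed25519.Sign(keyA, body)}), // genuine device
		s.Authorize(APICall{"cpe-B", body, ed25519.Sign(keyB, body)}), // blacklisted device
		s.Authorize(APICall{"cpe-A", body, ed25519.Sign(keyB, body)}), // claims cpe-A, wrong key
		s.Authorize(APICall{"", body, nil}),                           // no identity presented
	}
}

func main() { fmt.Println(AuthDemo()) }
```

A deployed protocol would also bind a nonce or timestamp into the signed bytes so a captured call cannot be replayed; the page does not describe that layer.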

Awards

cybersecurity_excellence_2021_gold-2

Best Cybersecurity for Connected Home
