Select Page

Ensure recoverability and improve resilience for both CPE and ISP infrastructure to protect your brand, customers, and bottom line

Parks Associates & Irdeto webinar: Value-added services for the SMB segment

Irdeto launches Keys & Credentials for ISP Routers

Consumers need an ISP they can count on

As the average home gets more connected devices, consumers are putting more of their sensitive data in the hands of their Internet Service Provider. From banking credentials to smart locks and medical monitoring, they rely on broadband that’s fast, secure and always on. They won’t hesitate to switch suppliers if security breaches impact reliability or put their personal data at risk.

Insecure routers put ISPs at massive risk

An estimated 75% of all IoT attacks can be traced back to infected routers (Symantec 2019). A catastrophic loss of revenue and reputation can result when breaches interrupt connectivity, expose subscriber data, or leave the ISP’s own infrastructure open to attack. Threats will only increase as ISPs roll-out smarter CPE to act as an application layer and deliver new revenue-generating cloud services. Forthcoming IoT legislation in many markets could soon force operators to demonstrate measures to mitigate this risk and ensure recoverability from attacks.

Keys & Credentials for Routers is a fully managed service that provides enhanced security to any broadband CPE. It ensures recoverability and improves resilience for both CPE and ISP infrastructure.  Unique keys are provisioned securely in each router, gateway or Wi-Fi extender to improve device authentication and prevent spoofing. Secure code signing prevents routers being hijacked using advanced malware.

Protect your brand. Protect subscribers. Protect your bottom line.

Protect subscriber data‏‏‎ ‎‏‏

Weak CPE authentication leaves the ISP’s core network vulnerable to attack. Compromised routers can allow hackers to snoop on or hijack subscriber web traffic.

Read more…

In each case, confidential data may be exposed. Irdeto Keys & Credentials for Routers enhances authentication and prevents CPE spoofing to insulate ISPs from the enormous reputational damage and regulatory fines related to a backend server breach.

Limit interruptions and support costs

CPE malware and software vulnerabilities can be exploited to throttle or interrupt broadband services, creating huge frustration for subscribers.

Read more…

Persistent malware or bogus firmware can lock ISPs out of their own CPE, forcing a device swap or engineer visit. Irdeto’s managed code signing can prevent this damage to subscriber satisfaction and support budgets.

Lead the field in compliance, resilience and recoverability

IoT cybersecurity security legislation is being considered by the EU, US government and many national regulators.

Read more…

It’s likely ISPs will soon be asked to provide additional protection for the CPE they supply, as well as to demonstrate the ability to recover from security breaches. Adding code signing and a hardware root of trust into CPE today is a sensible future-proofing step towards compliance with future regulations.

Want to learn more about the security risks associated with broadband CPE?

A hassle-free route to protecting all ISP devices in the consumer home

Trusted identities

Irdeto securely provisions unique and unclonable Trusted Identities into the chipset in every router, creating a hardware root of trust.

Read more…

The CPE then provides strong credentials with each API call, allowing the ISP’s servers to instantly identify requests from spoofed CPE.

Secure key management

Irdeto’s expert team takes care of the full lifecycle for all key materials, from production and provisioning to renewal and revocation.

Read more…

Managed blacklists are used to block access from any CPE that’s known to have been compromised.

Managed code signing

Unique Trust Anchors are embedded in the chipset of each CPE to fully utilize the secure boot functionality.

Read more…

Irdeto securely stores the operator’s keys and works with all authorized software developers to sign future code releases.

Secure keying facilities

Our dedicated, secure production facilities provide high-capacity, scalable keying services to leading operators and have generated 1bn+ individual security assets to date.

Read more…

They are staffed by a team of security experts and have full disaster recovery.

Flexible provisioning options

Trusted Identities are provisioned into the CPE in the factory. Updates and new credentials are remotely provisioned via Irdeto’s cloud servers to devices in the field, taking advantage of the hardware root of trust.

Read more…

This future-proofs CPE against new business and security needs.

Multi-vendor management

Keys & Credentials for Routers is a vendor and technology agnostic service. We deal directly with the ISP’s choice of ODMs, ensuring a consistent security posture across all CPE.

Read more…

ISPs gain full control of their router security, without the cost and hassle of managing it in-house.

How it works?

Managed code signing for malware resistance

  1. Irdeto’s Secure Keying Center generates Code Signing Keys (CSKs) and Trust Anchors (TAs). TAs are securely delivered to CPE vendors. CSKs are stored securely in the Irdeto Keying Center.
  2. A TA is added to the secure boot feature in each CPE hardware during manufacture.
  3. Authorized developers submit their code to Irdeto for signature on behalf of the operator prior to distribution to the CPE.
  4. The TA in each CPE identifies legitimate software authorized by the operator because it is signed using the correct CSK.
  5. Any software that is not signed with the operator’s CSK will be rejected by the CPE secure boot and will not run on the device.
trusted home
trusted home

Trusted Identities protect core networks from birth to death

  1. Irdeto’s Secure Keying Center generates and issues a Trusted Identity key for each CPE.
  2. The key is added to the CPE hardware during manufacture creating a Root of Trust.
  3. During the CPE lifetime, the operator can instruct Irdeto to issue new/updated Trusted Identity via Remote Provisioning.
  4. On behalf of the operator, Irdeto publishes a blacklist of compromised identities for real-time authorization queries.
  5. API calls are accepted by the operator or their partner’s servers if they contain a non-blacklisted Trusted Identity.
  6. API calls are rejected if made without a Trusted Identity or with blacklisted identities.

Trusted Identities for legacy CPE already in the field

  1. Irdeto’s Secure Keying Center generates a Trusted Identity key for each CPE. The Trusted Identity key is remotely provisioning to each CPE. No Hardware Root of Trust is established, but the key is obfuscated with software protection to protect it from compromise during transit and once on the CPE. During the CPE lifetime, the operator can instruct Irdeto to issue new/updated Trusted Identity via the same router.
  2. On behalf of the operator, Irdeto publishes a blacklist of compromised identities for real-time authorization queries.
  3. API calls are accepted by operator/partner servers if they contain non-blacklisted Trusted Identities.
  4. API calls are rejected if made without a Trusted Identity or with blacklisted identities.
trusted home

Want to learn more about how Keys & Credentials for Routers boosts ISP cybersecurity?

Contact us


Best Cybersecurity for Connected Home

Better together

Want to know how to put subscribers in control of their home Wi-Fi? Read about Trusted Home.

Do you also offer a video service?
Learn more about Irdeto’s solutions for Pay TV and OTT security.

Learn more about Keys & Credentials for Routers