Microsoft is expanding a certification program to improve the security of Internet of Things (IoT) devices.
Microsoft’s secured-core concept first aimed, in 2019, to improve the security of software interfaces for Windows 10 hardware; two years later, Microsoft brought it to firmware for servers running Windows Server and Azure Stack HCI.
Secured-core is not focussed on consumer devices but aims to assure enterprise customers that Windows running on non-Microsoft hardware has been certified as secure by Microsoft. The concept was carried across from Microsoft’s Xbox division, which has a more vertically controlled hardware and software stack than the Windows ecosystem.
Beyond desktops and servers, Microsoft also has the “Edge Secured-core” program – a security certification for IoT devices that operate on the edge of networks called the Azure Certified Device program. It’s for devices connected to Microsoft’s Azure cloud service.
Microsoft says devices certified under this program will get updates for at least 60 months from the date that vendors submit their devices to its program. That’s as long as Google’s commitment to patch its own Android Pixel phones for five years.
Microsoft says its program assures that devices have hardware-backed identity when connecting to Azure IoT Hub and using the IoT Hub device-provisioning service. Devices are also certified for system integrity covering the processor, firmware and OS, and certified as encrypting data on the device and while data is in transit.
“IoT devices such as gateways, which are often used to connect downstream devices to the cloud, need inherent support for protecting data in transit. Edge Secured-core devices help support up-to-date protocols and algorithms that are used for data-in-transit encryption,” says Deepak Manohar, principal PM manager, Azure Edge and Platform security.
Devices that Microsoft has certified so far include the ASUS PE200, Lenovo ThinkEdge SE30, Intel’s NUC 11 Pro Mini PC, and Asus’s AAEON SRG-TG01. They’re now listed in the Azure certified device catalog and, while they come from large vendors, the devices represent a fraction of the thousands of IoT device models on the internet.
“We have added this new device certification for our Edge Secured-core platform so customers can more easily select IoT devices that meet this advanced security designation,” says Manohar.
IoT devices are low-hanging fruit for hackers. The US last week announced it had dismantled a massive Russian-operated botnet that had operated for several years as a proxy IP address service and was used by cyber criminals for credential attacks on website login pages.
The botnet was built by its operators using software that automated password-guessing for a range of internet-facing devices, like routers and smart TVs, which often ship with default passwords that are documented in publicly available support manuals.