Dec 13, 2018 8:00:00 AM
Code Signing: Did Someone Hijack Your Software?

This article originally appeared on the Forbes Technology Technology Council blog. Click the link below for the full version.

Imagine that, for whatever reason, you hear you’re the target of an elite cyber-mafia. You don’t take it seriously until you’re driving down the freeway and suspect someone has tampered with your vehicle. Spotting traffic quickly building ahead, you slam on the brakes, and nothing happens. You attempt to steer to the shoulder, but the steering wheel moves in the opposite direction. The only choice is to brace for the ensuing impact.

Such a scenario may sound like science fiction, but in recent years, cybersecurity researchers have proven the feasibility of such attacks. In the automotive realm, this problem led security researchers to gain a degree of remote control over a number of vehicle models, like the Jeep Cherokee in 2015 and the Tesla Model S in 2016. Researchers have also demonstrated similar stunts on medical devices, industrial equipment and police body cameras.

One of the things many of these attacks have in common is the manufacturer of the device in question either didn’t have a process in place for code signing or didn't bother to sign the code running on those devices at all. When you sign a piece of code, you make a statement that the software came from your organization and that you stand behind it. You send a message that the code meets your quality assurance guidelines, security standards and so forth. That’s why tech giants like Microsoft and Apple digitally sign their patches and updates. It allows them to say, “I'm only going to install an update if it came from the corporate mothership and not from an attacker.”

Continue Reading