Security

We at Bittium have dedicated ourselves to keeping up with the latest security requirements, standards, protocols, and legislation.

Information Security

The world is increasingly dependent on software. And the software we depend upon is increasingly complex. It changes too, at a fast pace: monthly, weekly, and sometimes even daily.

Complex software products and networked business infrastructures make up a labyrinthian environment wherein to mitigate vulnerabilities. The overall attack surface – the many points at which an attacker could enter a software environment – are numerous. They create an enormous challenge for security.

While considering the user, extra security hoops can seem an imposition. Bittium exists to make sure that you do not have to compromise security while striving for a seamless user experience. We know the ins and outs of the security and regulatory requirements, and carry this expertise over to our own and our customers software or hardware products.

We exist to make sure that you don't have to compromise security while striving for a seamless user experience

Securing Hardware

There are numerous different standards and requirements for hardware and security, such as Tempest, common criteria and FIPS-140-2. At Bittium, we have developed a process and implementation for secure hardware. It is to fulfill and go beyond these common requirements, at the present and in the future.

Bittium's secure and systematic hardware design process includes:

  • Threat/mitigation vector analysis
  • Security requirement analysis and mapping to hardware architecture/design
  • Hardware security element integration
  • PCB layout design for security
  • Mechanics design for tamper protection
  • Tamper detection and prevention system design
  • Security system testing

Bittium Tough Mobile product family, used by governmental agencies and enterprises, is a showcase example of our expertise in secure hardware design.

We fulfill and go beyond the common requirements of secure hardware, at the present and in the future

Securing Software

We employ the Defense in Depth (DiD) approach. This means defenses are implemented, over different layers of the software and at all phases of the product development, to eliminate single points of failure.

Software Design Phase

Software design starts with threat-modeling. Early on, security flaw analyses are run to spot security risks in the software architecture to avoid expensive re-designs later. At the system level design phase we concentrate on high-level mitigations to generic threats, such as anti-tampering features. And at the component level, our focus is on input validation practices.

  • Thread modeling relies on going through important checklists that can be used at all abstraction levels CIA (Confidentiality, Integrity, and Availability)
  • STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of srivilege)
  • DREAD (Damage, Reproducibility, Exploitability, Affected users and Discoverability)

We also rely on Taint analysis, which marks untrusted or sensitive data and tracks its propagation and respective derivatives within the system. The usefulness of Taint is two-fold: it ensures that untrusted data do not cause malicious actions. It also guards against sensitive data not getting leaked outside of the system and making sure such data is erased when not needed.

We make sure that the security foundations are solid and neither the system nor its components are open to vulnerabilities when going forward in the software development process.

Software Implementation Phase

In the implementation phase, a hierarchical structure is applied to create secure code. At the top level of the structure, input validation is applied through whitelisting. This means that access is granted only to specifically identified entities rather than going by the principle of least privilege, which is used in blacklisting.

At lower levels, where abstraction level decreases, more detailed guidance is defined from client-server architecture considerations (e.g. communication security, authentication, and access control) down to standard coding practices (e.g. Java and C language-specific). If the system under development includes 3rd party open source software, we use open source vulnerability databases, such as CVE, and hold rigorous reviews to check against any back-doors. Legacy source codebase security is kept up to date and use-automated tools for static code analysis to help identify invalid pointer references, uninitialized variables, buffer overruns as well as other security flaws.

Software Testing Phase

The software implementation phase includes many security self-assessment methods. Primarily attention is given to the scope of the software component. Also, manual integration testing is needed to take into account interactions between the different software components – to check the networking and access control of shared resources.

Coverage analysis tools ensure that the entire source codebase gets tested. Fuzz testing goes through modified versions of valid inputs to the tested interface and finds conditions as invalid input handling, memory leak, or overload scenarios. Coverage analysis is essential for enabling efficient fuzzing because it enables the selection of a comprehensive and non-overlapping set of valid inputs that will be modified during fuzz testing.

Software Releasing and Maintenance Phase

From the security viewpoint, the software is ready for release when all its security issues are tackled. From the release on, maintenance takes the stage and protecting the software from unwanted changes is essential until the end of the software lifecycle. Secure building, integrity protection, secure signing, and rollback prevention are the main measures to be taken. All of these protections are included also in the swift over-the-air (OTA) updates, which can be run to patch e.g. third-party software vulnerabilities.

We make sure that the security foundations are solid and neither the system nor its components are open to vulnerabilities when going forward in the software development process

Secure Mobile Communication

With the rise of connected mobile devices it becomes harder and harder for organizations to ensure security. The security of services can potentially be threatened whenever the device enters a new network, especially in public places – such as airports, trains etc. Both the hardware and the software are at risk to be tampered with and applications or updates can cause additional threats.

While the big smartphone manufacturers and key operating system providers try to enhance their security measurements, they are no comparison to specifically designed secure phones.

The use of LTE technology, smartphones, and applications continue to increase in special verticals, creating demand for secure LTE smartphones such as Bittium´s own product platform and complementary security solutions.

As a world leading technology provider for secure mobile communications, we are mastering the Android ecosystem with our Bittium Tough Mobile 2 product portfolio.

While the big smartphone manufacturers and key operating system providers try to enhance their security measurements, they are no comparison to specifically designed secure phones

Secure Communications & Connectivity