Bernd Hantsche, Managing Director Embedded & Wireless and initiator of the GDPR campaign at Rutronik
May 25, 2018 is the deadline for implementing the European General Data Protection Regulation (EU-GDPR) and the derived data protection legislation, which is the strictest seen to date. By this time, practically all companies processing personal data are required to implement extensive measures to protect this data.
“This confronts businesses with immense challenges,” explained Bernd Hantsche, Head of Division Embedded & Wireless at Rutronik. “Not only do they have to understand the regulation and its impact on their business, processes and products, they also have to establish suitable measures and implement them – a process that is anything but trivial with such a diverse and complex topic as security.”
For hardware and software developers, and for product managers, Article 25 “Data Protection by Design and by Default” and Article 32 “Security of Processing” are of primary importance.
“These text sections leave a lot of questions unanswered, which is why we have established an inter-departmental team of experts with which we can help our customers find answers to questions such as these and develop extensive system concepts that are compliant with the GDPR,” said Hantsche.
One of the requirements of the regulation is for personal data to be encrypted in line with modern technical standards and implementation costs and in consideration of the nature, scope, circumstances and purposes of processing, as well as the probability of occurrence and severity of the risk.
“But which data is directly or indirectly personal? And what does ‘in line with modern technical standards’ even mean for individual components and systems? Is asymmetrical encryption with RSA always necessary everywhere, or is AES encryption, ECC or the hybrid SSL/TLS encryption adequate in some cases?” said Hantsche, giving food for thought. There are similar ambiguities with the other regulations.
“If you look around in various online forums on this topic, you’re more likely to find people worried about not being able to satisfy the requirements rather than answers. Many of them anticipate a rush of cease-and-desist orders. With our team, we are able to not only provide our customers with relevant answers, but also offer adequate solutions.”
Rutronik’s GDPR Expertise Team includes specialists from the Storage Media, Wireless Communication, Embedded Boards, Embedded Systems, Security Modules, Microcontrollers, Displays and Sensors product segments. It advises developers and portfolio managers on how they can design their data transfer, data storage and data processing systems securely.
“We discuss with the customer to find out which critical security aspects there are in their specific application, what the nature of the potential risks is, and how severe each risk is,” said Team Leader Hantsche, describing the process. “Once these points have been clarified, our team can develop a suitable GDPR-compliant system concept.”
This concept includes all components and systems that are in some way essential to security for the application. These must be precisely adapted to one another, as many of them are dependent on one another and can influence each other, which is why the various experts work closely together. As a broadline distributor, Rutronik has not only the components and systems but also the expertise needed to develop such concepts in full and offer its customers complete solutions – “the all-in-one carefree package”, so to speak.
In addition to personal advice, the team of experts is also working with the relevant manufacturers to prepare a comprehensive reference book containing all the fundamental knowledge and practical information needed for components, technologies and complete applications.
“Concentrating on the traditional aspects of data transfer, data storage and data processing isn’t enough. For instance, social engineering is becoming an increasingly critical topic – and device manufacturers are expressly advised to take this seriously.” Social engineering involves criminals sneaking a look at PIN codes or passwords simply with a pair of binoculars or stealing keys or RFID transponders to open doors or authorize the use of devices. This enables them to circumvent any PIN protection and any difficult-to-crack password.
“But even against social engineering, there are remedies, for instance biometric retinal scanners and fingerprint sensors, 3D camera systems for facial recognition, or at least special displays with a particularly small viewing angle,” said Hantsche. “Even choosing the right wireless protocol and mechanisms that detect malware as early as when booting the system make a criminal’s work harder.”
Speakers – another privacy risk
Whether it’s the “ding ding bah” in fruit machines, background music in the elevator or supermarket or the cigarette dispenser that informs you that “your choice is currently not available” – speakers are being used in an increasing number of different devices. And fruit machine users or shoppers usually have their smartphones with them. This combination can be exploited for spying: some apps require access to the microphone during installation, which many users barely notice. In spring 2017, the Braunschweig University of Technology discovered 234 apps in the Google Play store alone with Silverpush’s Ultrasonic Tracking Beacon function. Even if GPS localization is deactivated, this enables a smartphone to detect where its user currently is. Here, loudspeakers send high-frequency codes of between 18 kHz and 20 kHz – barely perceptible to the human ear, but easily receivable by the microphone in the smartphone – a clear violation of data protection legislation!
A security concept might include the following components in this situation: a TPM (Trusted Platform Module) that detects malware during the boot process, secure and encrypted communication with valid certificates and asymmetrical or hybrid key exchange, and a range of other security measures on all vertical software and communication layers. Outside of digital communication, it may also be advisable to employ a low-pass filter that filters out higher frequencies and a loudspeaker that is optimized for frequencies beneath 18 kHz, such as the AS09208AR-R from PUI Audio.
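The low-pass measure described above can be checked in software. The following is an added example, not code from Rutronik or the original article: it measures the strongest component in the 18–20 kHz band of an audio buffer before and after a digital stand-in for the low-pass stage. The 48 kHz sample rate, 15 kHz cutoff, 101-tap filter length and the two test tones are assumptions chosen for illustration.

```python
import math

FS = 48_000   # sample rate in Hz (assumption)
TAPS = 101    # FIR length (assumption)

def tone(freq, amp, n):
    return [amp * math.sin(2 * math.pi * freq * i / FS) for i in range(n)]

def goertzel_amplitude(x, freq):
    """Amplitude of the sinusoidal component of x at freq (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for v in x:
        s1, s2 = v + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2 * math.sqrt(max(power, 0.0)) / len(x)

def ultrasonic_peak(x, lo=18_000, hi=20_000, step=100):
    """Strongest component found in the 18-20 kHz band named in the text."""
    return max(goertzel_amplitude(x, f) for f in range(lo, hi + 1, step))

def lowpass_fir(cutoff_hz, taps=TAPS):
    """Hamming-windowed sinc low-pass, normalised to unity gain at DC."""
    fc, mid = cutoff_hz / FS, (taps - 1) / 2
    h = []
    for i in range(taps):
        m = i - mid
        ideal = 2 * fc if m == 0 else math.sin(2 * math.pi * fc * m) / (math.pi * m)
        h.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * i / (taps - 1))))
    total = sum(h)
    return [v / total for v in h]

def fir_filter(x, h):
    """Convolve and keep only fully overlapped output (no start-up transient)."""
    k = len(h)
    return [sum(h[j] * x[i + k - 1 - j] for j in range(k)) for i in range(len(x) - k + 1)]

def demo(n=4800):
    # Constructed input: 1 kHz audible tone plus a 19 kHz tone standing in for a beacon.
    raw = [a + b for a, b in zip(tone(1_000, 0.5, n + TAPS - 1), tone(19_000, 0.1, n + TAPS - 1))]
    clean = fir_filter(raw, lowpass_fir(15_000))
    window = raw[TAPS - 1:]  # same n samples the filtered output covers
    return {"raw_peak": ultrasonic_peak(window), "filtered_peak": ultrasonic_peak(clean),
            "audible_after": goertzel_amplitude(clean, 1_000)}

if __name__ == "__main__":
    print(demo())
```

The same `ultrasonic_peak` measurement can serve as an acceptance check on a device's audio output path: the band should stay near the noise floor while the audible content passes unchanged.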