Why counterfeit components in IoT hugely impact market and reputation

And how secure authentication can help address the issue

Consumer brands have long had issues with counterfeit goods and cloning. But in the world of connected devices, the consequence of grey market components has the potential to create much more damage to the market, to a brand’s reputation and to safety.

The internet of things (IoT) is clearly beneficial to many aspects of business process improvements, driving efficiency, reducing downtime, and much more, in almost every industry vertical. However, the fact that devices are connected via the internet means there are multiple points within the network that could also be affected.

This is of major concern when manufacturers may not have fully visibility of the authenticity of devices and products within the supply chain. In a 2018 Deloitte survey of 500 procurement leaders from 39 countries, it found that supply chain transparency is poor, with 65% of them having limited or no visibility beyond their tier one suppliers.

The lack of visibility means counterfeit – or grey market – products can potentially enter the connected network if not properly authenticated. If a cloned component is introduced and does not meet the original component’s specifications, the equipment it is monitoring may end up not meeting the necessary operating requirements, especially if the newly introduced counterfeit components have poorer characteristics that the original device.

Depending on the system or application which relies on these components, there could be many different outcomes which can have significant unintended consequences. For example, in a factory, it could result in faulty products due to incorrect monitoring of the appropriate parameters and tolerances that may be necessary to maintain high quality production.

Another scenario is in a food or pharmaceutical supply chain which relies on accurate or precise temperature or humidity monitoring of food and medicines; consumers could end up becoming ill or products going to waste because they are made ineffective as a result of transgressing stringent parameters during transport. And in industrial plants, there could be consequences of ineffective environmental monitoring if harmful by products or emissions are not properly controlled.

All these cases affect many of the links in the chain – from the manufacturer of the original components, all the way to the end customer, whether it is a business or the end-consumer. For the original component manufacturer there could be a huge reputational impact, which in turn results in loss of business and market share. In addition, if cloned devices have entered the supply chain, there are also potential liability issues, especially when the proof of origin of the cloned component is not clear.

This is why a robust and unique device identity is vital – new components that enter the connected network must prove that they are genuine with a cryptographic authentication. The necessary cryptographic keys for this authentication have to be personalized in a secure manner during production. This personalization of cryptographic keys in different kinds of IoT endpoints can be performed by Secure Deploy, a technology developed by Secure Thingz / IAR Systems for seeding a device identity during device manufacturing itself in a controlled manner.

For example, Secure Deploy allows full control of the number of produced devices with a specific firmware and ensures a backtracking capability to the manufacturing line. Different hardware security mechanisms to protect the device identity, cryptographic keys and production counters can be configured during the development of the device firmware with help of the IAR Systems/Secure Thingz toolchain, especially Embedded Trust.

Both technologies, Secure Deploy and Embedded Trust, together allow together complete control of IoT endpoints throughout the supply chain and efficiently prevent grey-market devices, which are likely to have their origin outside the controlled supply chain. This not only protects the OEM, but also ensures robustness of IoT infrastructures, which are based on reliable endpoints with a proven origin and unique identity.