VeroGuard Systems
News (37)
- Cyber Threats to Critical Infrastructure: A Global Wake-Up Call
After hackers linked to China reportedly gained access to the IT networks of hundreds of small and medium-sized water and power utilities in the U.S., alarm bells are ringing for utilities and critical infrastructure (CI) operations across the world. In an attack that some observers suggest is pre-positioning for sabotage of water and power supplies should the U.S. look to intervene in any potential conflict with Taiwan, China has demonstrated the inherent weaknesses in operational technology (OT) systems that many have been calling out for the last decade.
The Ongoing Volt Typhoon Case
This type of threat is something that CISA (the U.S. Government’s Cybersecurity and Infrastructure Security Agency) first warned about over two years ago, after tactics, techniques, and procedures (TTPs) linked to the Chinese hacking group ‘Volt Typhoon’ were detected affecting networks across U.S. critical infrastructure, which led to the warning being issued to CI operators of the potential threat.
The Real-World Impact of Infrastructure Attacks
The consequences of a successful attack on CI can be severe – for example, a hospital without water supply would be forced to evacuate within hours. A shutdown in electricity generation could affect entire cities, bring transport to a halt and disrupt manufacturing facilities. Even when not directly targeting CI, cyberattacks can have far-reaching effects. We don’t need to look far to see how far a single intrusion can reach when industrial systems are subjected to a cyberattack. The recent Jaguar Land Rover (JLR) hack forced the complete shutdown of production lines globally and reportedly affected over 5,000 related organisations. This incident is being described as the most expensive cyberattack ever in the UK, with estimated economic losses of £1.9 billion (US$2.55 billion), and JLR losing £50 million per week from the shutdown.
Costs to business are one measure, but the cost to society could be far greater given the potential turmoil a successful attack on a city’s infrastructure could generate. It is no surprise, then, that government cyber agencies would issue directives such as CISA 23-02, which required all US Gov Agencies to immediately implement controls to block access to web interfaces on appliances. While important, these seemingly small changes have wide-ranging impacts on the operational actions and running costs of utility companies.
Persistent Vulnerabilities in Utility Networks
According to Dark Reading’s review of attacks on US water utility companies, there remain significant issues with network and system security, such as:
  - Inadequate identity and access controls for devices and users.
  - Poor segmentation of IT/OT networks.
  - Legacy OT equipment, often with weak authentication (some reportedly still using default credentials) and remote connectivity.
  - Under-resourced utilities: little staffing, small budgets, less mature cyber practices.
  - Insufficient monitoring and incident detection in OT/ICS domains.
  - Default credentials / insecure configurations of ICS/SCADA devices.
While PLC vendors are increasingly building security features into their devices, the vast majority of operations don't typically run this next-generation gear.
Strategic Priorities for CI Operators
To mitigate risk, CI operators should prioritise:
  - Strong identity & device authentication across both IT and OT domains.
  - Network and device segmentation, especially isolating OT from general IT.
  - Reducing attack surfaces by disabling insecure remote access, default credentials, open ports.
  - Continuous monitoring for unusual activity or lateral movement within networks.
The Role of VeroGuard in Securing CI
The VeroGuard Platform offers a scalable and effective solution for protecting access to systems and technology assets.
Role of VeroGuard / VeroMod
  - Hardware-based identity for OT devices: VeroMod reduces the risk of rogue devices and lateral exploitation.
  - User identity verification: VeroCard ensures secure authentication for personnel.
  - Virtual air gap and segmentation: VeroMod allows OT devices to communicate only with authorised endpoints, maintaining isolation while enabling remote access.
  - Legacy infrastructure protection: Utilities can retrofit VeroMod onto existing OT systems, enhancing security without costly replacements.
  - Scalable for resource-constrained utilities: The platform reduces reliance on large in-house cyber teams, addressing the “target rich but cyber poor” challenge.
VeroGuard offers the next generation of platform that secures connected systems, machines and data. The VeroGuard Platform ELIMINATES credential and identity compromise on open networks to act as the foundation of any zero-trust deployment. With our ecosystem partners, VeroGuard’s modern end-to-end ICAM solution provides Next Generation MFA^ and advanced Attribute Based Access Control (ABAC) for powerful granular access management to systems and assets. Any critical infrastructure operator migrating to the Cloud, connecting OT and IT networks, wanting to exploit open networks for machine communications, or looking to secure their supply chain should assess the VeroGuard Platform.
^Next Generation MFA: Secure hardware bound cryptographic authenticator (NIST AAL3) with identity verification. Phish-resistant, Tamper-resistant, Verifier impersonation-resistant, Compromise-resistant.
- The Spring Onion Hack: Why Your PC’s Security Might Be a Joke.
In a bizarre twist that sounds more like satire than cybersecurity research, it was recently demonstrated that a spring onion (yes, the vegetable!) could be used to bypass security on Dell devices by exploiting firmware vulnerabilities. This isn’t just a quirky headline – it’s a serious wake-up call for anyone relying on built-in device security like TPMs or biometrics.
What Happened?
The vulnerability, as reported by Computer Weekly, involves flaws in Dell’s firmware that could allow an attacker to bypass secure boot mechanisms. The researchers showed that even with a Trusted Platform Module (TPM) present, the system could be compromised using physical access and “clever manipulation” – like using a vegetable to trigger capacitive sensors – highlighting how superficial some security implementations can be.
The Problem: Trusting the Wrong Hardware
The Dell vulnerability highlights a fundamental flaw in modern device security: even when a PC has a secure element like a TPM, it’s not truly secure if the firmware can be tampered with. In general, these devices lack tamper-resistance, meaning attackers can gain physical access to probe secure circuits and manipulate them to reveal their secrets. And then there’s biometrics. The “Spring Onion Hack” shows how biometric authentication can be spoofed or bypassed. Once considered cutting-edge, biometrics are now continually proving to be inherently insecure when used as the sole method of authentication.
The Limitations of TPM and Biometrics
TPM: Not a Silver Bullet
  - TPMs are embedded in general-purpose devices and rely on firmware integrity.
  - If the firmware is compromised, the TPM can be rendered ineffective.
  - TPMs lack physical tamper resistance in most consumer devices.
Biometrics: Convenient but Insecure
  - Biometric data is not secret.
  - Can be spoofed and bypassed.
  - The “Spring Onion Hack” shows how easily sensors can be tricked.
The VeroGuard Solution: Security by Design
At VeroGuard, we believe security should be purpose-built, not patched together from consumer-grade components. Here’s how our solution addresses the issues exposed by the Dell incident:
Purpose-Built Hardware Authenticator
VeroGuard uses a dedicated hardware authenticator that is designed from the ground up for secure identity verification. The VeroCard is dedicated solely to identity-based functions. It has no physical ports for external connections and cannot be remotely activated, ensuring it remains isolated and secure from unauthorised access.
Tamper Resistance Is Non-Negotiable
Security that can be physically bypassed isn’t security at all. VeroGuard’s authenticator is engineered with true tamper resistance and certified to payment industry specifications, ensuring that even if an attacker has physical access, they can’t compromise the device or the credentials it protects.
No Biometrics, No Guesswork
We don’t rely on biometrics. Why? Because 1) they’re not secret, and 2) they’re probabilistic and not deterministic. Biometric authentication systems are intentionally designed to tolerate slight variations in input, because no two biometric scans – even from the same person – are ever exactly identical. Ironically, a 100% match is often treated as suspicious, since it may indicate a replay attack using a previously captured biometric sample. VeroGuard uses cryptographic keys stored in secure hardware.
Out-of-Band Authentication
Most importantly, VeroGuard’s authentication process occurs outside the target device. This out-of-band approach means that even if the PC or phone is compromised, the authentication remains secure. The device never sees your credentials, making phishing and malware attacks highly ineffective.
Final Thoughts: Don’t Let Your Security Be a Joke
The spring onion hack is amusing – until you realise it could happen to your business.
It’s time to stop trusting consumer-grade security and start demanding real protection. VeroGuard offers a solution that is not just secure in theory, but secure by design.
  - Dedicated hardware designed specifically for secure identity verification.
  - Purpose built for authentication – NOT general-purpose use.
  - Out of Band – Authentication occurs outside the target device.
  - Hardware Security Modules – Credentials are never exposed to the device, reducing phishing and malware risks.
  - Engineered with true tamper-resistance – keys are wiped if tamper is detected.
- Was that a Passkey Breach?
No, but could this be a sign of what's ahead? Researchers recently reported encountering a phishing attack in the wild that bypasses multifactor authentication using passkeys, the industry-wide standard being adopted by thousands of sites and enterprises. Further review of the attack path has shown that the bad actor did not bypass the passkey authentication but was successful in using a downgrade path to achieve their goal of accessing the user’s account. While this review emphasises that passkeys remain a strong and secure method for MFA, it also highlights that not all authenticator types should be considered equal, and that software bound credentials and implementations (in this case the implementation of the passkey authentication standard) should never be completely trusted.
TL;DR
While smartphone-based passkeys improve user convenience, they compromise FIDO2’s foundational hardware-bound security model. In high-risk environments, only dedicated hardware authenticators like VeroCard can maintain cryptographic integrity, attestation trust, and robust phishing resistance.
What Happened in the Recent "Downgrade" Phishing Attack Using FIDO2 Cross-Device Sign-In?
In a recent report (mid‑2025), researchers at Expel observed a real-world phishing campaign by the group known as PoisonSeed, which exploited the cross-device sign-in feature in a clever adversary-in-the-middle attack:
  - Victims received a phishing email directing them to a counterfeit enterprise login portal.
  - After entering credentials, the phishing site relayed them in real-time to the legitimate site and triggered a cross-device sign-in request.
  - The legitimate site generated a QR code for authentication, which the phishing page immediately captured and displayed.
  - When the victim scanned the QR code with their phone, they unknowingly authenticated the attacker to the legitimate site.
While this manoeuvre downgrades FIDO2 authentication to a weaker flow and is not a breach of the FIDO2 protocol, it uses the weakness of the downgraded process, facilitated by a smartphone-based passkey, to obscure what is really happening from the victim.
Why Using a Smartphone as a FIDO2 Authenticator Is Insecure
Using a smartphone as a FIDO2 authenticator introduces fundamental security trade-offs that break key FIDO2 security assumptions, fracture passkey provenance and can enable bad actors to run a downgrade attack on passkey authentication. Passkeys created and stored on smartphones provide a convenience-security compromise that may be acceptable for consumers, but remains unsuitable for enterprise, critical infrastructure, or regulated environments. For these use cases, dedicated hardware authenticators like a VeroCard are the only way to maintain the original security promise of FIDO2.
Breaking FIDO2’s Original Core Security Premise
FIDO2 was designed with the principle that the private keys never left the security of the hardware authenticator. Driven by the consumer desire for convenience, the FIDO2 specification was revised to allow synchronisation of passkeys across cloud ecosystems so that users could easily access systems and sites using a single passkey. When users sync passkeys across devices using cloud services (like iCloud Keychain or Google Password Manager), the baseline security of passkeys is violated:
  - The private credential is copied to multiple devices.
  - Security of passkeys is now dependent on cloud account protections, not local hardware.
  - If a cloud account is compromised, all passkeys are accessible remotely.
  - In some environments users can share passkeys with others – fracturing any assertion of passkey attestation.
This turns a local, hardware-bound credential into a cloud-distributed secret, significantly weakening the trust model.
How VeroCard Solves These Issues
VeroCard restores the original FIDO2 security promise by:
Hardware-Enforced Isolation
  - Private keys remain protected in hardware at all times.
  - Each key is device-bound and tied to the physical VeroCard hardware.
No Cloud Syncing
  - Eliminates risks from iCloud, Google account, or password manager compromise.
  - No cross-device duplication or migration of credentials.
Downgraded flows are not allowed:
  - VeroCard does not allow the use of QR code downgrades.
  - A single user gesture, PIN entry, and subsequent passkey login provide a full MFA without the need for any other factors.
VeroGuard further enhances security by:
Requiring User Verification
  - VeroCard enforces user presence through PIN verification for every login.
  - PIN verification is completed by the VeroGuard Platform prior to allowing the passkey to be used.
  - Requires explicit user interaction resulting in identity verification and impersonation resistance.
Origin Binding Enforced in Platform
  - VeroGuard verifies the relying party (domain) has been permitted for the user, and ensures credentials are domain-specific.
Centrally managing VeroCards:
  - Tracking and managing devices
  - Block use of and remove credentials
  - Block VeroCard if lost
Offering certified end to end process
  - Common Criteria
  - PCI-PTS
Summary
| Risk Area | Smartphone Passkeys | VeroCard |
| Private key leaves device | ❌ Yes (via cloud sync) | ✅ No |
| Cloud account attack risk | ❌ High | ✅ None |
| Cross-device phishing exposure | ❌ Possible | ✅ Prevented |
| True hardware-based isolation | ❌ Weak | ✅ Strong |
| Enterprise-grade assurance | ❌ Lacks | ✅ Delivers |
| Verified user presence | ❌ Optional or implicit | ✅ Required (and verified) every time |
| Phishing/AiTM resistance | ⚠️ Can be bypassed with cross-device flows | ✅ Guaranteed |
| Hardware certification & standards | ⚠️ Some component level | ✅ EAL2+/PCI-PTS |
VeroGuard is Common Criteria EAL 2+ certified and VeroCard also holds PCI-PTS certification (standards for PIN security), along with FIDO2.
Other Pages (30)
- People | VeroGuard Systems
Amongst the most pressing concerns currently holding back the effective implementation of a digital economy is that of delivering a secure digital identity.
For Government
A unified, universal digital identity platform for Government departments accelerates the ability to bring services online for citizens, secures data and improves administrational procedure.
For Corporate
Industry leading ID management solutions, secure remote login options for staff and the ability to store your organisation’s data assets with confidence. A single, unified system to achieve all this and more.
Citizen ID
The transition to a digital economy requires a trusted, efficient and unified secure method for accessing government services. A VeroGuard Citizen ID seamlessly connects citizens to government services and stops access by impostors to provide trust between citizens and Government. Our platform not only switches between government and corporate applications, but is designed to certify into existing financial networks to utilise existing schemes and settlements at cardholder present level online. It automatically complies with banking identity frameworks and existing retail payment terminals. Citizen ID allows for easy and ultra-secure access to online services for any level of government. It is a universal solution that enables secure online proof of age, online voting, E-health data, E-Prescriptions, digital public transport wallets, event ticketing and so much more.
For more information: VeroGuard Citizen ID
Business ID
Protect your supply chain with the best available security and discover the absolute surety of non-repudiable verification. VeroGuard Business ID is a unified and indisputable solution for verifying the source of all interactions between organisations in your supply chain.
In addition to identity management, the solution provides unmatched protection for documents and data, reduces cycle times and prevents the need for data re-entry. It's a universal ID layer for any existing platform that enables a single user account with authentication to access any authorised system. A VeroGuard Business ID provides indisputable, non-repudiable proof of identity for all digital communications and transactions. Our solution verifies every interaction between businesses, as well as those between business and government. VeroGuard stops unauthorised access to systems and data.
For more information: VeroGuard Business ID
Employee ID
Deliver unmatched identity and access management with black-box to black-box level security for communications and data across a single network for organisations and their eco-systems. A VeroGuard employee ID is a unique digital ID allowing for anchored identification, single sign-on, multi-purpose access and verification unified at the user with interoperability across in-house, cloud and hybrid environments. It enables simple, ultra-secure messaging and verifiable identity across the internet, interoperable and compatible with most applications and operating systems. A VeroGuard employee ID replaces ID cards, e-wallets, proximity cards for building access, credit and debit cards, tokens, loyalty cards, licences, e-signatures and more. It’s the only solution that provides indisputable, non-repudiable verification for absolute digital protection.
For more information: VeroGuard Employee ID
Unified, Universal Digital Identity for People
Amongst the most pressing concerns currently holding back the effective implementation of a digital economy is that of delivering a secure digital identity. Current identity systems are based on face-to-face interactions, and on physical documents and processes.
In a world that is ever more governed by digital transactions and data, existing methods for managing security and privacy are not adequate. The number of identity dependent transactions is growing through increased use of digital channels, and the complexity of these transactions is increasing just as rapidly. Customers have come to expect seamless delivery of services across all platforms and regulators are demanding more transparency around every transaction. Meanwhile, cyber criminals are using more sophisticated technology and tools to conduct their illicit activity. This issue affects every segment of the economy, from government to corporate and even the private citizen. Discover why indisputable, non-repudiable verification of identity is critical to any response against this threat.
- Secure Access Management Solutions | VeroGuard Systems
Safeguard your business with secure access management solutions. VeroGuard ensures the best protection and secure access management.
Corporate
Eliminate the threat of identity fraud in your business and across your supply chain. VeroGuard provides the highest level of protection available for your digital assets and boosts efficiency with the power of indisputable verification. Your organisation’s private internal data deserves the best protection, and nothing less than absolute surety will do.
For Solutions
The economic impact of cybercrime on businesses is on average a multimillion-dollar concern. Data breaches can prove damaging to any brand and, in fact, for many businesses and executives, such a breach can prove terminal. Adopt a VeroGuard universal digital identity system and rest assured you have the best available protection against fraud.
Purpose
VeroGuard stops unauthorised access to systems and data. Adopting our universal digital identity platform enables a single user account to access all authorised systems with just one authentication point. While existing solutions require users to have multiple sets of credentials that must be memorised or written down, indisputable digital verification provides a single, impenetrable entry point to all systems required and eliminates fraud. Employee access isn't the only concern. While this critical data is stored at rest, it can easily become subject to hacking attacks. Why settle for anything less than the best available protection?
Security
Online security begins with identification, and nothing less than absolute surety will do. Identity systems have always been based on face-to-face interactions, physical documents and processes. The transition to a digital economy requires radically different identity systems.
In a world that’s increasingly governed by digital transactions and data, existing methods for managing security and privacy are no longer adequate. The number of digital-identity dependent transactions is growing through increased use of digital channels. Customers expect seamless service delivery with the most user-friendly experience. Indisputable identity verification by VeroGuard stops unauthorised access to systems and data.
Energy
The VeroGuard platform offers sophisticated cyber security to meet the substantial demands of the modern energy sector. Absolute digital protection is necessary to maintain constant reliability and resilience, even in the event of a cyber-attack. This presents a unique challenge for the energy sector in that systems under attack cannot be easily disconnected from the network as this could potentially result in safety issues or blackouts. VeroGuard supports grid stability in a cross-border interconnected energy network by verifying the authenticity of machines and humans in and across networks. Developed on .NET, VeroGuard is an easy platform to integrate with, using APIs that will support both legacy and modern applications.
Logistics/Supply Chain
VeroGuard provides the complete confidence of a fully integrated, ultra-secure supply chain. As demand increases for efficient delivery of online services, so too does the complexity of supply chains for businesses of all sizes. Every additional link in the supply chain, especially those which are automated, represents another opportunity for data to be compromised. The VeroGuard platform secures each step of the process with non-repudiable identity verification and securely links IoT, business and humans. Moreover, it provides reliable and efficient digital infrastructure that converges multiple functions such as security, identity and payments. This helps to manage existing IT complexity and lower risk as well as increasing the speed of cashflow between suppliers.
Defence
The unique VeroGuard platform can build capability and a defence level security posture for the Industry. Deployment of VeroGuard’s solution would provide a response to the barriers faced by the defence industry’s contractors, immediately lift industry capability and position them to win and service defence business and improve security throughout the ecosystem. VeroGuard delivers an HSM based secure access platform for all industry members and Defence itself to engage and share resources. In combination with universal, unified HSM based digital identity management and the most secure cloud storage available in the world, VeroGuard can help to build a trusted defence industry ecosystem.
Ready to get VeroGuard?
Take control of your online and digital operations and experience the confidence of absolute protection from identity fraud. Eliminate the danger of data breaches and minimise expenditure with unique identity management solutions, remote login options and industry leading security for data at rest. A single, unified system can achieve all this and more without the need for expensive infrastructure. There's no reason to leave your assets unprotected – the time to act is now.
Prefer to keep your privacy?
Call us and see how we can work together: +61 (03) 9558 3090
- VeroMod | VeroGuard Systems
Vero Machine Identity is a Hardware Security Module (HSM) based solution that provides unparalleled security for IoT devices and applications.
VeroMod
VeroMod is a non-repudiable digital identity for any internet connected device that utilises Hardware Security Module (HSM) embedded Digital ID and encryption. It enables indisputable verification of the device for online communications, providing black box grade security for any IoT application.
Banking Grade Security for Devices
VeroMod utilises a unique key for every transaction and operates with no known source of encryption. The module features AS 2805/ISO 8583 messaging in order to provide true banking grade security, ensuring that no user authentication data can ever be exposed during transmissions. The data can never be retrieved from the hardware itself either, as VeroMod is completely tamper resistant, featuring multiple hardware fail-safes. These ensure that all data is erased if any attempt is made to physically manipulate the module.
Absolute Online Device Protection
VeroCard is your personal digital identity. A universal, unified card that enables non-repudiable authentication online for the very first time. It connects to the VeroGuard network to provide absolute protection of your identity in online transactions, communications or when accessing almost any system, as well as enabling superior privacy control. VeroCard is also the perfect tool for convenient management of digital identity access. It acts as a secure point of entry to provide non-repudiable access to websites, applications, cloud storage, physical access, SCADA, payment and many other systems through our secure platform, with real-time authentication utilising hardware encryption to make it the best protection for guaranteeing online identity ever created.



