At last, a glimmer of hope that a company with industry clout might be about to impose order on flaky Internet of Things (IoT) security.
The saviour-in-waiting is ARM’s open source Platform Security Architecture (PSA), announced this week at the company’s TechCon show, a reference spec for which was promised for early 2018.
Terms like “architecture”, “framework” and “platform” can sound a bit abstract but the gist of the PSA is that it does a lot of difficult legwork for companies who fancy using ARM’s hardware to build their own IoT products and services.
Before designing anything, ARM’s engineers say they modelled likely attacks on different kinds of IoT devices before working out how to protect them.
For example, smart meters are a common IoT device vulnerable to remote attacks which, ARM reasons, can only be protected against by wrapping the meter in verified boot architecture (to stop firmware tampering), based on strong crypto, with a trust architecture to manage it.
What they’ve come up with is the open source “Trusted Firmware-M” designed to work with the company’s ARMv8-M processor architecture. This makes possible:
- A proper root of trust
- A protected crypto keystore
- Software isolation between trusted and untrusted processes
- A way of securely updating firmware
- Easy debugging down to chip level
- A reliable cryptographic random number generator
- On-chip acceleration to make crypto run smoothly
For smart meter developers, building this on their own would lie somewhere between technically complex and economically impossible, one reason why this sector has ended up riddled with security problems.
The most infamous example of where those security problems can lead was last year’s Mirai, a botnet built by hijacking appallingly-secured IoT devices such as routers and webcams.
One insecure webcam is a problem for its owner. Tens of thousands of insecure webcams, corralled into something with the power to launch disruptive DDoS attacks on well-known internet services, are a problem for all of us.
Things have become so bad that the US Congress has even roused itself to propose an Internet of Things Cybersecurity Improvement Act, as a way of enforcing basic standards on device and gateway makers before the crack of doom. Because it’s hard to make this mandatory, a labelling scheme might be needed to sort the wheat from the chaff.
Is the arrival of PSA the moment when things change?
It certainly has backing, including from Google’s Cloud, Microsoft Azure, Cisco and Vodafone, as well as a host of smaller device makers who probably already use ARM kit. Big-name endorsement is important because big names provide (or would like to provide) the platforms on which a growing number of IoT devices operate.
It will also make the security side of IoT development a lot cheaper and easier for device makers of all kinds who will be able to use it to solve myriad complex security problems they might once have ignored or under-estimated.
One slightly confusing issue is that ARM already has the Mbed OS (and Mbed Cloud), launched in 2014 to do something that sounds very similar to the PSA but running on the ARMv7-M architecture. Apparently, PSA doesn’t yet support it but will do so in the future.
Perhaps the biggest takeaway from the PSA is that fixing this sector is not going to be cheap, or quick.
It’s true that the reference architecture is open source but implementing it depends on additional layers such as certificate-based authentication which, presumably, ARM will be delighted to offer at a price.
Device makers, and their customers, have been warned – IoT can be fixed but only by radically reforming the chaotic business model that has powered its breakneck growth rates.
4 comments on “Can ARM save the Internet of Things?”
Cheers for ARM!
Agreed. It’s only a first step, but it’s a big one (cue Neil Armstrong quote here).
I’m uncertain what a digital cartwheel looks like, but I think I just accidentally did a couple.
Manufactures of IoT devices need to be held accountable for not securing the product in the first place.
I think the approach most companies have with IoT is that the vendor is responsible. Personally I disagree with that approach which is more akin with assigning blame rather than solving the problem.
Why not assume that all IoT devices are inherently insecure by default and, to be perfectly honest, not bother with security at all. Then figure out a way to make the traffic from these devices to become secure – better firewalls and traffic inspection. If you were to re-write the data layer to include authentication by default then a lot of DDoS attacks would fail.