Tackling a Trillion Points of Weakness

ARM Unveils Security Framework for IoT Devices

In 2016, at ARM’s annual developer conference, ARM and SoftBank chairman Masayoshi Son predicted that there would be 1 trillion connected devices by 2035. That’s an incredibly large number, but one that’s not easy to refute. As connected locks and light bulbs fill the market, things are certainly headed in that direction.

If Mr Son is correct, there will be about 125 connected devices for every person on the planet. But the security track record at this early stage of the Internet of things (IoT) is spotty: security has often been an afterthought as companies rushed to get connected products on the market or adapted products from old-school hardware markets. For IoT to reach its potential, these devices will need to win the confidence of consumers and industrial customers. Trading convenience for security, or designing security down to a budget, isn’t a business model that will work in the long run.

On Monday, ARM announced its first attempt at a common industry framework for building secure connected devices. The move supports the major IoT investments it has made in its Mbed OS, Mbed Cloud and Mbed Edge solutions — the latter of which is designed to help manage and scale the abundance of devices that will connect through an intermediary, such as a gateway, rather than directly to the cloud.

ARM unveiled the Platform Security Architecture (PSA) at its TechCon event in Santa Clara, California, which CCS Insight attended. ARM expects the service to change how security is perceived and implemented in devices. Many important industry players are already endorsing or supporting PSA and the principles it’s based on. They include BT, Cisco, EE, Google, NXP, Silicon Labs, Symantec and Vodafone.

The framework signals a fundamental shift in IoT security. It enables ecosystems to build on a common set of ground rules to reduce costs, time and risk associated with security development in the industry. PSA is a set of free, open-source code and instructions that define how a device’s software and firmware should be designed to make it secure. It’s essentially a checklist and corresponding set of tools that should, in theory, help device makers build products that are harder to hack.

Like Intel’s open-source Enhanced Privacy ID service, which is also deployed in IoT, PSA will encourage companies to use security certificates instead of passwords on connected hardware, so that hackers can’t exploit default passwords to take control of a large number of devices. More than that, it will suggest that all hardware receive software updates, to allow security flaws to be patched easily. The framework will also urge manufacturers to use better forms of hardware identification, so that a device’s credentials can’t be compromised.

ARM hopes the industry will adopt its new set of rules to hit the magic number of 1 trillion connected products. To achieve this, security has to be heightened throughout the value chain from device to the cloud. The company is hoping that by providing checklists and source code to the industry, it will prompt device makers to lock down their devices.

PSA’s role as a deeply integrated part of the Mbed portfolio puts it in a strong position. Broad early support is encouraging, but ARM will have to establish its solution as a de facto standard. There’s also a strong need for a system-wide IoT security framework, beyond protecting the devices themselves. There’s a long way to go to a trillion, and airtight security will be a principal enabler.