Arm Launches Security Framework As IoT Devices Promise To Make Everything Less Secure

It’s no secret by now that the vast majority of (Internet of Things) IoT devices have little to no security, as well as a poor track record of support. This can and has caused many issues over the years, for both the customers who bought those devices and the companies being targeted by botnets that are powered by hacked IoT devices.

Arm, whose microcontrollers are in billions of devices, has now launched a security framework called the Platform Security Architecture (PSA) to make it easier for IoT vendors to secure their products. Arm said that “security can no longer be optional” for IoT devices and hopes that this new system will protect “trillions” of IoT devices in the future.

IoT With Built-In Security

A year ago, Arm and Softbank, now its parent company, announced their vision for a trillion IoT devices. This vision is now in danger, as more people continue to hear about all the botnets and hacks happening due to IoT devices. Therefore, Arm has started working on helping device developers build security right into the firmware of IoT devices.

Arm believes that security can’t be an afterthought at any part of the value chain, from device to cloud. This is even more true for large ecosystems, like the 100 billion devices powered by Arm’s chips. Arm expects to power another 100 billion devices by 2021, and then a trillion connected devices by 2035.

A Common Industry Framework For Secure Devices

To address the issue around the lack of security for IoT devices, Arm and many of its partners are supporting the development of a common industry security framework.

The PSA will include three main components:

Representative IoT Threat Models and Security AnalysesHardware and firmware architecture specifications, built on key security principles, defining a best practice approach for designing endpoint devicesA reference open source implementation of the firmware specification, called Trusted Firmware-M

The main idea behind the PSA is to reduce both time and the cost of development for IoT vendors, while making it easier for them to enable relatively strong security for their devices and then update them over longer periods of time.

Open Source Firmware-M

Early next year, Arm will release an open source firmware as reference implementation for IoT devices that all IoT makers can use and modify. It's called "Firmware-M," and it will conform to all PSA specifications.

Initial development of Firmware-M will target ARMv8-M systems and is operating system-agnostic. Both Arm’s RTOS and Mbed OS platforms will be supported, too.

New Secure IP Components

Arm also announced some new security-related IP, such as an additional module for TrustZone (Arm’s “secure environment” for devices), called "TrustZone CryptoIsland.” The CryptoIsland will provide smart-card level of security for applications that require high levels of isolation and security, such as storage or automotive systems.

Another new security-related IP component is the Arm CoreSight SDC-600, where "SDC" stands for "Secure Debug Channel." This solution is meant to stop a whole range of IoT vendors, such as many surveillance camera and router makers, who tend to “forget” hardcoded authentication credentials into shipping products, which are then discovered by botnet developers. The solution is a dedicated authentication mechanism that gives IoT vendors secure debug access for their devices.

It’s not clear if this will also allow IoT makers to log remotely into their shipped IoT devices. Presumably most, if not all, will disable the access before shipping the devices to customers.

A More - Or Less - Secure Future?

Assuming the PSA succeeds in achieving its goal of bringing some strong security defaults to all future IoT devices (likely for devices coming out in 2019 and beyond), it doesn’t mean IoT devices will be unhackable. Like everything else that has a processor and software, there will be ways to hack them.

Plus, if there will be hundreds of billions of IoT devices with an internet connection out there, chances are there will be plenty of criminal groups and nation-states looking for a way to control as many of them as possible.

The PSA may significantly improve on the security of existing IoT devices, and that’s a good thing, but ultimately the IoT devices that replace the existing non-IoT products will never be as secure. An internet-connected “smart” light bulb will never be as secure as a regular light bulb. The same goes for smart doors, TVs, coffee makers, thermostats, cars, and everything else that will turn “smart” and get an internet connection over the next few years.

From that we can conclude that in the future we’ll probably be more exposed to hacking than ever before.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.