Arm: Security Isn’t Just a Technological Imperative, It’s a Social Responsibility

by Steve Hoffenberg | 10/31/2017

As the world’s leading provider of semiconductor intellectual property, Arm is in a unique position to help secure the tens of billions of devices that will be coming to the Internet of Things. And in light of the numerous high profile security breaches that have occurred over the past year, it should come as no surprise that security was the major focus of the 2017 Arm TechCon conference in Santa Clara, CA.

PSA
At the TechCon event, Arm unveiled two significant security initiatives. The first was a cluster of security technologies, dubbed Platform Security Architecture (PSA), a framework and reference implementation for designing and building secure connected devices. PSA brings together Arm’s hardware security features, open source reference firmware, and support of IoT ecosystem participants from chipmakers to cloud service providers. The main principles of PSA include:

  • Secure device identity
  • Trusted boot sequence
  • Secure over-the-air firmware updating
  • Certificate-based authentication

(Details of PSA can be found here: https://developer.arm.com/products/architecture/platform-security-architecture.)
Secure device identity can be a double-edge sword, as Intel learned back in the late 1990s when it encountered backlash after it added unique identifiers to its CPUs, as users were concerned about being tracked. Intel later devised a solution to this issue with its Enhanced Privacy ID (EPID) technology that enables devices to anonymously attest that they authorized devices. Intel has since made EPID open source and royalty-free, and VDC believes that, ironically, Arm and its partners could benefit from offering Intel’s EPID as an element of the PSA.

The Security Manifesto
Arm’s second initiative at TechCom was its “Security Manifesto,” which was the centerpiece of CEO Simon Segars’ keynote presentation. The Security Manifesto is a broad conceptual attempt to get the IoT industry to accept its responsibility (a “Social Contract”) to provide users with secure products and services.
The Security Manifesto lists these guiding principles:

  • We must inspire trust as we scale the connected world
  • No company is exempt from the Social Contract with users
  • Security is a collective industry responsibility and is both an opportunity and challenge
  • Advanced security intelligence should be distributed throughout the IoT
  • Security must be a primary design consideration and be focused on lifetime protection
  • We must build security systems that deal with potential human error

(Download of Arm’s Security Manifesto document is available at http://pages.arm.com/iot-security-manifesto.html.)

VDC’s Take
Failure to secure connected devices and digital services could inhibit the growth of the entire IoT, and thus have tremendous negative impact on Arm’s potential future business. Therefore, Platform Security Architecture and the Security Manifesto are in Arm’s best interests. But beyond that, these initiatives appear to be sincere attempts by Arm to help the IoT industry get its act together addressing security.

However, Arm’s TrustZone security hardware has been included in Cortex-A processors for more than 10 years, yet actual usage of TrustZone is relatively low outside of the mobile phone market and content delivery devices (such as set top boxes, where the security is to protect the content, not the user). Arm’s greatest challenge isn’t to provide the technological underpinnings of a secure system, it’s convincing device makers (particularly OEMs of low-cost consumer products) that they need to design effective security measures into their products. The effort will fail unless the business interests at those OEMs are willing to include security in their product specifications to their engineers. All it takes is one or two OEMs with lax security in their devices to enable another botnet attack like Mirai.

Arm’s Platform Security Architecture should help OEM engineers design secure products with little or no impact on either bill-of-materials costs or time-to-market. And the Security Manifesto should give them reason to do so. We commend Arm for taking a strong stance on the importance of security and hope that device makers will get on board.

View the 2017 IoT & Embedded Technology Research Outline to learn more.


ADDRESS


TWITTER FEED