ARM Launches IoT Security Framework
ARM is launching a "secure core" approach to bulletproofing the Internet of Things that addresses network security at the microcontroller level.
The approach introduced at a company event this week seeks to provide a framework for embedding security into the next wave of connected IoT devices that must be "born secure," the chip specialist asserted. The U.K. company also announced it would release its platform security specifications and Cortex M-series firmware source code.
"Rising [IoT] device diversity requires common principles" for security, ARM's Alex Harrod noted.
Along with it framework for scaling IoT security, ARM is releasing new silicon designs for secure devices, including the first in a new line of "security enclaves" dubbed CryptoIsland 300. The proposed "trust zone" also includes ARM's Cortex-M33 line of processor cores.
The IoT security approach initially targets ARM v8-M devices.
Early examples of stepped up "on-die security" within the framework include replacing vulnerable default passwords on IoT devices with certificate-based authentication. That vulnerability was exploited last year by hackers using malware that turned breached devices into an IoT botnet that was used to launch denial-of-service attacks.
The malware dubbed "Mirai" searched for IoT devices secured only with factory default usernames and passwords. Certificate-based authentication uses digital credentials as a kind of "handshake" to verify the identity of a user or device before granting access to a network.
ARM's hardware-based security approach also includes over-the-air update capability used to fix vulnerabilities in deployed IoT devices, explained Rob Coombs, ARM's security marketing manager. The IoT security framework also includes a "smartcard-level" security platform that targets storage and other applications requiring high-end security and isolation.
Also released this week is a debugging function that allows secure access to IoT devices after they have been deployed.
Ultimately, ARM said it hopes to drive the security framework deeper into IoT deployments at the microcontroller level as more devices are connected. It also argues that its focus on microcontrollers will reduce overall security costs.
In announcing its acquisition of ARM last year, SoftBank Chairman Masayoshi Son projected 1 trillion devices by 2035.
Hence, the company maintains that networking deployments are in a transition period where microcontroller-based embedded devices are moving to "IoT scale," Harrod said. As networks scale to include any device with a microcontroller, the company is focusing on securing those connections then managing those devices.
"This means that security cannot be an afterthought across all parts of the value chain from device to cloud," the company noted.
The hardware-based security architecture also is based on "immutable" devise identity along with a trusted system boot sequence along with certificate-based authentication and secure software updates. The security framework provides hardware and firmware specifications, implementation of firmware source code and security analysis.
Among ARM's early cloud partners are China's Alibaba (NYSE: BABA), Google (NASDAQ: GOOGL) and Microsoft Azure (NASDAQ: MSFT).