ARM: Hold my beer, we'll install patches for your crappy IoT gear for you

CPU designer touts cloud to push updates securely to all devices


ARM TechCon Processor designer ARM will squirt security fixes directly into internet-connected gadgets to hopefully keep them defended from hackers.

Manufacturers of Internet-of-Things gizmos and other embedded products have complained that updating gear in the field is too much hard work. That means devices are rarely patched when security bugs are found, clearing the way for hackers to hijack vulnerable hardware to spy on people, flood websites offline, and cause other havoc.

So ARM has come up with mbed Cloud, a software-as-a-service platform that securely communicates with firmware in devices to install fixes and feature updates. Product makers pay to remotely manage all their sold kit. Crucially, they pay for what they use – whether it's pushing updates, or connecting millions of units, and so on.

It's similar to the cloud Next Thing Co has set up for its C.H.I.P. Pro: a web-based management interface for updating firmware over the internet, plus controls on the data leaving the devices.

Announced today, mbed Cloud 1.0 is due to reach general availability in the first quarter of 2017. Toshiba is already testing the system with its smart factory applications, Advantech is using it with its industrial control products, and Zebra is checking out ARM's tech with its asset-tracking and healthcare gear.

ARM designs the CPU cores at the heart of millions upon millions of smartphones, tablets, cameras, home electronics, handheld games, microcontrollers, embedded devices, pretty much anything battery powered. If anyone has the clout to form a one-cloud-to-rule-them-all, it's Blighty-based ARM.

This centralized approach has good and bad sides – let's take a look at them.

The good

ARM's architecture illustration (not reproduced here) gives the basic structure: the device on the left runs ARM's open-source mbed OS with the application on top. A middle layer communicates securely with ARM's cloud, which distributes updates and manages data flows; those services then plug into the backend systems that process data from, and control, the devices. Manufacturers control the grey righthand side and log into the blue device-services portion hosted by ARM. They tell the SoftBank-owned biz how they want their devices managed and which updates to push, and then the software takes over.

Here's a closer look at how the layers plug together. In ARM's layer diagram, the top layer runs in ARM's mbed Cloud and the bottom layer is the actual device. According to Michael Horne, ARM's veep for IoT sales, mbed Cloud can work with backends running on any platform – from Amazon AWS and Microsoft Azure to IBM's Bluemix – and you can use multiple cloud providers if you wish. You may want to send system telemetry from gadgets to one provider and sensor data to another, for example; there is the ability to control where data goes and to limit which software and services are allowed to access it.

The bottom layer is also supposed to work on any device and with any operating system, not just ARM's, so vendors who want to stick with MIPS or x86, and Linux or some real-time operating system, can do so. All communications are automatically encrypted using the open-source mbed TLS library, formerly PolarSSL, which does have a bug bounty program. mbed also uses CoAP to package up the data exchanged with the cloud; it runs over UDP and is far more lightweight than HTTP, so it is less taxing for battery-powered widgets with constricted network access. It also supports OMA LWM2M with caching, so sensor data need not be constantly shuttled back to base: if a reading hasn't changed, the last value is served from the cloud's cache.
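To show what "more lightweight than HTTP" means on the wire, here is a minimal CoAP (RFC 7252) encoder and parser written for this article; it is not mbed's code. The request and response below are constructed for the example, and the LwM2M path /3/0/0 is the Device object's Manufacturer resource. The block builds the confirmable GET a LWM2M server would send to read that resource, decodes it back, counts the bytes against the HTTP equivalent, and refuses the truncated and malformed messages a hostile peer might send, checks a hand-rolled parser on a constrained device is prone to skip.

```python
"""Minimal CoAP (RFC 7252) framing: encode/decode with bounds checks.
Added example for this article, not mbed's stack. Only the Uri-Path (11)
and Content-Format (12) options are used; the parser handles any option."""
import struct

CON, NON, ACK, RST = 0, 1, 2, 3          # message types
GET = 0x01                               # request code 0.01
CONTENT = (2 << 5) | 5                   # response code 2.05 Content
URI_PATH, CONTENT_FORMAT = 11, 12

def _ext(value):
    """Split an option delta or length into its 4-bit nibble and extension bytes."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack(">H", value - 269)

def encode(mtype, code, msg_id, token=b"", options=(), payload=b""):
    """options: (number, value) pairs; sorted by number, order kept within a number."""
    if len(token) > 8:
        raise ValueError("token longer than 8 bytes")
    out = bytearray(struct.pack(">BBH", (1 << 6) | (mtype << 4) | len(token), code, msg_id))
    out += token
    last = 0
    for num, val in sorted(options, key=lambda o: o[0]):   # stable sort: repeated Uri-Path keeps order
        dn, dext = _ext(num - last)
        ln, lext = _ext(len(val))
        out += bytes([(dn << 4) | ln]) + dext + lext + val
        last = num
    if payload:
        out += b"\xff" + payload                         # payload marker
    return bytes(out)

def _read_ext(nibble, data, pos):
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return data[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack(">H", data[pos:pos + 2])[0] + 269, pos + 2
    raise ValueError("reserved nibble 15 in option header")

def decode(data):
    if len(data) < 4:
        raise ValueError("short header")
    b0, code, msg_id = struct.unpack(">BBH", data[:4])
    if b0 >> 6 != 1:
        raise ValueError("unsupported CoAP version")
    mtype, tkl = (b0 >> 4) & 3, b0 & 0xF
    if tkl > 8:
        raise ValueError("invalid token length")          # 9..15 are reserved
    if len(data) < 4 + tkl:
        raise ValueError("truncated token")
    token, pos = data[4:4 + tkl], 4 + tkl
    options, num = [], 0
    while pos < len(data) and data[pos] != 0xFF:
        dn, ln = data[pos] >> 4, data[pos] & 0xF
        pos += 1
        try:
            delta, pos = _read_ext(dn, data, pos)
            length, pos = _read_ext(ln, data, pos)
        except (IndexError, struct.error):
            raise ValueError("truncated option header")
        num += delta
        if pos + length > len(data):
            raise ValueError("option value overruns message")   # classic length-field pitfall
        options.append((num, bytes(data[pos:pos + length])))
        pos += length
    if pos == len(data):
        return {"type": mtype, "code": code, "msg_id": msg_id, "token": bytes(token),
                "options": options, "payload": b""}
    if pos + 1 == len(data):
        raise ValueError("payload marker with empty payload")   # RFC 7252 s3: format error
    return {"type": mtype, "code": code, "msg_id": msg_id, "token": bytes(token),
            "options": options, "payload": bytes(data[pos + 1:])}

def lwm2m_read_request(msg_id, token):
    """CON GET /3/0/0: LwM2M Device object, instance 0, Manufacturer resource."""
    return encode(CON, GET, msg_id, token, [(URI_PATH, b"3"), (URI_PATH, b"0"), (URI_PATH, b"0")])

def lwm2m_read_response(msg_id, token, value):
    """Piggybacked ACK 2.05 with Content-Format 0 (text/plain), sent as an empty option."""
    return encode(ACK, CONTENT, msg_id, token, [(CONTENT_FORMAT, b"")], value)

def http_equivalent():
    """Roughly the same request in HTTP/1.1, for a byte-count comparison."""
    return b"GET /3/0/0 HTTP/1.1\r\nHost: device.example\r\nAccept: text/plain\r\n\r\n"

def rejects(data):
    """True if decode() refuses the message as malformed."""
    try:
        decode(data)
    except ValueError:
        return True
    return False
```

The whole read request is 12 bytes (4-byte header, 2-byte token, three one-byte Uri-Path segments each with a one-byte option header) against roughly 60 for the HTTP version, and it needs no connection setup. The two checks worth copying into any real implementation are the `option value overruns message` test, which stops a length field from reading past the datagram, and the rejection of a payload marker with nothing after it, which the RFC defines as a message format error.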

"Everything is built around the idea that you have to have a trustworthy device, trustworthy communications, and the ability to manage those trust relationships," said Horne.

"When a new IoT device is put online, typically it'll have a key that will have been injected into it during manufacturing and it will reach out and phone home, if you will, to mbed Cloud to get new credentials and a new key to establish a secure channel between the device and the cloud.

"The firmware update component is an important part of that as well. Typically in the bootstrapping process you may want to load a new OS, or maybe the OS needs updating because it's out of date – that is seamlessly taken care of via a simple and easy to use interface for controlling all of that."

Horne added that the factory-set key could be held in some kind of secure storage or in a TrustZone CryptoCell. One scenario in our mind is that the device holds a public key used to verify it really is talking to its legit backend servers, which hold the corresponding private key. That alone only authenticates the backend to the device, though; for the cloud to tell one device from another, and to refuse a cloned or counterfeit unit, the injected key must also be unique per device, whether a private key or a pre-shared secret. From this trusted base, the device builds a secure channel and update mechanism.
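The bootstrap Horne describes, as an added example: this is not ARM's code and mbed Cloud's actual protocol is not public in the article, so the design is ours. It assumes a per-device symmetric factory key (the pre-shared-key style DTLS also offers) rather than the public key of the scenario above, because it keeps the example in the standard library and because it shows the point made there, that a per-device secret is what lets the cloud authenticate the device. Both sides prove knowledge of the factory key K_f bound to fresh nonces from each party, the key itself never crosses the wire, and the operational credential K_op is derived on both ends rather than transported. The `Cloud`, `Device` and `kdf` names and the device IDs are constructed for the example.

```python
"""Device bootstrap from a factory-injected key (illustrative; not ARM's protocol).

Assumed design: each device leaves the factory with a unique 32-byte key K_f and
an ID; the cloud keeps (id -> K_f). On first boot, device and cloud run a mutual
challenge-response over K_f and derive fresh operational credentials, so K_f is
never sent and never used for data traffic."""
import hmac, hashlib, secrets

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation; the label keeps the three derived values distinct."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)   # length-prefix each field, no ambiguity
    return h.digest()

class Cloud:
    def __init__(self):
        self.factory_keys = {}      # device_id -> K_f, loaded from manufacturing records
        self.operational = {}       # device_id -> K_op once bootstrap completes

    def enroll_from_factory(self, device_id, k_f):
        self.factory_keys[device_id] = k_f

    def bootstrap_response(self, device_id, dev_nonce):
        """Step 2: prove we hold K_f for this ID, bound to the device's nonce and ours."""
        k_f = self.factory_keys.get(device_id)
        if k_f is None:
            return None                                   # unknown device: refuse
        srv_nonce = secrets.token_bytes(16)
        proof = kdf(k_f, b"server-auth", device_id, dev_nonce, srv_nonce)
        return srv_nonce, proof

    def finish(self, device_id, dev_nonce, srv_nonce, dev_proof):
        """Step 4: check the device's proof, then derive the same K_op the device did."""
        k_f = self.factory_keys.get(device_id)
        if k_f is None:
            return False
        expected = kdf(k_f, b"device-auth", device_id, dev_nonce, srv_nonce)
        if not hmac.compare_digest(expected, dev_proof):
            return False
        self.operational[device_id] = kdf(k_f, b"operational", device_id, dev_nonce, srv_nonce)
        return True

class Device:
    def __init__(self, device_id, k_f):
        self.id, self.k_f, self.k_op = device_id, k_f, None

    def bootstrap(self, cloud):
        dev_nonce = secrets.token_bytes(16)                        # step 1: phone home
        resp = cloud.bootstrap_response(self.id, dev_nonce)
        if resp is None:
            return False
        srv_nonce, proof = resp
        expected = kdf(self.k_f, b"server-auth", self.id, dev_nonce, srv_nonce)
        if not hmac.compare_digest(expected, proof):               # step 3: is this our backend?
            return False
        dev_proof = kdf(self.k_f, b"device-auth", self.id, dev_nonce, srv_nonce)
        if not cloud.finish(self.id, dev_nonce, srv_nonce, dev_proof):
            return False
        self.k_op = kdf(self.k_f, b"operational", self.id, dev_nonce, srv_nonce)
        return True

def demo():
    dev_id, k_f = b"dev-0001", secrets.token_bytes(32)             # constructed factory data
    cloud = Cloud(); cloud.enroll_from_factory(dev_id, k_f)
    dev = Device(dev_id, k_f)
    results = {"legit": dev.bootstrap(cloud),
               "keys_match": dev.k_op is not None and dev.k_op == cloud.operational.get(dev_id)}
    # Impostor backend: knows the ID but not K_f, so it fails the step-3 check.
    rogue = Cloud(); rogue.enroll_from_factory(dev_id, secrets.token_bytes(32))
    results["rogue_cloud"] = Device(dev_id, k_f).bootstrap(rogue)
    # Counterfeit device claiming a real ID without K_f: cannot verify the
    # server's proof, and could not produce a valid device proof either.
    results["cloned_id"] = Device(dev_id, secrets.token_bytes(32)).bootstrap(cloud)
    # A forged device proof sent straight to step 4 is rejected.
    results["forged_proof"] = cloud.finish(dev_id, b"n" * 16, b"m" * 16, b"\x00" * 32)
    # An ID the factory never enrolled is refused outright.
    results["unknown_id"] = Device(b"dev-9999", k_f).bootstrap(cloud)
    return results
```

What the example deliberately does not do is send K_op in either direction: both sides compute it from K_f and the two nonces, so a passive observer of the exchange learns nothing usable, and K_f is touched only during bootstrap, which is exactly the property you want if it lives in a CryptoCell or other secure store. In production the exchange would run inside (D)TLS rather than bare, and the factory key store on the cloud side becomes the asset to protect.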

"As table stakes, you've got to be able to update the firmware on these devices in a fail-safe, robust way to make sure that when devices need a security update or feature enhancements, you can do that," said Horne. He also said ARM is working on and investing in efficient ways to distribute updates across mesh networks and other deployment topologies, and to devices with limited memory or constricted bandwidth.
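What "fail-safe" has to mean in practice, as an added example rather than mbed Cloud's implementation: the device keeps two image slots, writes only to the inactive one, verifies the download against an authenticated manifest before anything is activated, switches slots with a single atomic boot-record update, and falls back automatically if the new image never confirms a good boot. It also refuses to go backwards in version, so an attacker cannot replay an old, vulnerable but validly authenticated image. The manifest here is authenticated with a MAC under the device's operational key K_op, which we assume was established at bootstrap; `Device`, `UpdateError`, `make_manifest` and the firmware bytes are constructed for the example.

```python
"""Fail-safe A/B firmware update (illustrative; not mbed Cloud's implementation).

Assumptions: two flash slots, a small boot record naming the active slot that is
rewritten atomically, a manifest {version, size, sha256} authenticated by the
cloud under the device's operational key K_op, and a bootloader that reverts to
the previous slot if the new image never confirms a successful boot."""
import hashlib, hmac, json

class UpdateError(Exception):
    pass

class Device:
    def __init__(self, k_op: bytes, initial_image: bytes, version: int):
        self.k_op = k_op
        self.slots = {"A": initial_image, "B": b""}
        self.boot = {"active": "A", "version": version, "pending": None}   # written atomically
        self.min_version = version                                        # anti-rollback floor

    def _manifest_ok(self, manifest: bytes, tag: bytes) -> bool:
        # Nothing in the manifest is trusted until its MAC under K_op checks out.
        return hmac.compare_digest(hmac.new(self.k_op, manifest, hashlib.sha256).digest(), tag)

    def stage(self, manifest: bytes, tag: bytes, image: bytes) -> str:
        """Verify, write to the inactive slot, mark it pending. Never touches the running slot."""
        if not self._manifest_ok(manifest, tag):
            raise UpdateError("manifest not authentic")
        m = json.loads(manifest)
        if m["version"] <= self.min_version:
            raise UpdateError("rollback refused: version %d <= %d" % (m["version"], self.min_version))
        if len(image) != m["size"] or hashlib.sha256(image).hexdigest() != m["sha256"]:
            raise UpdateError("image does not match manifest")       # truncated or tampered download
        target = "B" if self.boot["active"] == "A" else "A"
        self.slots[target] = image
        # One atomic boot-record write: the bootloader will try the new slot exactly once.
        self.boot = {**self.boot, "pending": target, "pending_version": m["version"]}
        return target

    def reboot(self, new_image_boots: bool) -> str:
        """Bootloader logic. Returns the slot the device ends up running from."""
        pending = self.boot.get("pending")
        if pending is None:
            return self.boot["active"]
        if new_image_boots:
            # The new image ran and confirmed itself: commit it and raise the version floor.
            self.boot = {"active": pending, "version": self.boot["pending_version"], "pending": None}
            self.min_version = self.boot["version"]
        else:
            # Watchdog or confirmation timeout: drop the attempt and keep the old image.
            self.boot = {"active": self.boot["active"], "version": self.boot["version"], "pending": None}
        return self.boot["active"]

def make_manifest(k_op: bytes, version: int, image: bytes):
    """Cloud side: describe the image, then authenticate that description."""
    manifest = json.dumps({"version": version, "size": len(image),
                           "sha256": hashlib.sha256(image).hexdigest()}, sort_keys=True).encode()
    return manifest, hmac.new(k_op, manifest, hashlib.sha256).digest()

def demo():
    k_op = b"\x11" * 32                                     # constructed operational key
    dev = Device(k_op, b"firmware v1", 1)
    v2 = b"firmware v2"
    man, tag = make_manifest(k_op, 2, v2)
    out = {}
    # A manifest whose MAC has been altered is rejected before the image is even hashed.
    try:
        dev.stage(man, tag[:-1] + bytes([tag[-1] ^ 1]), v2)
        out["bad_tag"] = "accepted"
    except UpdateError as e:
        out["bad_tag"] = str(e)
    # A tampered image under a genuine manifest is rejected before anything is written.
    try:
        dev.stage(man, tag, v2 + b"\x90")
        out["tampered"] = "accepted"
    except UpdateError as e:
        out["tampered"] = str(e)
    # Good image staged to B, but the new image fails to boot: device comes back on A.
    dev.stage(man, tag, v2)
    out["after_failed_boot"] = dev.reboot(new_image_boots=False)
    # Second attempt boots and confirms: B becomes active and version 2 is committed.
    dev.stage(man, tag, v2)
    out["after_good_boot"] = dev.reboot(new_image_boots=True)
    # Replaying the genuine v1 manifest and image is refused by the version floor.
    old_man, old_tag = make_manifest(k_op, 1, b"firmware v1")
    try:
        dev.stage(old_man, old_tag, b"firmware v1")
        out["rollback"] = "accepted"
    except UpdateError as e:
        out["rollback"] = str(e)
    return out
```

The caveat a practitioner will want: because the manifest is authenticated with a MAC, anyone who obtains the cloud-side copy of K_op can push firmware to that device, so a compromise of the management service is a compromise of the fleet. Signing the manifest with an asymmetric key held offline by the vendor, with only the public key pinned in the device (the scenario sketched above), removes that dependency, and the rest of the state machine is unchanged.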

"It's a bit new for ARM," admitted Horne on the subject of the mbed Cloud software-as-a-service approach. "In terms of a business model, it's something that's pretty well understood in the marketplace. In feedback, our customers are quite comfortable with that model, with ARM delivering device management as a service. It's very modular so you use what you want.

"We also have an API that makes it very, very easy for a manufacturer to develop an application in the cloud that will integrate with mbed Cloud to manage their devices."

mbed Cloud comes in four components: Connect, which handles secure comms; Provision, which works with built-in keys to establish trust with the backend; Update, which installs software enhancements on devices; and Client, which connects the device application to the manufacturer's backend and other trusted providers.

So far, so good. The idea is to securely push patches and new features to devices over the internet, from a web browser or API, in a way so simple that manufacturers will fall over themselves to jump onboard – and, bam, holes get closed before hackers can exploit them to create vast armies of hijacked devices. If patch distribution is such a PITA for IoT makers, maybe mbed Cloud is the solution they're looking for, allowing them to market their gear as secure, trustworthy and all that jazz. They already rely on ARM for their processor cores, so why not go the whole hog and use it for device management?

Regulations and laws that make automatic patching mandatory could be about to hit the industry – and if so, this robust approach suddenly looks appealing. No manufacturer wants to end up recalling devices that have been mass hacked because there's no easy way to fix them in the field, as China's Xiongmai just had to do. Pushing firmware fixes from the cloud sounds like a great way to avoid future pain, you may think.

