Arm isn't saying IoT firmware sucks but it's writing a free secure BIOS for device makers

Take the hint, manufacturers of weak kit


TechCon Arm hopes to release open-source code early next year that will help secure Internet-of-Things devices – by encrypting their communications and installing over-the-air security fixes.

The firmware will be a reference implementation of what processor core designer Arm calls its Platform Security Architecture, details of which were published today.

The architecture sets out essentially a recipe for creating a device – such as a home security camera or a smart electricity meter – with these key features enabled by default, each relying on strong cryptography:

  • The ability to identify a device, authenticate with it, and encrypt its communications using certificates. This means software and users connecting to the gadget can ensure they're talking to the correct box, avoid using hardcoded and guessable passwords, and secure data flowing to and from the gizmo using encryption.
  • The ability to automatically download, verify and install legit software updates, and thus automatically patch device for security holes.
  • Provide a trusted boot sequence so that the OS running on the machine hasn't been tampered with by malware or hackers.

This recipe includes a shopping list of hardware requirements – such as a suitable cryptographically secure random-number generator – and a specification defining how software can access the above security features. Manufacturers of IoT products and other gadgets that use Arm-designed processors will be strongly encouraged to adhere to the architecture in future gizmos.

The blueprints were designed after Arm engineers studied various embedded devices out there powered by its processor cores, including the webcams and routers hijacked by the Mirai botnet used to wage war on the internet last year, and developed a threat model – basically, a description of typical miscreants commandeering internet-connected devices and the vulnerabilities exploited to achieve this. With this model in mind, the blueprint to tackle the flaws could be produced.

There are three main problems with many IoT devices today. They cannot be easily, or are rarely, updated with new software to patch over security holes, leaving them open to hijacking by hackers. They have hardcoded credentials – such as "admin" for the username and password – allowing miscreants and malware to login to their control panels and take over the device. They also send private information over the web in plaintext, allowing eavesdroppers to snoop on people's daily lives or tamper with the data in transit.

A puppeteer holding up some strings

Do fear the Reaper: Huge army of webcams, routers raised from 'one million' hacked orgs

READ MORE

Not all IoT devices are this bad; the latest smart home kit from big names, for example, take the above seriously. However, there are umpteen network-connected webcams, storage boxes, smart meters and TVs, infotainment systems, home routers, and other gadgets that bungle it one way or another, such as failing to automatically patch gear in the field or hardwiring in obvious passwords.

Rather than see a fragmentation of solutions to the above – basically, manufacturers each trying to solve these problems to varying degrees of failure – Arm decided to go ahead and develop an industry-wide architecture, in which security is non-optional, that it can press upon hardware makers that rely on its technology.

It was also, we suspect, driven by a pang of responsibility for the monster it inadvertently helped create. Arm's lightweight but capable processor cores are used in system-on-chips and microcontrollers that have fueled billions of internet-connected devices around the world, from whizzbang smartphones to crappy hacked webcams that get press-ganged into botnets. Terrible software running on Arm's cores is hardly Arm's fault. However, the chip designer is bent on getting a trillion connected devices online by 2035 – and if that's going to happen, then for fsck's sake, someone needs to secure it or it's going to be a frustrating and fractured future when our web-facing fridges and freezers are turned against us by internet fiends.

So, Arm has drawn up this Platform Security Architecture to lay the ground rules, and hopefully steer manufacturers toward not palming poorly secured Wi-Fi-connected tat onto us. And to get the ball rolling, a freely available open-source firmware implementing this platform architecture will be developed and released by Arm for its ARMv8-M 32-bit microcontrollers, which feature TrustZone among other security features.

This reference firmware, dubbed Trusted Firmware-M, is kinda like a secure BIOS: it's a thin layer of code that runs first thing on the processor, sets up services like automatic over-the-air updates and device identity, and then boots a verified and cryptographically signed operating system, such as your favorite real-time OS or Arm's own mbed OS. The software running on top of Trusted Firmware-M is expected to use the underlying security services so that secure over-the-air updates can be fetched and installed, and authentication using weak passwords will be a thing of the past. Well, we can all dream.

Déjà vu

If this seems familiar, it is. Arm touted very similar low-level technology in 2014: the aforementioned mbed OS. This was supposed to provide a consistent software interface across all the various and wildly different Arm-powered system-on-chips on the market, as well provide things like trusted boot and communications secured using TLS encryption.

We're told, though, that mbed OS is focused on ARMv7-M and older microcontrollers, whereas Trusted Firmware-M is strictly ARMv8-M, and the mbed team is still working on a reference Platform Security Architecture firmware for all Cortex-M cores. The idea is to run mbed OS on the ARMv7-M trusted firmware.

So, in summary, if you're using an ARMv8-M core in your product, you can use Firmware-M. If you're not, you'll have to wait for the mbed OS team to implement the security architecture in the form of a reference firmware for your Cortex-M microcontroller. Or you could write your own code by following the specifications.

This split is a little unfortunate, but it seems to us that this is due to mbed OS being a primarily ARMv7-M project, with a sizable number of chip families to support, and the security architecture team wanted to target the latest flavor of the Cortex-M range, ARMv8-M. It's also a handy way to drum up ARMv8-M licenses for future system-on-chip designers, by providing a trusted firmware layer right out the gate.

We hope the two halves, mbed OS and Firmware-M, will eventually be joined under a coherent branding.

In any case, it's not just all on Arm. Even with the trusted firmware in place, the software running above it has to make use of its services and avoid the usual pitfalls that leave systems open to attack. That means no more hardcoded passwords, no more buffer overflows that can be exploited, no more command-injection bugs in web-based control panels, no more plaintext network connections, no more programming blunders that would render the secure BIOS useless.

Unfortunately, switching to things like certificate authentication from simple passwords in applications will drive up development costs, which is unpalatable to manufacturers in razor-thin-margin embedded-hardware markets. In any secure system, every component is as strong as the weakest component. And all it takes is one bad, exploitable app-level bug to bring the house crashing down around you, hopefully not literally.

It's funny how crap third-party programmers never feature in threat models.

It's hoped market forces will play a role here, that non-security-architecture-conforming manufacturers will be called out or shunned, that shoppers will avoid gadgets that are repeatedly hacked, and that developers will regularly push out bug fixes via Firmware-M's update mechanism. Again, we can dream.

The reference firmware is due to arrive in the first quarter of 2018. Arm also said it will publish the security analyses it carried out on IoT devices during the development of the security architecture. This week, the Softbank-owned Brit chip architectures is holding its annual technology conference, Arm TechCon, in Silicon Valley. ®

Similar topics


Other stories you might like

  • Restructure at Arm focused on 'non-engineering' roles
    Meanwhile, CEO wants to vacuum up engineering talent amid return to stock market

    Updated Arm today told The Reg its restructuring ahead of its return to the stock market is focused on cutting "non-engineering" jobs.

    This is after we queried comments made this morning by Arm chief executive Rene Haas in the Financial Times, in which he indicated he was looking to use funds generated by the expected public listing to expand the company, hire more staff, and potentially pursue acquisitions. This comes as some staff face the chop.

    This afternoon we were told by an Arm spokesperson: "Rene was referring more to the fact that Arm continues to invest significantly in its engineering talent, which makes up around 75 percent of the global headcount. For example, we currently have more than 250 engineering roles available globally."

    Continue reading
  • Arm says its Cortex-X3 CPU smokes this Intel laptop silicon
    Chip design house reveals brains of what might be your next ultralight notebook

    Arm has at least one of Intel's more capable mainstream laptop processors in mind with its Cortex-X3 CPU design.

    The British outfit said the X3, revealed Tuesday alongside other CPU and GPU blueprints, is expected to provide an estimated 34 percent higher peak performance than a performance core in Intel's upper mid-range Core i7-1260P processor from this year.

    Arm came to that conclusion, mind you, after running the SPECRate2017_int_base single-threaded benchmark in a simulation of its CPU core design clocked at an equivalent to 3.6GHz with 1MB of L2 and 16MB of L3 cache.

    Continue reading
  • Intel is running rings around AMD and Arm at the edge
    What will it take to loosen the x86 giant's edge stranglehold?

    Analysis Supermicro launched a wave of edge appliances using Intel's newly refreshed Xeon-D processors last week. The launch itself was nothing to write home about, but a thought occurred: with all the hype surrounding the outer reaches of computing that we call the edge, you'd think there would be more competition from chipmakers in this arena.

    So where are all the AMD and Arm-based edge appliances?

    A glance through the catalogs of the major OEMs – Dell, HPE, Lenovo, Inspur, Supermicro – returned plenty of results for AMD servers, but few, if any, validated for edge deployments. In fact, Supermicro was the only one of the five vendors that even offered an AMD-based edge appliance – which used an ageing Epyc processor. Hardly a great showing from AMD. Meanwhile, just one appliance from Inspur used an Arm-based chip from Nvidia.

    Continue reading

Biting the hand that feeds IT © 1998–2022