SANTA CLARA, Calif.—According to security experts, the cyberattack that shut down large portions of the Internet in the US last week was extremely easy to predict. But if you ask ARM, the company that makes the chips inside many of the devices involved in the attack, defending against another one like it is not so simple.
ARM's microprocessors are present in the vast majority of smartphones and devices that make up the Internet of Things (IoT). Its executives and partners convened this week in Silicon Valley for an annual conference that could not have been better timed: after last week's attack, everyone who owns an Internet-connected baby monitor is probably wondering what they can do to protect themselves from hackers.
The most obvious solution, as it is for most things in the tech industry these days, lies in the cloud. Consumers who own webcams, thermostats, Wi-Fi routers, smart lightbulbs, and the like can't possibly expect to keep their software and firmware all up to date—it's hard enough to keep up with Windows 10 updates.
So ARM is now proposing a cloud solution that will enable device manufacturers to push software and firmware updates over the air without consumers doing anything.
"If you're a device maker building some IoT product, you really ought to be worrying about constantly updating the firmware that's in it," ARM CEO Simon Segars said. His solution, called Mbed Cloud, is part open-source operating system and part Salesforce-like platform: manufacturers will pay a nominal fee every time they use it to push an update to one of their devices, but they can customize the OS and install it on the device for free.
Mbed Cloud is not unique: there are dozens of remote device management solutions currently on the market, and nearly all of them claim to offer some sort of protection against hackers. So its principal advantage is that it comes from ARM, which means it will automatically work with the chips in 99 percent of the world's smartphones and tablets and millions of more mundane devices, from traffic lights to refrigerators.
"Any ARM licensee building a device based around our technology can do so in a way where the software that's on the chip can talk to Mbed Cloud," Segars said. "Those basic security features that any IoT device is going to need can be provided for."
But asked how effective it would be at preventing an attack like the one that crippled US Internet infrastructure last week, ARM's experts still hedged their bets. A lot will depend on whether or not the cloud is able to detect abnormal network activity, explained Michael Horne, who's in charge of marketing for ARM's IoT unit.
Theoretically, the cloud would flag a massive increase as the result of a cyberattack—say, if a camera is designed to upload data once an hour but starts uploading multiple times per second. But because much of Mbed Cloud will be open source, its capability to detect such an increase depends on what type of data the device manufacturer allows it to access.
"Our customers own their data," Horne said. "We don't."
ARM's challenge, then, is the same one that faces IoT security experts like Michael Krebs, who tells anyone who will listen about how putting billions of devices on the Internet without a careful plan to protect them against hackers is a bad idea. Segars agrees.
"Just yesterday we were looking at a product that somebody had built using an ARM-based chip," he said. "The security is non-existent. I mean, scarily bad. You can see the Wi-Fi password going by in clear text. Lots of people are building products like that."
Before last week, though, even people who are early adopters of IoT devices likely didn't lose sleep over how they're secured. Now that consumer awareness has perked up, Segars hopes that companies making light bulbs baby monitors now will pay more attention to security.
"Are people worrying today about constantly updating the firmware?" Segars wondered. "Probably not, but they ought to, and the hacks of the last couple weeks should tell people that you need to worry about this."