ARM on IoT Security: 'You Need to Worry About This'


SANTA CLARA, Calif.—According to security experts, the cyberattack that shut down large portions of the Internet in the US last week was extremely easy to predict. But if you ask ARM, the company that makes the chips inside many of the devices involved in the attack, defending against another one like it is not so simple.

ARM's microprocessors are present in the vast majority of smartphones and devices that make up the Internet of Things (IoT). Its executives and partners convened this week in Silicon Valley for an annual conference that could not have been better timed: after last week's attack, everyone who owns an Internet-connected baby monitor is probably wondering what they can do to protect themselves from hackers.

The most obvious solution, as it is for most things in the tech industry these days, lies in the cloud. Consumers who own webcams, thermostats, Wi-Fi routers, smart lightbulbs, and the like can't possibly expect to keep their software and firmware all up to date—it's hard enough to keep up with Windows 10 updates.

So ARM is now proposing a cloud solution that will enable device manufacturers to push software and firmware updates over the air without consumers doing anything.

"If you're a device maker building some IoT product, you really ought to be worrying about constantly updating the firmware that's in it," ARM CEO Simon Segars said. His solution, called Mbed Cloud, is part open-source operating system and part Salesforce-like platform: manufacturers will pay a nominal fee every time they use it to push an update to one of their devices, but they can customize the OS and install it on the device for free.

Mbed Cloud is not unique: there are dozens of remote device management solutions currently on the market, and nearly all of them claim to offer some sort of protection against hackers. So its principal advantage is that it comes from ARM, which means it will automatically work with the chips in 99 percent of the world's smartphones and tablets and millions of more mundane devices, from traffic lights to refrigerators.

"Any ARM licensee building a device based around our technology can do so in a way where the software that's on the chip can talk to Mbed Cloud," Segars said. "Those basic security features that any IoT device is going to need can be provided for."

But asked how effective it would be at preventing an attack like the one that crippled US Internet infrastructure last week, ARM's experts still hedged their bets. A lot will depend on whether or not the cloud is able to detect abnormal network activity, explained Michael Horne, who's in charge of marketing for ARM's IoT unit.

Theoretically, the cloud would flag a massive increase as the result of a cyberattack—say, if a camera is designed to upload data once an hour but starts uploading multiple times per second. But because much of Mbed Cloud will be open source, its capability to detect such an increase depends on what type of data the device manufacturer allows it to access.

"Our customers own their data," Horne said. "We don't."

ARM's challenge, then, is the same one that faces IoT security experts like Michael Krebs, who tells anyone who will listen about how putting billions of devices on the Internet without a careful plan to protect them against hackers is a bad idea. Segars agrees.

"Just yesterday we were looking at a product that somebody had built using an ARM-based chip," he said. "The security is non-existent. I mean, scarily bad. You can see the Wi-Fi password going by in clear text. Lots of people are building products like that."

Before last week, though, even people who are early adopters of IoT devices likely didn't lose sleep over how they're secured. Now that consumer awareness has perked up, Segars hopes that companies making light bulbs baby monitors now will pay more attention to security.

"Are people worrying today about constantly updating the firmware?" Segars wondered. "Probably not, but they ought to, and the hacks of the last couple weeks should tell people that you need to worry about this."

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    Survey Findings from "The State of Mid-Market Cybersecurity"

    Download Arctic Wolf Networks recently conducted a survey in partnership with Vanson Bourne that reveals major gaps between the perception and reality of cybersecurity challenges.The survey found that mid-market enterprises had very high confidence in their cybersecurity defenses, but in reality they struggled to defend against malicious activity that has become more sophisticated, more targeted and severe.
  • 5300c769af79e

    Mirai Botnet Moves to Take Liberia Offline

    The Mirai botnet, which unleashed a massive DDoS attack that crippled US Internet access last month, may have been used in another attempt to take the entire country of Liberia offline this week.ZDNet reports that a Mirai-based botnet, called "Botnet 14," has spent much of the past week intermittently attacking IP addresses of the two telecom operators that co-own the only fiber cable coming into the West African nation of Liberia.
  • 5300c769af79e

    Understanding Evasive Protocols and the Role They Play in Cybersecurity

    Download Threats that hide in high ports and streaming network traffic aren't being detected or stopped by standard cybersecurity solutions.Learn how evasive protocols such as TOR operate, and why most standard solutions are failing to contain them.
  • 5300c769af79e

    Amazon Cracks Down on Review Freebies

    The updated community guidelines provide a limited exception for reviews generated through the Amazon Vine program, which provides strict guidelines that are designed to ensure the integrity of the product review process.The new policy does not apply to books, which may be provided free for review, noted Chew.