We are in the middle of a security arms race on devices. It is a never-ending cycle where hackers will think of new ways to find vulnerabilities and where we in the industry constantly try to stay one step ahead with innovations that lead to better and stronger security. This means searching for security solutions for an increasing number of secure use cases and implementations on a growing list of different devices.
The challenge for the industry is that security threats and attacks on devices are broad, ever-evolving and come in many different forms. As a result, there is no single, magical “silver bullet” security solution. It is a multi-dimensional challenge that needs to be addressed in a variety of different ways. Companies will need to assess the threats and see which solutions work best for them.
Security on consumer devices, such as smartphones, laptops, Smart TVs and wearables, is one area Arm is looking to enhance and improve all the time. All of our security solutions conform to a Trusted Execution Environment (TEE), which consists of hardware-based isolation technology, trusted boot and a small trusted OS, offering protection against software attacks. This is essentially the “secure area” of a main processor, providing security features such as isolated execution, protecting the integrity of applications executing within the TEE, and protecting the confidentiality of assets. Every secure device in the world will run some form of a TEE.
While there are multiple and evolving security threats on devices, there are five use cases that will be vitally important for security on devices now and in the near future – content protection, payment, image verification, user authentication and electronic ID. Prioritizing the security threats on these key use cases will be vital for those looking to stay one step ahead on security.
One of the traditional use-cases driving security requirements on devices is content protection. For example, making sure the latest Netflix show cannot be extracted from your device. Streaming providers and content owners, such as movie studios, require higher levels of security for rendering higher resolutions. Protecting 8K content in the future will be even more important, but also challenging because of the added complexity of protecting video on different tiers and different types of devices.
As the mobile phone becomes integral to people’s every-day life, more use cases are moving towards this device. One such example is mobile payment, as seen through the emergence of Google Pay, Samsung Pay and LG Pay. Payments made via a mobile wallet are more secure because they generally include authentication of users through biometric verification. This lowers the risk of fraud for the consumer, credit card networks and banks. However, it also provides security challenges because of the variety of implementations currently on the market, with some being more secure than others. Moreover, it could be difficult for a credit card network or bank to gain confidence in the security of transactions when they don’t have the ability to review every mobile device implementation. Therefore, a more scalable approach for secure payment transactions might be needed for the ecosystem.
Many security attacks come from exploiting old software. As a result, there has been a massive push led by Google and its partners to provide timely updates on devices. To deliver these system updates, devices need to be able to verify the origin of these updates. Moreover, devices check at boot-time that the image being booted is authentic and that no third-party has injected any malicious code since the last boot – this is known as Secure Boot. Also, image verification, both via Secure boot and when applying system updates, are essential to a secure Android ecosystem. Another compelling security reason is making sure devices cannot be downgraded to an older, vulnerable version – otherwise known as rollback prevention – which requires secure non-volatile storage.
As smartphones have evolved and more personal information is stored on them, having a locking mechanism has become necessary. However, entering a passcode hundreds of times a day quickly can be jarring. The industry has quickly managed to get rid of this problem thanks to fingerprint scanners and face unlock schemes. The secure processing and storage of these credentials are required for all these user authentication features, as they are the gatekeepers to all of the user data. The threat surface for biometrics is very large as the whole pipeline must be secure (from the sensor to the communication channels and processing). However, as the technology matures, biometrics are now being used to authenticate the user for multiple types of applications.
Today, fingerprint and facial recognition are used to authenticate the user for mobile payment transactions for a variety of application logins including retail, finance, health and even online games. In the future, it will be used for electronic IDs. In order to keep attackers at bay, a recent security method from Google has introduced increasing delays between failed attempts. The Weaver API introduced in Android Pie provides that functionality, requiring secure non-volatile storage to store the number of failed attempts between boots.
For new biometric authentication methods, like facial recognition, devices will need secure processing power to protect the model or algorithm at rest or runtime. As a result, machine learning (ML) becomes a crucial component for security, as there is a need to protect ML models and algorithms when they are using multiple CPUs and NPUs on devices. This is a new and significant challenge that Arm is looking at in more detail.
Up to now, having a physical ID has been required to prove your identity to authorities, or even your local gym or bar to show that you’re a member or of a certain legal age. However, in doing so people are giving away a lot more personal information than what is asked of them. For example, when you’re asked if you are over 18, you also give away your full name, your address and exact date of birth, when just proving that you are over the required age is needed. This problem could be solved by having smart electronic ID stored on your devices. Of course, this should not mean having lower security than existing ID schemes, such as biometric passports. In the near future, users will be able to store these existing ID details on the device and only share the relevant information to third parties, both online or in-person. This will be backed by secure elements on devices, exceeding the security requirements of physical IDs that can be stolen, copied or modified today.
At Arm, we invest in many different areas to improve our security offering across our wide ecosystem of partners with processors and subsystem protection (both hardware and software), as well as acceleration and offloading. Arm TrustZone technology provides system-wide hardware isolation for trusted software. The family of TrustZone technologies can be integrated into any Arm Cortex-A core, supporting high-performance application processors.
In 2018, we added new CryptoCell security IP products aimed at performant systems – CryptoCell-713 and CryptoCell-703 – to address the security time-to-market challenge for OEMs, silicon vendors and developers. These are integrated secure elements for System-on-Chip (SoC) designs. CryptoCell-713 is pre-integrated with existing Arm IPs and security architecture, providing the blueprint and implementation for security solutions. Both CryptoCell-713 and CryptoCell-703 can be applied to a range of devices including mobile, DTVs and set-top boxes and are also have fully certified through FIPS 140-2. All of these security products support the Platform Security Architecture (PSA), which is a free of charge architecture-agnostic framework to help secure devices from the ground up.
As more and more devices come to market, and more of our lives are run on them, security threats will only continue to increase. While the threats are diverse and multifaceted, there are key areas on devices that will demand the closest attention by the entire ecosystem, including Silicon Vendors, OEMs, OS Platforms and Application Developers. Addressing these areas will help to future-proof devices, as the security arms race continues to escalate at a great pace. Arm has the security solutions for devices that can help the industry stay one step ahead.
Learn about Arm's security solutions