Insecurity of things in the home

The smart home is becoming a reality

Finally, the smart home is starting to mean something to the average homeowner who is not a geek. It has taken time to get the key foundational elements in place to enable a connected smart home, as we all now take for granted internet connections with WiFi and think nothing of pairing a Bluetooth headset to a phone. Smart home items are becoming commonplace in your local DIY store, meaning that many of us are starting to realize our idea of what we want in a smart home. We are talking to Amazon’s Alexa to set timers, and with it many of us are performing basic automation tasks (like turning the lights on or off, or controlling our heating from either voice control or a mobile application). Innovation is making things easier for the consumer whilst reducing the cost of devices and growing the smart home devices market (as reflected by research from IHS Markit).

Figure 1: IHS Markit – Smart Home IoT Device Shipments

So that is the good news. The not so good news is that a lot of these new devices are targets for hackers, and these attacks have the potential to scare off the homeowner and slow the growth of the smart home. Unfortunately, for many devices security has been a design afterthought, making them easy targets to be compromised. We have seen a number of high-exposure attacks: in October 2016, a Domain Name System (DNS) attack used 100,000 infected smart home webcams to create a botnet that brought down major websites (including Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US).

In the webcam attack, hackers gained access to devices on which the default account names and passwords had not been reset. In the future, hopefully we will close that door by requiring default account names and passwords to be changed before the device can be used. This example is low-hanging fruit, but there will always be other ways that a hacker can compromise a device. What is needed is a mindset to stay ahead of the potential hacker: detecting a breach, mitigating the impact, and quickly repairing it.

Figure 2: Arm’s history of security IP products

The Security Manifesto & Platform Security Architecture (PSA)

Arm has a long history of delivering security technology. With over 100 billion devices using Arm cores, we are providing technology inside our designs that helps to protect devices. For the Internet of Things (IoT) to truly grow, how we approach security will have to change. Arm has been looking at this for a long time and we feel it is time for the industry to take the next step. In October 2017, Arm released the Security Manifesto, which defines a social contract for those delivering technology to market. Some of the key points are:

  • IoT security cannot be optional
  • Security needs to be built from the ground up
  • Security at the core of every device

The Security Manifesto highlights the commitment needed; making it real will require focus. Along with the Security Manifesto release, we introduced a security architecture for platforms that we call the Platform Security Architecture (PSA) – a recipe for designing the right level of security into a system. The aim of PSA is to make it easier and cheaper to build and deploy more secure connected devices at scale.

PSA is based on these assumptions:

  • Security is not just a software problem
  • Architecture is important, as well as hardware features
  • Design your system assuming a compromise will happen
  • Design so you can react – how to react to hacks is critical

Figure 3: The Arm Platform Security Architecture

PSA supports three development phases: ‘analyze’, ‘architect’ and ‘implement’ – building on common principles such as device identity, trusted boot sequence, secure over-the-air software update and certificate-based authentication.

The process starts by understanding and documenting the possible ways a device can be attacked in Threat Models and Security Analyses documents. From this analysis stage, security requirements for essential hardware and software attack prevention methods are defined, taking into consideration the common principles. With these security requirements in hand, designers can then use PSA’s hardware and software specifications to architect a more secure system. Finally, firmware developers will be able to get a head start on implementation by using an open source implementation of the software specifications.

Over the coming months, Arm will release the first of many PSA open source documents and software. This will help our customers to design products with security at the foundation, and not as an afterthought.

We know this is not an instant fix, but rather a mindset change in how security is handled and designed into products. This is a large task and, luckily, we are not alone: major players from all parts of the ecosystem share our view and are ready for the journey.

This task will never end: as long as there is value in compromising a device, there will be hackers working to get inside it. By putting an industry-wide focus on security, instilling best practices and applying new technology, we make it harder for attacks to happen. Ultimately, this makes it easier for consumers to enjoy the benefits of what IoT devices in the home can offer.

Want to learn more?

  • Platform Security Architecture
  • Security Manifesto

Anonymous