Last night, I went to a most wonderful event, one of the “Pint of Science” series in Cambridge. Similar events run all over the world in a bid to share expert knowledge from academia and industry. The basic idea is to combine hearing talks about science with drinking beer – what a concept! If you've attended any of these talks then please let me know in the comments section.
I was invited to speak on the subject of “Securing the Internet of Things”, something which taxes Arm’s customers, and hence taxes Arm, greatly these days. As Sam George, Microsoft’s director of engineering for Azure IoT, said recently “currently, the bar is low for IoT security.” Clearly something needs to be done and it will take an industry-wide effort to achieve it.
The main emphasis of my talk was to examine how our personal “attack surface” has increased hugely as we have begun to connect ourselves and our things to the internet. As the number of connections multiplies, we come increasingly into contact with people we will never meet, systems we will never see and “things” which do goodness knows what. The vulnerability is increased by the fact that the strong security in our mobile phones has conditioned us to think that all internet-connected devices enjoy a similar level of security. Add to that the fact that oftentimes we are not fully aware of the data that is being collected about us, where it is going and how it is being used. Sooner or later, as Murphy dictates, if you extend far enough for long enough, you will come into contact with someone or something malicious.
And if there is something vulnerable between you and the malicious agent, then they have a way to get at you.
We looked at the recent denial of service attacks, which used hacked webcams among other things, and the famous hacked Jeep Cherokee. Then we looked at some very scary live hacking of baby monitors demonstrated at Mobile World Congress just a few weeks ago. One of the presenters mentioned that he found 22,000 hackable baby monitors in Barcelona alone! It is easy to find enough things to scare you out there.
So, what is Arm, and the rest of the industry, doing about this? Well, speaking for Arm, we are actively working to develop technology which implements what we call a “hardware root of trust”. This is technology, baked into the silicon, which implements basic requisites like immutable ID, secure memory, strong encryption and so on. It also enables software architectures which can be separated into secure and non-secure parts, enforced by the hardware. It is this basic hardware level of trust which allows device manufacturers to build devices which can be trusted. Of course, it is still possible to get it wrong (for example, by embedding a fixed default password in the firmware) but we at least make it possible to do it right!
I also talked about practical steps which users should take, such as securing the router, changing passwords, making sure firmware is up to date, and so on.
And somewhere along the line, we touched on how to make a cat fly using buttered toast.
But the best thing about the evening was that the organisers had gone to the lengths of brewing a special beer called “Science”. So, for the first time in my life, I was able to walk up to the bar and order “a Pint of Science, please Mr Barman.” Brilliant!