For some time now, observers have been sounding the alarm about the relatively weak state of IoT-enabled device security. Ever since Mirai used connected IoT devices in 2016 to unleash large-scale distributed-denial-of-service attacks, the cybersecurity industry has been playing catch-up to effectively improve IoT security.
As growth in the number of connected devices continues to accelerate (Frost & Sullivan estimates the economic value of the IoT to reach US$19 trillion by 2022), vulnerabilities in IoT-enabled devices must be addressed immediately.
For years, hackers have exploited the weak security embedded in IoT devices. Whether they are finding exploits in smart meters, or taking control of consumer automobiles, hackers have taken advantage of this perceived blind spot in the security industry.
There is new evidence, however, that the industry is increasingly taking IoT security seriously. In the wake of Spectre and Meltdown, two vulnerabilities that affect millions of devices that run on Intel, ARM, and AMD chips, one chipmaker is taking steps to upgrade IoT security at a hardware level.
On May 2, 2018, ARM announced that its Cortex-M35P chip will feature both anti-tampering and software isolation safeguards. The Cortex-M family of chips is designed to power IoT-style devices; this chip, however, is the first in the prolific chipset family to resist physical attacks.
Encrypting The IoT
Last month I reported on encrypted VPN channels for the IoT, endorsing NCP Engineering’s encrypted communication solution due to its central management system that allows users a high degree of visibility across their entire IoT network.
In that report, I argued that: “Authentication at each step along the encrypted communication channel is essential to ensuring that the [IoT] is secure and resistant to the types of IoT compromises […] that can significantly damage business processes. Most organizations do not, however, have the in-house expertise to ensure that their [IoT] is properly secured. As a result, Frost & Sullivan recommends a specialist VPN MSSP to mitigate security risks in the [IoT].”
One of the main concerns that encrypted IoT communication channels address is a man-in-the-middle attack, where the attacker intercepts communication between two systems, posing as the original “sender.” This type of attack is particularly dangerous when considering autonomous vehicles, where the man-in-the-middle could pose as the server sending information to a vehicle or drone, and effectively take control of that vehicle.
While it is true that encrypted VPN communication channels can dramatically improve the security posture of an IoT network, this technology does nothing to prevent tampering with the devices themselves. To address that gap, ARM’s Cortex-M35P chip aims to resist attacks at the silicon level, rather than protecting against software or design vulnerabilities.
Chips embedded in IoT devices can be attacked either through direct physical contact with the chip itself, or through a close-proximity reading of the chip’s power output or its electromagnetic output. These sophisticated attacks can bypass software-based security such as encrypted communications and put data at risk at a level that is left unprotected by traditional security measures.
ARM’s new measures aim to mitigate or eliminate that risk, effectively raising the bar for malicious actors who aim to attack an IoT network.
Stepping Up IoT Security
This step from a major chip manufacturer signals that the industry is getting serious about securing the IoT. If widely adopted, designs that secure IoT-enabled devices at a chip level would bring the IoT a step closer to the levels of security seen in smartphones with a hardware-secure element, which are favored by government officials and high-ranking business executives.
With ARM leading the way, it seems inevitable that other chip makers will adopt this approach in order to remain competitive. For consumers and enterprises, the ultimate end-users of the IoT, the combination of hardware-secure devices and software-secure encrypted communication channels may broaden the appeal of these devices and mitigate concerns around their safety and security.