Call the doctor: burgeoning Internet of Things (IoT) devices are having a crisis! During a panel discussion at ARM TechCon, industry experts discussed the challenges of securing millions of devices.
Kevin Krewell, principal analyst at Tirias Research, said he was stunned by the number of connected device startups at this year’s Consumer Electronics Show in Las Vegas. Many companies had good ideas, but had put no thought into securing their devices from attacks.
“There is no pure security. There are levels of insecurity but no guarantee of 100% security,” said Krewell, who moderated the panel.
The semiconductor industry didn’t have a good understanding of different embedded segments until recently because communication buses were proprietary and there wasn’t much of an attack surface, said Zach Shelby, vice president of marketing for ARM’s IoT group.
“Now we’ve just exposed hundreds of millions or billions of devices to the Internet,” he said. “I believe we need to do a little bit of a reset in what our expectations are… with those devices.”
More connected devices create more targets with more information for attackers, said Paul Kocher, chief scientist of cryptography research at Rambus. Vulnerabilities are being created far faster than they’re being fixed.
Moderator: There’s more of an attack surface, there’s the complexity of the interconnect, there are so many verticals. Does each have enough security?
Shelby: There are multiple levels of security problems in communications. A lot of people think of security as what do we do about authentication and encryption over the air for things like Wi-Fi, Bluetooth and Thread. While that sounds important, I think it’s a much smaller problem.
The issue is when we build really, really large systems connected to the cloud using protocols.
Eduardo Montanez, global systems and architecture manager for Freescale microcontrollers: It’s not just about addressing security challenges, but not making [security] over-complex.
Moderator: Who’s going to pay for more secure devices, protocols, and cloud? The consumer certainly won’t.
Montanez: I really do think that the developer needs to contribute — either from having someone steal their IP or for implementing security that their product needs. I think it’s almost a no-brainer. They have to ensure their investment, which is their end product.
Kocher: People will say they want security but won’t actually pay for it when it comes time. A lot of what we’ve had to wait for was for Moore’s Law to make transistors cheap enough to build security in. The other way to look at the cost question is: what are your losses if you screw up?
Shelby: Whether you pay for it now or pay for it later, it’s good. But in the hardware sense…it’s gotta be in there. For example, ARM is bringing TrustZone into all microcontrollers; microcontrollers have been kind of a forgotten space but at the same time it’s been a huge volume.
Montanez: We’ve had that in our devices for some time.
Shelby: We can’t randomly add things in; it has to be part of the computing architecture. In the embedded industry we’ve shot ourselves in the foot – we’ve nickeled and dimed our vendors to death [for security add-ons].
Moderator: But you can’t just layer top security into a hardware environment.
Shelby: I think all technology players need to start paying for [security] built into platforms. Then we need developers to incur a little bit of that cost in volume.