Over-the-air software update is the only efficient way for device security, says Peter Aldworth, technical director at Arm Mbed.
1. Arm’s launch of Mbed Cloud, a SaaS platform that communicates with firmware in devices to install fixes and feature updates, is without a doubt a step ahead in terms of hardware device security. Do you think this could be implemented across the industry to solve the larger problem of recalling devices that have been mass hacked?
IoT is expanding very rapidly. With the expansion comes huge diversity. There are many industries which are developing new business models based on the ability to connect huge numbers of devices to the internet. This is enabling radical and revolutionary new business opportunities across many industries. However, many companies entering this field do not have the experience or the IT expertise required to get security right, whether it’s a logistics company, a developer connecting a smart city or an electricity utility operation.
IoT devices may have a product lifetime of 20 years or more. Over that lifetime we need to enrich those devices, unlock additional business potential, address functional defects and, most importantly, cope with a constantly evolving security context. Remote over-the-air software update is the only efficient / economic way to distribute and install the required software changes. Mbed Cloud Update provides a fail-safe and secure software update mechanism. The service includes end-to-end update orchestration, managing and monitoring the update process, and is available on any device and on any cloud.
2. What other major challenges in IoT security is Arm currently focused on?
In the past, Arm has worked with its partners to tackle the challenge of security. TrustZone for Cortex-A is the technology foundation that enables developers to create a range of secure services with the smartphone as a platform. For example, you can securely log in to your banking app using your fingerprint for authentication thanks to the hardware features of TrustZone, in the core of the smart devices we use. And now, the Armv8-M architecture extends the proven TrustZone technology to the smallest devices for root of trust, with the latest members of the Cortex-M processor family based on the Armv8-M architecture, Cortex-M23 and Cortex-M33. This has brought TrustZone security to even the smallest of embedded devices, which are to be the foundation for these billions of IoT devices.
Arm is dedicated to building on this heritage and to enabling connected devices where security is never optional. There is a huge security challenge to be addressed as the IoT continues to expand into new markets. We see that a few secure devices are being built, but there is a need to find ways to secure devices at scale – we need all the billions of connected devices that will make up the IoT to be secure. Everyone, together, needs to take ownership and assume the responsibility to protect devices.
We, as an industry, are enabling the roll-out of one of the most significant technological revolutions we have ever seen. We must address the security challenges. Properly, Responsibly, Together.
3. Arm is a Silver Sponsor of Hardwear.io 2017. What do you want attendees to learn about your company from your presence at the event?
Arm is working to establish a strong set of security principles from across the industry and is driving collaboration across the Arm ecosystem to enable broader best practice security solutions.
We are taking these key principles, found in some devices today, and scaling them out across the ecosystem. Security can no longer be regarded as an optional extra, even on the cheapest, simplest and smallest of devices.
Tim DaRosa, VP of Marketing at HackerOne, tells us that leaders in the smart home space and hardware manufacturers have opened doors to the hacker community:
1. HackerOne recently predicted its bug bounty payments will quintuple by 2020. Are there any specific industry verticals that are contributing to this spurt?
Technology-first industries consistently lead the way when it comes to innovation within cybersecurity. HackerOne customers have awarded hackers over $20M in bounties and over the last couple of years we’ve seen a spike in IoT and smart home companies launching programs, as well as open-source projects. The world is becoming increasingly connected, introducing new threats, new vulnerabilities and greater risk of breach. These new devices require a new breed of security, one that’s faster, agile and can fight human creativity with human creativity.
We’re also approaching the one-year anniversary of the U.S. Department of Defense program on HackerOne, which has been a key driver for adoption of hacker-powered security programs in the federal government. The Hack the Pentagon, Hack the Army and Hack the Air Force programs have demonstrated the positive impacts of working alongside white-hat hackers and have established the program framework as a critical component of national security. We’re also seeing momentum in the financial services and automotive industry, respectively. Financial services have always been attractive targets for criminals and this trend continues as everything goes online. Meanwhile, the transportation and automotive industries are experiencing the connected universe for the first time, putting lives behind the wheel - and in flight - at a greater risk of attack. Both are highly regulated industries but are quickly adopting the hacker-powered security model to increase the speed and agility of their security teams at a scale that allows them to keep pace with their organizational and business needs.
2. Hardware security has only picked up as a major concern in the last few years. What percentage of bug bounty programs are focused on hardware security? Have you observed any recent trends in demand from the hardware security sector?
Hardware security is a major concern because so much of the world’s critical infrastructure depends on some form of hardware. The IoT boom, for instance, means new hardware innovations are coming online every day and not just from a commercial perspective (yep, looking at you ‘smart home’ gadget lovers).
On one hand, research in recent years has uncovered security concerns with voting machines, power grids, etc. that could disrupt economies at an astronomical scale. These areas are typically slower in adopting the hacker-powered security model because of the specialized knowledge required to hack them, as well as the cost of shipping hardware to hackers for research.
On the other, we’ve seen massive growth in connected hardware devices for the masses. As we know, smart thermostats, refrigerators, speakers and other home devices are collecting more data than ever before and presenting new and interesting security threats that every smart home owner should be aware of. The brands we know and love are already being hacked, but do the companies that produce them know about it and - if so - are they taking proactive measures to help protect their customers? Leaders in the smart home space, in addition to large hardware manufacturers like Microsoft, Intel, and Nintendo, have all opened that channel of communication with the hacker community, and we’re very excited and eager to help them secure their products and devices with the help of the HackerOne community.
3. This is your first year at Hardwear.io as a sponsor. What can attendees expect from your presence at the show?
We’re here as a resource, to attend the hallway track and learn something new from the great research presented. HackerOne runs more than 850 bug bounty and vulnerability coordination programs, many of which include hardware devices in scope for the first time ever. This kind of innovative research can help many of the companies on HackerOne better defend their technology from attackers, if they know the right people to ask for help.
We’d love to have any of the attendees at this year’s event join HackerOne’s community and support one of our many hardware programs … the bounties are flowing consistently from our IoT customers and we’re always looking for amazing new talent to help further support our customer programs. Stop by our table or visit https://www.hackerone.com/resources/hack-learn-earn to create a new hacker account today.
Your software is only as secure as your hardware, says Abe Chen, director of Product and Information Security at NIO U.S.
I understand you are focused on delivering autonomous vehicles designed as your living space and digital companion. How much of your focus is directed towards hardware security and how do you plan to keep up with security threats that loom over autonomous devices?
With software, over-the-air updates allow you to quickly respond to vulnerabilities discovered. With hardware, you may not have this luxury. You have to get it right from the start. At NIO U.S., the security team works hand-in-hand with our engineers to select hardware, review their security capabilities and understand how to take advantage of security features. This same process is applied to our autonomous efforts and devices.
There are multiple players fighting for a larger share of the market pie in the autonomous vehicle market. How does NIO differentiate itself?
At NIO U.S., we are focused on building Car 3.0, a full stack technology architecture for level 4 and level 5 autonomous driving. We offer a holistic system solution using a highly integrated stack versus individual components. This is critical to address the very challenging electrification, autonomous systems and artificial / contextual intelligence transitions.
NIO is the electronic badge sponsor of Hardwear.io 2017. Why is it important for your organization to be at the event?
Your software is only as secure as your hardware. The industry is too focused on securing software and you can’t have one without the other. NIO U.S. wants to contribute to educating professionals and bring attention to the importance of building secure hardware.
Joerg Simon, director of Security & Audit Service at Audius, tells us it’s important to put operational requirements in context with the nerd-factor:
1. Audius has positioned itself as a vendor that helps companies with data protection and audit. What does that mean from a product perspective? How do you future-proof vendors’ data from attacks?
For all our clients, operational business comes first. Putting their operational and legal requirements in context with the nerd-factor of technical security findings is what makes it viable to help management make the right decisions.
2. How do you differentiate yourself from the host of other companies that provide such services?
By actively developing open source software and Open Standards, Audius strives to help our clients to find the best balance for their operational security in an unbiased way and contribute back to the security ecosystem.