Security is no longer optional in the light of the rapid adoption of internet-connected devices making up the internet of things (IoT), according to chip manufacturer ARM.
“Malicious entities are increasingly using more novel techniques for compromising connected devices,” said Paul Williamson, vice-president and general manager, IoT device IP, at ARM.
However, he noted that IoT security was a multi-faceted problem, with billions of diverse devices requiring a system-wide approach to protecting them.
“The diversity in this space is challenging for our partners, and today we’re announcing new products that provide a critical layer of system protection by empowering SoC [system on a chip] designers to incorporate higher levels of security in the growing set of applications that require protection against physical attack threats,” he said in a blog post.
In the past, Williamson said it was difficult to justify protecting against physical attacks beyond payment applications, but as IoT gains momentum and more devices with high-value data become connected, the physical attack surface becomes more attractive to hackers.
“This is amplified by the availability of tools and education, which make these physical attacks cheaper and easier to make a reality. To protect the IoT, we need to think beyond software attacks – physical security requires our attention more than ever,” he said.
IoT devices need physical security features
According to Williamson, physical security will not only be required for payment and identity applications, but also for applications such as smart lighting, connected door locks, smart meters or automotive applications.
Physical attacks against IoT devices are typically the result of direct, physical contact with the device SoC, or close proximity to it, and usually aim to exploit vulnerabilities at the silicon implementation level, rather than exploiting a software or design-level weakness.
Physical attacks are either invasive, requiring access to the chip, or non-invasive, for example close proximity side-channel attacks (SCA) which gain information through unintended side channels stemming from the silicon implementation such as through observing the chip’s power consumption or electromagnetic field emission during a cryptographic operation.
Both attack classes have similar goals, said Williamson – namely to retrieve sensitive information processed within the chip, or simply cause it to carry out unintended behaviour to serve the attacker’s goals.
ARM’s Cortex-M35P processor is aimed at making physical security accessible for all developers by enabling them to hinder physical tampering and achieve a higher level of security certification.
“It’s the first processor in the Cortex-M family with designed-in tamper resistance,” said Williamson, adding that it is built on the industry proven anti-tamper technology used in ARM SecurCore processors which have been deployed mainly in smartcards and credit cards.
The new processor includes ARM TrustZone technology for robust software isolation, which ARM claims makes it easier and faster for designers to embed multi-layered payment or telecom-certified security at the core of any device.
As new IoT use cases emerge, Williamson said physical security required the industry’s attention more than ever.
In March, the UK government announced plans to introduce tough new cyber security and compliance measures to better protect IoT devices as part of its ongoing, five-year, £1.9bn security initiative.
The Secure by Design review was developed with support from device manufacturers, retailers and the National Cyber Security Centre (NCSC) to address the security vulnerabilities in many IoT devices.
The government claimed that, averaged out, every household in the UK now owns at least 10 internet-connected devices, and most would add at least five more in the next couple of years. This suggests there could be more than 420 million potential sources of attack in UK homes by 2020.