Internet of things: how rules protect against risks

In the last few years, the Internet of things and smart objects have turned out to be vulnerable to considerable risk, regarding, in particular, users’ privacy. In the absence of a single industry standard, it is difficult to intervene to resolve such problems and/or bugs. Among the most dangerous scenarios are smart toys, which have provoked controversy several times over their shortcomings where privacy is concerned.

The list of Internet of Things devices which do not offer adequate protection of user data also includes products sold by tech giants such as Amazon and Google, which dominate the market with their voice assistants Echo and Home. Smart thermostats such as Nest are also facing accusations.

In order to be able to trust this technology, it is of fundamental importance that an industry standard be agreed and formulated. There is currently no such regulation, but people are already working to change this. One notable example is the engineering team at ARM, a company based in Cambridge, UK.

IoT security standards; the ‘IoT Firmware Update Architecture’ document

With the ‘IoT Security Manifesto’ as their starting point, members of the ARM team have drawn up a document entitled ‘IoT Firmware Update Architecture’. It focuses on some rules to be followed by those who create smart devices. The guidelines pay particular attention to the updating process of the products’ Firmware.

Many of the procedures mentioned in the guidelines were already being carried out by companies working with the Internet of things. The innovative aspect of the document however, is the fact that it has set out these guidelines in a written format, which should soon lead to an improvement in security levels and a wider implementation of the rules.

Notable guidelines in the document involve the introduction of end-to-end cryptography and also the prevention of attacks. Another important point is the easier distribution of updates to users, guaranteeing access to updates via Bluetooth, WiFi, UART or USB. The document also highlights the importance of providing multiple authorisations in the case of system hierarchies.

The guidelines drawn up by ARM for those working in the Internet of Things sector also stipulate that during the various updates, the same file formats as in the previous firmware should be used.

Furthermore, they recommend that instructions be maintained within the limits of the available RAM and that compatibility with a light bootloader shared by several devices be guaranteed.  The guidelines also stipulate that details regarding specific information about the cryptography used, the format and publication dates should be made available by manufacturers.

According to Ken Munro, a researcher at Pen Test Partners (a company operating in the cyber security field), this project represents a major starting point in the improvement of the security of the Internet of Things. In his opinion however, there are some points which should be reviewed. One example is the fact that the payload encryption procedure is optional. Another error pointed out by Munro is the absence of a clear definition regarding processes of verification and validation of terms.

The document in question is not ARM’s only contribution to the improvement of security for those using IoT devices. The company has in fact also prepared the PSA (Platform Security Architecture), a platform created to provide those involved in the development of smart objects with a standard shared framework for the protection of devices.

Translated by Joanne Beckwith