ARM: Hold my beer, we'll install patches for your crappy IoT gear for you

Processor designer ARM will squirt security fixes directly into internet-connected gadgets to hopefully keep them defended from hackers. Manufacturers of Internet-of-Things gizmos and other embedded products have complained that updating gear in the field is too much hard work. That means devices are rarely patched when …

  1. Pen-y-gors

    Hey, really neat!

    Get this working properly and no more need to faff around trying to find vulnerable Thingies. Just hack the update server and you can zap the firmware of meeeeelions of devices in one go.

    Progress is a wonderful thing...

    (And don't say it won't be possible to hack the update server. If we've all learned one thing in recent years, it's that NOTHING can't be eventually hacked if you try hard enough)

    1. Mage Silver badge
      Facepalm

      Re: Hey, really neat!

      That's what I thought too. Though router or IoT DNS setting change (poisoning), which can be done by websites to MANY routers that have default settings ...

      I am expecting MS Windows & Apple Mac Auto updates to be hijacked either by DNS hijack or server hacks, periodically.

      This is a stupid idea. The problem isn't distribution, or even the developers, it's the management of the companies selling the stuff. How many will stay in business to release patches? Who other than the original manufacturer and development team can create the patches?

      It's beyond stupid, it's a delusional, dangerous fantasy!

      1. Anonymous Coward
        Anonymous Coward

        Re: Hey, really neat!

        "I am expecting MS Windows & Apple Mac Auto updates to be hijacked either by DNS hijack or server hacks, periodically."

        You may not be wrong, but I remember hearing dire warnings about this very thing when WU was first announced. Many years, and thousands of patches later, it hasn't happened. (I could argue that MS hijacked their own WU process for evil instead, but that horse is long dead.)

        Not that WU couldn't be compromised tomorrow, but at some point you have to weigh the benefit vs. the risk. No solution is going to be risk-free, and you can't stand still for one that is. Who knows what havoc we'd be dealing with today without WU ($deity knows there's enough with it), but I hope you get my point.

        1. nijam Silver badge

          Re: Hey, really neat!

          > ...thousands of patches later, it hasn't happened

          I'm sure I've read about cases where Windows Update was tricked into installing third-party malware. And that's even without the obligatory joke about most Microsoft patches being malware in the first place.

    2. Stevie

      Re: Hey, really neat!

      Okay, you've spotted the weakness in the idea.

      Now, what's your plan to fix the mess?

      Please don't talk about people "securing their home network" or companies "becoming responsible" because most people don't know how to do that (and never will, get over it) and cheap Chinese rubbish will always be more attractive to the cash-strapped tat-obsessed than expensive did-the-job-right domestic products.

      There is value in exchange of ideas. There is virtually none in just shouting "that won't work" over and over.

      1. Charles 9

        Re: Hey, really neat!

        "There is value in exchange of ideas. There is virtually none in just shouting "that won't work" over and over."

        But sometimes, like the Traveling Salesman Problem, there's just no practical solution. Well, apart from creating a new kind of human being...

    3. Anonymous Coward
      Anonymous Coward

      Re: Hey, really neat!

      Oh, such a helpful service from our very own.

      No, no, we at GCHQ totally support this. We'll even generate the keys for you.

      Just because the devices are small enough to be called "things" doesn't mean they are not helpful in snooping on people..

    4. Anonymous Coward
      Anonymous Coward

      Re: Hey, really neat!

      You must be wholly unaware of this "code signing" thing.

      You could completely own the update servers and as long as the device has a proper public key and strong hashing algorithm embedded (2048 + SHA2) in it you can easily verify origin and therefore reject unsigned or badly signed updates.

      Breaking into a website is one thing... but somehow getting a properly secured offline HSM (Hardware Security Module) to either cough up its keys or sign your malware is another thing entirely... if you can do the latter, the NSA probably has a job offer for you.
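The check the comment above describes, as an added example (not code from the article or from ARM): a device-side verifier holding only a burned-in RSA-2048 public key, hashing each update with SHA-256 and rejecting anything unsigned, altered after signing, or signed by a key it never trusted, even when the update server itself is fully compromised. Keys and payloads are constructed at runtime; the vendor key stands in for the HSM-held signing key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is a firmware update as the device receives it: payload plus a detached
// PKCS#1 v1.5 signature made with the vendor's private key.
type Image struct {
	Payload   []byte
	Signature []byte
}

// verifyImage is the bootloader-side check: SHA-256 the payload and verify the
// signature with the public key burned in at manufacture. Unsigned images, payloads
// altered after signing and signatures from any other key are rejected before flashing.
func verifyImage(pub *rsa.PublicKey, img Image) error {
	if len(img.Signature) == 0 {
		return errors.New("reject: image is unsigned")
	}
	digest := sha256.Sum256(img.Payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], img.Signature); err != nil {
		return fmt.Errorf("reject: bad signature: %w", err)
	}
	return nil
}

// signImage stands in for the vendor's offline HSM, the only place the private key lives.
func signImage(priv *rsa.PrivateKey, payload []byte) Image {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only on a broken key; acceptable in a simulation
	}
	return Image{Payload: payload, Signature: sig}
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // the "2048" in the comment above
	if err != nil {
		panic(err)
	}
	return k
}

// demo serves the images a hijacked update server could present and reports which ones the device accepts.
func demo() map[string]bool {
	vendorKey, attackerKey := newKey(), newKey() // constructed keys
	devicePub := &vendorKey.PublicKey          // the only key the device trusts
	genuine := signImage(vendorKey, []byte("kettle-fw v1.2.0 (constructed payload)"))
	tampered := Image{Payload: append([]byte(nil), genuine.Payload...), Signature: genuine.Signature}
	tampered.Payload[0] ^= 0x01 // one bit flipped after signing
	unsigned := Image{Payload: genuine.Payload}
	forged := signImage(attackerKey, []byte("attacker payload (constructed)")) // server owned, key untrusted
	cases := map[string]Image{"genuine": genuine, "tampered": tampered, "unsigned": unsigned, "wrong-key": forged}
	results := make(map[string]bool, len(cases))
	for name, img := range cases {
		results[name] = verifyImage(devicePub, img) == nil
	}
	return results
}

func main() {
	fmt.Println(demo()) // map[genuine:true tampered:false unsigned:false wrong-key:false]
}
```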

    5. Christian Berger

      Yes, particularly since...

      ... instead of having a simple HTTP-Server at the manufacturer which simply serves a fixed signed firmware file, this requires a rather complex system which has to take complicated input from the outside.

      So essentially they make a simple process _much_ more complex and believe that this would somehow increase security.

      Increasing complexity somehow seems to be a thing for mbed.

      1. Anonymous Coward
        Anonymous Coward

        Re: Yes, particularly since...

        "... instead of having a simple HTTP-Server at the manufacturer which simply serves a fixed signed firmware file, this requires a rather complex system which has to take complicated input from the outside."

        Because what happens when (not if) the manufacturer disappears?

    6. annodomini2
      Devil

      Re: Hey, really neat!

      If there's a way in, you can get in.

  2. PerspexAvenger

    "Product makers pay..."

    And that right there is why this will not progress.

    1. energystar
      Boffin

      Re: "Product makers pay..."

      A better strategy, ARM Holdings?

      Better sell a builders' solution over a virtual engine. And Consumers will be buying ARM security.

    2. Michael Habel

      Re: "Product makers pay..."

      Yeah, how exactly will that work, when (紅眼航班 Hóngyǎn hángbān) Fly by night.cn has gone... As they say total, and is no longer willing, much less able to pay ARM for this service? And, just how much will such a service add to the cost of any given IoT'ing?

    3. You aint sin me, roit

      Re: "Product makers pay..."

      Or, for the more cynical, this is a business opportunity for ARM.

      The fact of the matter is that nothing that ARM is proposing is new. All of the IoT objects that are already out there *could* have been protected in a similar manner (Secure Element supporting TLS for secure download of patches/firmware upgrades/key migration).

      The only thing that's new is that ARM is offering to provide the service.

      Smartphones have incorporated Secure Elements for years - why doesn't the iKettle have one? Because it costs too much - and an ARM-managed support contract would boost the price even more.

      1. energystar
        Childcatcher

        Re: "Product makers pay..."

        "...Because it costs too much - and an ARM-managed support contract would boost the price even more."

        So, all this play of late distills to "If you want it with bells and whistles, then it's going to cost [a lot] more".

  3. bombastic bob Silver badge
    FAIL

    'pushed updates' - works so well for Win-10-nic

    just thought I'd mention it...

  4. 4d3fect

    "It's all going to end in tears."

  5. Steve Hersey

    OK, so the dystopian-but-realistic solution is...

    The major ISPs and network infrastructure operators, who of anyone have the most skin in the game, wind up banding together and establishing an infrastructure to (semi-)automatically identify and black-hole the IP addresses of the insecure tat that's doing the DDoS'ing, preferably in close to real time. Your internet connection gets turned off until you fix or disconnect the offending devices on your net.

    I already hear you thinking, "But that just creates another hackable service the bad guys can use to disable connectivity for the target of an attack, and this time they don't even need to pwn a thousand devices to do it, just pwn the countermeasure system!" Alas, that argument is true, and weighs against *any* realistic countermeasure; the ISPs would simply have to do a good job designing their system to be resistant to abuse. An imperfect system for sure, but at least it doesn't rely on tat-makers to become responsible netizens.

    Clearly, *someone* needs to do a good job designing their system to be resistant to abuse, and it self-evidently won't be the bottom-dollar bottom-feeders making said insecure tat. Until then, it'll continue to be the Wild Wild Web.

    1. Anonymous Coward
      Anonymous Coward

      Re: OK, so the dystopian-but-realistic solution is...

      "Clearly, *everyone* needs to do a good job designing their system to be resistant to abuse, ..."

      FTFY

      Security is a process, not a one-off, and everyone needs to play their part *in* that process.

      1. Steve Hersey

        Re: OK, so the dystopian-but-realistic solution is...

        Agreed, everyone *should* behave responsibly, but the core of the problem is that there are a lot of nonspecialists out there with no idea that this is a problem, and lotsa cheap-artists building insecure junk to sell to them. Educating everyone's Aunt Sally that the cheap baby-cam is a hazard will be a challenge, and getting the cheap-baby-cam folks to clean up their act will be a near impossibility (the sky is high and the Emperor is far away, after all). For that matter, even specialists (like us) would be hard put to name a SOHO router with decent security that we could recommend to our friends.

        I agree with your stated principle, it's just that getting everyone to be responsible is difficult and unlikely.

    2. Graham Cobb Silver badge

      Re: OK, so the dystopian-but-realistic solution is...

      I am interested in your ideas on how the ISPs identify a connection with problem equipment.

      How can an ISP tell by watching my DSL pipe that an IoT device on my home network is performing a DDOS rather than its normal job? No one device needs to be sending unusual numbers of requests as there are so many devices involved. And the requests might even look like valid DNS lookups (for example).

      Also, I suspect small businesses are probably much more of a problem than consumer lines. Small businesses are much more likely to have things like cameras and crappy, cheap, video recorders connected to them and visible from the internet so the owner can monitor if they are worried or the burglar alarm goes off. They also have business T's & C's which may make it expensive to cut them off.

      1. Steve Hersey

        Re: OK, so the dystopian-but-realistic solution is...

        A DDoS is hard to spot at the source end, but is pretty unmistakable at the target end (that's rather the idea, after all). The idea would be something like this: A DDoS target notifies their ISP, who analyzes the attack pattern, then starts back-tracing the source addresses of incoming attack packets and reporting them to participating source ISPs, who then filter or disconnect the originating addresses. A significant percentage of inbound traffic to the target will be malicious in a DDoS, so it's not such a needle-in-haystack proposition if you're the destination ISP.

        Other ISPs could conceivably be triggered to get into the act by logging source addresses sending to the affected targets, filtering out the legitimate players, and dealing with the rest.

        This is not a simple endeavor by any means, and it would definitely require careful automation, but if properly implemented it could nobble many DDoS attacks and deprive them of effect. Even if you don't actively disconnect attack sources, but simply throttle their traffic to the target, a DDoS could be mitigated to the point where it becomes not worth the trouble.

        1. Vic

          Re: OK, so the dystopian-but-realistic solution is...

          A DDoS target notifies their ISP, who analyzes the attack pattern, then starts back-tracing the source addresses of incoming attack packets

          That's fine for TCP connections (not SYN floods[1]), but useless against UDP attacks such as DNS or NTP amplification attacks.

          Vic.

          [1] Yes, there are ways of mitigating SYN flood attacks.

  6. Anonymous Coward
    Anonymous Coward

    One ring to rule them all

    How about instead of spyware for everyone, ARM instead release the complete tool set as OSS and compel hardware manufacturers to maintain any non-standard code they produce.

    ARM hardware is not vulnerable by design, merely badly implemented and obscured by choice.

    ARM should make license holders maintain their products rather than grab the cash and look the other way.

    1. Anonymous Coward
      Anonymous Coward

      Re: One ring to rule them all

      Potential licensees don't agree to the terms, they walk away, ARM loses. There's no legal backing to FORCE what you want, especially when international clients (who have their own sovereignty and laws) come into play.

  7. Anonymous South African Coward Bronze badge

    Rose-tinted glasses.

    Meh.

  8. Anonymous South African Coward Bronze badge

    Ne'er-do-wells will and can think outside the box, and they will find ways and means to worm their way into this - then push out their updates to IoT devices waiting in eager anticipation for "secure" wolf-in-sheep-clothing updates.

    It is too early to say how, but they will be able to.

    1. Anonymous Coward
      Anonymous Coward

      "Ne'er-do-wells will and can think outside the box, and they will find ways and means to worm their way into this - then push out their updates to IoT devices waiting in eager anticipation for "secure" wolf-in-sheep-clothing updates."

      How, without the signing key? And if you can steal a signing key (a private key), you'd make better money as a spy.

  9. asdf

    lol in my head

    The phrase hold my beer is always to be followed by, and watch this shit (ie. a redneck's last words).

  10. Swiss Anton

    Am I missing something ...

    ... but isn't it already possible to update these IOTs over the net.

    Oh hang on, maybe the scumbags closed that door when they applied their malware.

  11. ma1010
    Black Helicopters

    How can we fix this?

    One thing that MIGHT help is if there were laws making manufacturers of IOT tat responsible if those devices get p0wned. That would motivate them to sign up with ARM's (or some other similar) patching scheme since they don't want to get sued by DYN or whoever got DDOSed this week. Or their customers who lost money due to no Internet connection.

    Perhaps governments should also implement (as others have suggested before) the idea of implementing an international standards testing organization to security test and approve all Internet appliances before they can be sold. That should at least get rid of the hard-coded passwords and other "please p0wn me" crap so often baked into such tat.

    It's scary to want more government regulation, but is there a viable alternative that will get the manufacturers together on sensible security? IOT as it stands now is a complete disaster and needs serious fixing. Yet at least some people seem to want these gadgets, and we need to do something to try to mitigate the inevitable damage.

    1. Michael Habel

      Re: How can we fix this?

      Wouldn't a lot of this malarkey be curtailed if these ODM/OEM purveyors would just allow their end-users the ability to alter the 'admin' user account? Of course this would also mean using something a bit more creative than '1234', or 'password' too.

    2. Barry Rueger

      Re: How can we fix this?

      Perhaps governments should also implement (as others have suggested before) the idea of implementing an international standards testing organization to security test and approve all Internet appliances before they can be sold.

      Though I expect howls of outrage from the Usual Suspects, I'd say that's exactly what's coming - some kind of Underwriters Laboratory type thing. (or whatever the EU equivalent is.)

      Just as it was eventually agreed that manufacturers couldn't be trusted to make safe electrical stuff,

  12. Herby

    Just "require" an update as specified intervals...

    It probably won't work, but just have the silly IoT device "time out". Then you take it back to the manufacturer to "update" it for another interval, or it lights up an "insecure" light. Not ideal, but might work.

    I don't see much better solutions in the offing.

  13. Anonymous South African Coward Bronze badge

    Drone armed with percussion tool?

  14. Anonymous Coward
    Anonymous Coward

    This can at most secure the common OS part

    As long as ARM maintains that OS version. Patching anything above will still be in the hands of the OEM, which may not have much incentive to patch it (see smartphones....). ARM would also need to ensure patching the common part doesn't brick the devices.

    But IMHO ARM is not interested truly in the patching system, that's the bait. The real aim is to become the user data collector - even devices without patches available will keep on sending data.

    For what matters me, I will never buy an Internet of Thieves devices. My data belongs to me only.

  15. yoganmahew

    Fix it with cheese.

    Gorgonzola the lights, Cheddar the thermostats, Wensleydale the cameras. I do like a nice bit of Wensleydale.

    Well, it's as good an idea as storing all the non-existent updates in a cloud. The problem with IoTs is not that it's difficult to update them, the problem is that nobody is arsed to go and fix them. Maintaining stuff is expensive, particularly when maintaining means anything after the device is boxed.

    So says the man with the Samsung Android 4 phone where the Samsung apps have been updated, but the O/S has not been...

  16. David Roberts

    My master plan {cough}

    1) Mandatory security testing before a product is allowed on sale. This includes the policing of non-compliant imports from the usual suspects. All it needs is legislation and policing.(!)

    2) Approved supplier then places money (and source code in escrow) with central patching organisation. So when the manufacturer conveniently ceases to trade the code can still be patched. Patches tested and distributed by central body. So patching and support outlives an individual hardware version or manufacturer/supplier.

    3).......

    4) Profit! Also, hopefully, more security in the IoT.

    Oh, and if a firewall on a private network can identify and police port scanners then why do I see continuous port scanning from foreign IP addresses on my Broadband link?

    The first step in all this IoT pawnage seems to be port scanning to identify vulnerable home systems.

    Filter out the port scanners or at least slow the bastards down and you have taken most of the skiddies' toys away.

    Extrapolating this starts to get a bit Big Brother but if money isn't spent up front then the cost of slamming multiple stable doors is likely to be much higher.

    1. Anonymous Coward
      Anonymous Coward

      Re: My master plan {cough}

      "Mandatory security testing before a product is allowed on sale. This includes the policing of non-compliant imports from the usual suspects. All it needs is legislation and policing.(!)"

      One, who PAYS for it, and two, how do you patrol the gray markets that go AROUND your policing? Remember Prohibition and how smuggling was such a lucrative business? Patrol the white market and the gray and black markets will just boom in response.

    2. energystar
      Linux

      Re: My master plan {cough}

      $h!t cleaning money. As insurance deposit. You have my seal of approval. How much did that last USA IoT 'glitch' cost?

      $h!t can be huge. Consortium solutions better suited to this scale of risk.

  17. Graham Cunningham

    Sounds like nobody here thinks that baked-in hardware security and signed updates is in the least bit useful for improving the state of things?

    1. energystar
      Windows

      "...baked-in hardware security..." The best kind [as long as the attack is not focused]. And the cheapest also. Only bad point is that full replacement when hacked -at least of the controller board- a requisite. Not going to talk about 'signature' narratives.

    2. Anonymous Coward
      Anonymous Coward

      Signed updates is one thing, but updates are made by man and so is hardware, and in this world, that's not good enough because the bad guys only need to be lucky ONCE.

    3. Vic

      Sounds like nobody here thinks that baked-in hardware security and signed updates is in the least bit useful for improving the state of things?

      Of course not. For that to work, you'd need your manufacturers[1] to care about security, and offer updates when necessary. And if we had that, we'd not have the problem in the first place...

      Vic.

      [1] All of them, really...

  18. You aint sin me, roit

    "The bottom layer is also supposed to work on any device and with any operating system"

    Ouch!

    Having the download secured via ARM's open source TLS implementation is all fine and dandy - if you are executing code in a Trusted Execution Environment, such as TrustZone...

    But ARM promise to secure Joe Blogg's bespoke OS running on a cheap and cheerful microcontroller with no coprocessor support for asymmetric crypto? Because that's the kind of processor they will find in an IoT light bulb/kettle/appliance.

    The required kind of security has been implemented for many years - in payment cards and chipped passports. The security of these products is enforced via rigorous certification, including certification of the development and manufacturing processes (and physical locations).

    This level of security doesn't come cheap...

    1. Charles 9

      Re: "The bottom layer is also supposed to work on any device and with any operating system"

      But the only solution is to MAKE it cheap...or they'll just ignore you.. And don't count on regulation when there's a booming gray market and a country out there with their own sovereignty who could care less about you.

  19. allthecoolshortnamesweretaken

    On the day IoT thingies are "safe" I'll be riding to my paperless office in a fusion-powered self-driving car.

  20. rjs397
    Holmes

    Payment for updates and escrow

    There is the problem that after a time manufacturers will not want to pay for updates to be distributed.

    So I would make it part of the program that:

    - fees are for the first three years only (and after this ARM continue to distribute patches forever)

    - the manufacturer must support the product and provide security updates themselves for three years

    - ARM hold the code in escrow (which must have a working build environment that was used to initially generate the code) which after the three years is then made an open source project; and device owners can opt in to receive updates from those new projects.

    1. Charles 9

      Re: Payment for updates and escrow

      And if manufacturers balk at the requirements and switch to Intel or some other CPU architecture to avoid the rigamarole?
