ARM, Symantec build security standard for Internet of Things

A coalition of security firms has warned that the lack of a cohesive security strategy around IoT could lead to disaster if left unchecked.
Written by Danny Palmer, Senior Writer

Cybersecurity experts have warned that lack of IoT security means "any system could be compromised"

Image: iStock

The lack of a cohesive cybersecurity standard around the Internet of Things and connected devices could result in highly-damaging security breaches that could compromise any industrial, corporate, or home network.

There are already billions of devices -- ranging from sensors, to cars, to hospital equipment and more -- connected to the internet and Gartner estimates that 5.5 million new 'things' are going online every single day. Over five billion devices are currently connected and the figure is expected to rise to 20 billion by 2020.

However, there isn't any sort of standard applied to security in Internet of Things devices, and experts are already predicting a major cybersecurity breach linked back to an unsecured connected device within the next two years.

Now companies including ARM, Intercede, Solacia, and Symantec have developed the Open Trust Protocol (OTrP), designed to provide secure architecture and code management to protect connected devices. The architecture uses technologies deployed in banking and for handling sensitive data on smartphones and tablets.

"In an internet-connected world, it is imperative to establish trust between all devices and service providers," said Marc Canel, vice president of security systems, ARM. "Operators need to trust devices their systems interact with and OTrP achieves this in a simple way. It brings e-commerce trust architectures together with a high-level protocol that can be easily integrated with any existing platform."

OTrP is a high-level management protocol that works with security products, such as ARM's TrustZone-based Trusted Execution Environments, which are designed to protect mobile computing devices from malicious attack. OTrP can be used with public key infrastructure-based systems to allow service providers, app developers, and hardware maker to use their own keys to authenticate and manage trusted software and assets. The group said OTrP can be easily added to existing Trusted Execution Environments or to microcontroller-based platforms capable of RSA cryptography.

At its heart, OTrP is a management protocol designed to work with security software in order to protected Internet of Things and mobile devices from malicious attacks. OTrP is available to download from Internet Engineering Task Force for those who want to test and prototype it in their security environment.

The group of companies hope that the protocol paves the way for an open standard to enable to management of trusted software without the need for a centralised database - much like established method of security architecture in e-commerce.

With new technologies come increased security risks," said Brian Witten, Senior Director, Internet of Things Security, Symantec. "The Internet of Things and smart mobile technologies are moving into a range of diverse applications and it is important to create an open protocol to ease and accelerate adoption of hardware-backed security that is designed to protect on board encryption-keys."

The full group of companies who've worked together on OTrP consists of Intercede, Solacia, Symantec, Beanpod, Sequitur Labs, Sprint, Thundersoft, Trustkernel, Verimatrix and ARM.

Read more on the Internet of Things

Editorial standards