prpl Foundation Reveals Vision for a Secure Internet of Things

Report Describes Hardware-Enforced Approach to Enabling High-Grade, Scalable, Interoperable Security for IoT Devices

SANTA CLARA, CA, Jan. 7, 2016 –The prpl Foundation today announces availability of a new document describing a scalable, interoperable and high quality approach to improved security for devices and information in a rapidly connecting world. The new publication, Security Guidance for Critical Areas of Embedded Computing, outlines an easy-to-implement approach and is available at http://prpl.works/security-guidance/.

“The Internet of Things is rapidly connecting our world in ways not anticipated even a decade ago. This connectivity finds its way into everything from light bulbs and home appliances to critical systems including cars, airlines and even hospitals. Security, despite its huge and increasing importance, has so far been addressed in piecemeal and often proprietary ways. Given ubiquitous connectivity and the rapid emergence of IoT, the need for a well-designed, structured and comprehensive security architecture has never been greater,” said Art Swift, president of the prpl Foundation.

Embedded systems and connected devices are already deeply woven into the fabric of our lives, and their footprint is expanding at a staggering rate. Gartner estimates that 4.9 billion connected things were in use by the end of 2015, a 30% increase from 2014. This will rise to 25 billion by 2020 as consumer-facing applications drive volume growth, while enterprise sales account for the majority of revenue.

Security is a core need for manufacturers, developers, service providers and other stakeholders who produce and use connected devices. Most of these – especially those used on the “Internet of Things” – rely on a complex web of embedded systems. Securing these systems is a major challenge, and failure to do so can result in significant harm to individuals, businesses and to nations.

“Under the prpl Foundation, chip, system and service providers can come together on a common platform, architecture, APIs and standards, and benefit from a common and more secure open source approach,” added Cesare Garlati, prpl’s chief security strategist.

The new Security Guidance Document lays out a vision for a new hardware-led approach based on open source and interoperable standards. It proposes to engineer security into connected and embedded devices from the ground up, using three general areas of guidance. These are not the only areas that require attention, but they will help to establish a base of action as stakeholders begin addressing security in earnest.

These areas include:

Addressing fundamental controls for securing devices. The core requirement, according to the document, is a trusted operating environment enabled via a secure boot process that is impervious to attack. This requires a root of trust forged in hardware, which establishes a chain of trust for all subsystems.

Using a Security by Separation approach. Security by Separation is a classic, time-tested approach to protecting computer systems and the data contained therein. The document focuses on embedded systems that can retain their security attributes even when connected to open networks. It is based on the use of logical separation created by hardware-enforced virtualization, and also supports technologies such as paravirtualization, hybrid virtualization and other methods.

Enforcing secure development and testing. Developers must provide an infrastructure that enables secure debug during product development and testing. Rather than allowing users to see an entire system while conducting hardware debug, the document proposes a secure system to maintain the separation of assets.

By embracing these initial areas of focus, stakeholders can take action to create secure operating environments in embedded devices by means of secure application programming interfaces (APIs). The APIs will create the glue to enable secure inter-process communications between disparate system-on-chip processors, software and applications. Open, secure APIs thus are at the center of securing newer multi-tenant devices. In the document, the prpl Foundation offers guidance defining a framework for creating secure APIs to implement hardware-based security for embedded devices.

Supporting Quotes:

“Great paper, very well laid out and easy to read and comprehend. Focus is around constructing the hardware and virtual layers of the endpoints to be designed properly to limit exposure should they come under attack. The four types of IoT systems mentioned in this paper (auto, medical, weapons, and airlines) can all have very personal ramifications to an individual’s health if something should go wrong”

– David Lingenfelter, Information Security Officer, IBM Security Systems and Co-Chair Mobile Group at Cloud Security Alliance

“Imagination welcomes prpl’s efforts in addressing the critical security needs in embedded devices with a well-designed, open and standards-based approach. We agree that a structured solution starting with a clear root-of-trust and building comprehensive hardware separation and a robust development and test infrastructure is critical. In fact, we developed OmniShield-ready hardware and software IP driven by the same fundamental considerations, providing root-of-trust and hardware virtualization across all the processors in an SoC including CPUs and GPUs to build a truly secure and reliable system.”

– Majid Bemanian, Director of Marketing, Imagination Technologies

“I read the document with great interest. It is a very good and comprehensive report which we do support. Our security expertise is mainly on network security and user authentication: device security is new to us but I see a lot common approaches with the network security.”

– Rahim Tafazolli, Director of Institute for Communication Systems and 5G Innovation Centre at University of Surrey

“I like the [document] approach as well as the flow of information. The security topics covered are appropriate and well written. It lays out the case for the dangers, problems and effect on ‘the individual way of life’ if IoT systems are not secured – as a single vulnerable coffee maker can give someone access to your whole connected life. I would even suggest starting a prpl Foundation working group to engage other IoT vendors.”

– Mike Janke, Chairman & Co-Founder of Silent Circle

“The prpl document is a fine start for describing the security methods needed, and in general we agree with the mechanisms described in the document.”

– Sherman Chen, VP of Engineering, Broadband and Connectivity Group, Broadcom

“[The prpl guidance] is an excellent document showing how to secure embedded computing in a world of IoT. Using detailed examples of recent hacks in embedded computing, it takes the reader step by step though the weaknesses and show how they can be overcome using methods like root of trust, secure boot process, separation of duties and secure development and testing. All the methods are described in details using infographics and examples.”

– Jesper Jurcenoks, Product Manager Vulnerability Assessment at Alert Logic

“Security of devices is a fundamental topic that goes together with their technological evolutions and feature sets; IoT will not scale up if each connected device will not be perceived as a trusted entity by end users; this document provides a great analysis on the subject.”

– Corrado Rocca, Head of the Home Gateway Initiative (HGI) Marketing Committee, HGI

“As a security engineer I spend my professional life addressing inherent risk in network and control systems, from medical devices through to complex operational platforms. This paper neatly deals with many of the problems my clients struggle with and I recommend it to anyone that is interested in making our world more secure and resilient.”

-Nigel Stanley, Practice Director – Cyber Security, TUV Rheinland OpenSky Ltd.

“The prpl guidance is hitting on several important points, such as separation and secure boot. With IoT, every endpoint can be individually attacked from a hardware perspective, which can be used as a stepping stone to further software attacks. A ‘break once’ in hardware can still lead to a ‘run anywhere’ in software, which is a risk to an entire ecosystem.”

– Jasper van Woudenberg, Chief Technology Officer, Riscure North America

About prpl
prpl (pronounced “Purple”), is an open-source, community-driven, collaborative, non-profit foundation targeting and supporting the MIPS architecture – and open to others – with a focus on enabling next-generation datacenter-to-device portable software and virtualized architectures. prpl represents leaders in the technology industry investing in innovation in efficiency, portability and compatibility for the good of a broad community of developers, businesses and consumers. Initial domains targeted by prpl include datacenter, networking & storage, connected consumer and embedded/IoT. See: www.prplfoundation.org.