The potential of the “internet of things” grows by the day as more devices and objects are connected to each other. Just one problem: The vast majority of IoT devices appear to be woefully insecure.

With that in mind, U.K.-based chip designer ARM Ltd. today unveiled its vision for protecting more than a trillion connected devices, with security embedded deep into the silicon that powers them.

What ARM is proposing is a common industry framework it calls the Platform Security Architecture, which lays out a secure foundation for every connected device. The company’s proposal has been endorsed by a wide range of cloud, hardware and chip manufacturing partners, including the likes of Google LLC, Cisco Systems Inc. and Baidu Inc.

With its proposal, ARM is attempting to tackle three major problems with the IoT today. The first is that most IoT devices cannot easily be updated with new software to patch known vulnerabilities, which leaves them wide open to hackers. Second, most IoT devices come with hard-coded security credentials, usually using “admin” as both the user name and the password, and users rarely change them. Last, most IoT devices send private data over the web in plain-text format, which means everything is there for the taking if that device becomes compromised.

ARM believes that the best way to overcome these issues is to emmbed security features inside its ARM Cortex processors, which are used in a range of IoT applications and devices, the company’s IoT executive, Paul Williamson, said in a blog post Monday. He added that when it comes to security, no device should be left behind.

One year ago, ARM parent company SoftBank Group’s chairman Masayoshi Son said at ARM’s TechCon 2016 conference that he expects there will be 1 trillion connected devices in the world by 2035. Now, ahead of TechCon 2017, ARM is reiterating the need to protect all of those devices.

“This trust will need to be earned while battling hackers who relentlessly seek vulnerabilities to find more entry points into our lives,” Williamson wrote. “This means that security cannot be an afterthought across all parts of the value chain from device to cloud.”

ARM said it will ship 100 billion chips by the year 2021 as the demand for IoT devices accelerates. But ARM also recognizes that these IoT devices will be incredibly diverse, built by hundreds of  manufacturers, each of which will have its own ideas (or lack of them) about security. That’s why it believes a common security foundation is necessary to secure them all.

The proposed Platform Security Architecture is therefore designed to provide security analysis, firmware and hardware architecture specifications. It comes with an open-source reference design for implementing the firmware specification, called Trusted Firmware-M.

“PSA is a fundamental shift in the economics of IoT security, enabling ecosystems to build on a common set of ground rules to reduce the cost, time, and risk associated with IoT security today,” Williamson said.

Industry analysts welcomed ARM’s initiative, saying it was an essential step toward securing tomorrow’s IoT devices.

“Broad-based IoT deployment will require a fundamental rethinking on security and I think ARM’s industry proposal has a lot of merit,” said Patrick Moorhead, president and principal analyst at research firm Moor Insights & Strategy. “Securing a trillion end points make security mandatory, not optional, and ARM’s proposal contemplates many of the most aggressive surface attack points and also provides a way to update the silicon in the future for new kinds of attacks.”

ARM said the initial focus of its initiative will be its ARMv8-M systems. It expects to release the source code for Trusted Firmware-M early next year. The company also took the opportunity to urge everyone else to do their bit and move faster to secure the IoT. “All parts of the value chain need to embrace the guiding principle that security can no longer be optional,” Williamson said.

Image: kalhh/pixabay