Securing Our Embedded Systems
Tony Pallone | August 01, 2018
They can be found throughout the typical home, in appliances such as washing machines, microwave ovens and dishwashers, in electronics such as mobile phones, video game consoles, printers and MP3 players and in all types of networked systems such as wireless routers, security systems and home automation interfaces. They are also present throughout our cars, in the form of systems designed for anti-lock braking, electronic stability control, automatic four-wheel drive and more. And in medicine, they are used for CT scans, MRIs, pacemakers, vital signs monitors - the list goes on.
What are they? Embedded systems, which are computer systems that serve dedicated functions within the context of a larger system. They are an essential component of numerous mechanical and electrical devices, including ones many of us interact with on a daily basis. No surprise then that their vulnerability to hacking presents a significant challenge to the smooth functioning of society.
Devices with embedded systems offer a variety of opportunities for hackers - they can be controlled, they can be disabled (or “bricked”) and they can even be used to spy on unwitting users. Given that level of permeability, one might imagine that a greater degree of security would have been built into embedded systems from the beginning. But looking back to the development of microwave ovens, for example, it’s unlikely anyone thought of them as a security risk.
What’s changed? The movement toward an internet of things, or IoT, through which the computer systems in everyday objects are increasingly being connected. This trend enables a variety of things to exchange data, potentially reducing the need for human labor, increasing systems efficiency and benefitting the economy as a whole. But there’s a darker side to this trend as well. Look up the phrase “internet of things” on Google and it can be found in this sentence from the Oxford English Dictionary:
“If one thing can prevent the Internet of things from transforming the way we live and work, it will be a breakdown in security.”
So the next question is: What do we do about it?
From the development side, there are a few different layers of embedded systems security to be considered: systems engineering, which is implemented through firewalls, secure communication protocols, data authentication or encryption and the like; hardware, which involves physical barriers to access, such as secure device enclosures; and software, for which security primarily means following best practices. The number of variables involved in software security is considerable, which may explain why its implementation is generally less consistent than the other security types.
The Open Web Application Security Project (OWASP) offers a list of Top 10 Best Practices for securing embedded applications. The list includes things like preventing the use of functions that could intentionally corrupt firmware memory, avoiding hardcoding sensitive information such as passwords into firmware release images, removing unnecessary pre-production build code prior to firmware release and so on.
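The three practices named above can be checked mechanically before a firmware image ships. The following release-gate sketch is an added example, not part of the original article or of OWASP's material; the sample image bytes, the rule lists and all function names are constructed for illustration.

```python
import re

# Constructed bytes standing in for a firmware release image (not a real build).
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"strcpy\x00memcpy\x00snprintf\x00gets\x00"
    + b"\x13\xfe" + b"admin_password=changeme123\x00"
    + b"\xff\xff" + b"DEBUG_BUILD: uart shell enabled\x00"
    + b"\x00\x01" + b"Copyright Example Vendor\x00"
)

# Hypothetical rule sets; a real project would maintain its own.
BANNED_FUNCS = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}
SECRET_RE = re.compile(r"(?i)(pass(?:word|wd)?|secret|api_?key|token)\s*[=:]\s*\S+")
DEBUG_RE = re.compile(r"(?i)\b(?:debug_build|test_mode|uart shell)\b")
STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(blob):
    """Yield runs of 4+ printable ASCII bytes, like the Unix `strings` tool."""
    for match in STRINGS_RE.finditer(blob):
        yield match.group().decode("ascii")


def audit_image(blob):
    """Return (category, detail) findings for one image, in file order."""
    findings = []
    for text in printable_strings(blob):
        # Exact symbol names only survive in unstripped builds; a source-level
        # lint is the stronger control, this catches what slipped through.
        if text in BANNED_FUNCS:
            findings.append(("banned-function", text))
        secret = SECRET_RE.search(text)
        if secret:
            # Report the key name only so the audit log never repeats the secret.
            findings.append(("hardcoded-secret", text[:secret.end(1)]))
        if DEBUG_RE.search(text):
            findings.append(("debug-artifact", text))
    return findings


def release_ok(blob):
    """Gate: a release image passes only when the audit finds nothing."""
    return not audit_image(blob)


if __name__ == "__main__":
    for category, detail in audit_image(SAMPLE_IMAGE):
        print(f"{category}: {detail}")
```

A gate like this belongs in the build pipeline, so that a failing image never reaches the signing or release step.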
On the consumer side, it’s worth noting that the majority of consumers don’t feel particularly confident about IoT security. A recent study by Gemalto found that 90% of consumers believe there should be IoT security regulations, and nearly three-quarters of those surveyed believed that government should play a role to ensure safeguards.
However, it may take some time for that to happen. The National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce, recently issued a draft report on IoT cybersecurity standards that paints an eye-opening picture of the current state of standards development and marketplace implementation. There are few areas in which standards are fully developed; for example, in the area of connected vehicles, cryptographic technique standards are in place but standards are only beginning to be developed for network security. There are, moreover, no areas for which NIST considers market implementation to be complete.
Still, there are some simple things consumers can do right now to bolster security on their embedded systems devices - setting a key lock on a smartphone, changing the default passwords on routers and wireless networks and keeping IoT devices separate from computers and smartphones by segmenting a home network (OK, admittedly that one’s not as simple, but it can be done; here’s one example of a how-to guide). Home scanning software that looks for device vulnerabilities is beginning to appear, as well. Examples include Bullguard and Bitdefender, both of which are free.
The bottom line is that embedded systems are just about everywhere, often buried in devices that don’t seem like computers at all. Where there are systems, there are also system vulnerabilities. As we move forward into a more connected world, we will need to move carefully. Here’s hoping that the pace of embedded systems and IoT development does not exceed our ability, or perhaps more importantly, our willingness, to do exactly that.