Embedded devices, once thought to be too small to include their own security, now undergo more thorough analysis, beginning with firmware testing. The software inside the chip is just as important as the application controlling it. Both need to be tested for security and quality. Some of the early IoT botnets leveraged vulnerabilities and features within the device itself.
“Embedded devices really are one of the most common devices on the Internet, and the security of these devices is terrible.” Those were the words of network security expert H.D. Moore, the developer of the penetration testing software Metasploit Framework, when discussing an illicit attempt to survey the entire internet.
Consumer-Based Embedded Devices
Dan Goodin of Ars Technica tells the tale of a guerilla researcher who collected nine terabytes of data from a scan of 420 million IPv4 addresses across the world. “The vast majority of all unprotected devices are consumer routers or set-top boxes which can be found in groups of thousands of devices,” wrote the anonymous researcher in his 5,000-word report. “A lot of devices and services we have seen during our research should never be connected to the public Internet at all.”
Hackers can do a lot of damage, and with billions of IoT devices forecast to be connected in the next few years, embedded device security should be more than an afterthought.
In 2015, two white hat hackers demonstrated that they could break into late-model Chrysler vehicles through the installed UConnect, an internet-connected feature that controls navigation, entertainment, phone service, and Wi-Fi.
By rewriting firmware on a chip in an electronic control unit (ECU) of a Jeep Cherokee, they were able to use the vehicle’s controller area network (CAN) to remotely play with the radio, windshield wipers, and air conditioning — even kill the engine.
The cybersecurity risks are real. Alan Grau writes on the IEEE Spectrum website about three significant incidents affecting the health care industry. A report by TrapX Labs called “Anatomy of an Attack–Medical Device Hijack (MEDJACK)” describes how hackers were able to target medical devices to gain entry to hospital networks and transmit captured data to locations in Europe and Asia. “Stopping these attacks will require a change of mindset by everyone involved in using and developing medical devices,” says Grau.
Another notorious security intrusion is described in an article on The Verge, “Somebody’s watching: how a simple exploit lets strangers tap into private security cameras”. Strangers were able to watch live streams of unwitting security camera owners within their homes. The vulnerabilities of existing firmware allowed for egregious invasion of privacy.
Embedded Devices and IoT Vulnerabilities
Many of the hackable embedded devices now on the market were created without much consideration for security. “Security needs to be architected from the beginning and cannot be made an option,” says Mike Muller, CTO of ARM Semiconductors, at a seminar he gave at the IoT Security Summit 2015. Muller believes that very few developers have any real understanding of security. “We cannot take all of the software community and turn them into security experts. It’s not going to work.” The answer is that best practices for embedded security must be established and followed. That includes splitting memory into “private critical and private uncritical” and creating device-specific encryption keys. “You have to build systems on the assumption that you’re going to get hacked,” warns Muller.
Identifying potential IoT vulnerabilities requires robust testing before putting devices into production. In 2014, the Open Web Application Security Project (OWASP) published a list called Internet of Things Top Ten: A Complete IoT Review. They recommend testing your IoT device for:
- Insecure Web Interface (OWASP I1)
- Poor Authentication/Authorization (OWASP I2)
- Insecure Network Services (OWASP I3)
- Lack of Transport Encryption (OWASP I4)
- Privacy Concerns (OWASP I5)
- Insecure Cloud Interface (OWASP I6)
- Insufficient Security Configurability (OWASP I8)
- Insecure Software/Firmware (OWASP I9)
- Poor Physical Security (OWASP I10)
As with any testing, well-written test cases will help manufacturers ensure the security of the device. It is better to run through possible scenarios in the lab than to have major issues with customers later.
In November 2016, Dan Goodin of Ars Technica reported that a “New, more-powerful IoT botnet infects 3,500 devices in 5 days”. Goodin writes that “Linux/IRCTelnet is likely only the beginning of what could be a long line of next-generation malware that steadily improves its capabilities.” And he laments the defenselessness of IoT devices that proliferate across the web. It’s a sentiment that’s shared by many.
What about your experiences with IoT security and embedded devices? Any stories to tell? What are your recommendations for making things safer? Feel free to post your comments here.