Embedded Systems Security

Embedded systems are computing systems designed for dedicated functions within larger systems, often with real-time constraints. They consist of a combination of hardware, software, and optionally mechanical parts. The software for embedded systems is often written in low-level programming languages, such as C or assembly language, to optimize performance and minimize memory usage. In addition to the application code, embedded systems also require software for managing the hardware interfaces, such as device drivers, communication protocols, and embedded OSes.

Embedded systems are commonly found in consumers, industrials, automotives, home appliances, smart buildings, medical, telecommunication, commercial, aerospace and military applications.

 With the increasing use of IoT, embedded systems are becoming more connected and integrated with other systems, which presents new challenges for ensuring security and reliability.

Embedded systems typically have limited resources in terms of processing power, memory, and energy, and are designed to operate reliably in harsh environments. They can be based on a variety of hardware architectures, such as microcontrollers, digital signal processors, or field-programmable gate arrays (FPGAs).  These limitations provide an avenue of attack in that a software virus, or a hardware Trojan horse can cause denial of service by consuming any of these resources.

For example, an attacker can drain the battery of a limited lower power consuming embedded system and causes system failure even when breaking into the system is impossible. Embedded systems generally carry out tasks that have timing deadlines. Missing these timing deadlines may cause loss of property or even life by simply adding some sort of delay in the execution of an instruction or a series of instructions, the attacker can achieve the objective of the attack. Moreover, some embedded systems operate under extreme conditions (high temperature, humidity, and radiation); causing any of these environment parameters to change can also affect the performance of embedded systems.

General purpose computers usually employ a popular brand of processors. Whereas, in the case of embedded systems there is a lot of variation in processors and operating systems. This provides for an inherent security against the propagation of attacks and security threats from one device to the other. 

Embedded systems might operate unattended without the need of a system administrator. Therefore, there is usually no reporting mechanism on the attacks being carried out against the device compared to those reported by an antivirus or firewall in the case of traditional computer systems. Circuit level attacks may also exist either at the level of discrete components or hidden in an integrated circuit.

Some Common Attacks on Embedded Systems:

·        Control hijacking attacks: An attacker can divert the normal control flow of the programs running on the embedded device resulting in executing code injected by the attacker.

·        Reverse engineering: Often, an attacker can obtain sensitive information (e.g., an access credential) by analyzing the software (firmware or application) in an embedded device. This process is called reverse engineering. By using reverse engineering techniques, the attacker can find vulnerabilities in the code (e.g., input parsing errors) that may be exploited by other attack methods.

·        Malware: An attacker can try to infect an embedded device with malware. A malware that infects an embedded device may modify the behavior of the device, which may have consequences beyond the cyber domain.

·         Injecting crafted packets or input: A similar type of attack is the manipulation of the input to a program running on an embedded device. Both packet and input crafting attacks exploit parsing vulnerabilities in protocol implementations or other programs. In addition, replaying previously observed packets or packet fragments can be considered as a special form of packet crafting, which can be an effective method to cause protocol failures.

·         Eavesdropping (or sniffing): This is a passive attack method whereby an attacker only observes the messages sent and received by an embedded device. Those messages may contain sensitive information that is weakly protected or not protected at all by cryptographic means. In addition, eavesdropped information can be used in packet crafting attacks (e.g., in replay type of attacks).

·        Brute-force search attacks: Weak cryptography and weak authentication methods can be broken by brute force search attacks. Those involve exhaustive key search attacks against cryptographic algorithms such as ciphers and MAC functions, and dictionary attacks against password-based authentication schemes. In both cases, Brute-force attacks are feasible only if the search space is sufficiently small.

·        Normal use: An attacker exploits an unprotected device or protocol through normal usage. For instance, the attacker can access files on an embedded device just like any other user if the device does not have any access control mechanism implemented on it.

 The Effect Of The Above Attacks Can Be The Following:

  • Denial-of-Service caused malfunctioning or completely halting the device.
  • Code execution: Execution of attacker supplied code on the embedded device as the effect of potential attacks. This also includes web scripts and SQL injections, not only native code of the device.
  • Integrity violation: A common effect of potential attacks is the integrity violation of some data or code on the device. This includes modification of files and configuration settings, as well as the illegitimate update of the firmware or some applications on the device.
  • Information leakage: The effect of the attack is the leakage of some classified information.
  • Illegitimate access: An attacker has no access to the device, manages to logically break into it. Or the attacker has already some limit access, but he gains more privileges.
  • Financial loss: Certain attacks enable the attacker to cause great financial losses to the victims.
  • Degraded level of protection: A device is tricked into using weaker algorithms or security policies than it is supported.

To prevent attacks on embedded systems, developers should:

  • Always have your sensitive data and applications secured with strong cryptographic keys.
  • Start your embedded systems with a secure boot.
  • Never ignore misconfigurations or isolation mechanisms.
  • Expect firmware, software to be updated regularly following CI/CD.
  • Limit access to embedded systems to a need-to-use basis.
  • Avoid unauthorized software access.
  • Provide a way for network administrators to monitor connections to and from embedded systems.
  • Allow integration with third-party security management systems.

In summary, security issues in an embedded system span across various layers of abstraction from hardware, firmware, and software. Embedded system security requires an end-to-end approach that includes addressing security issues during the design phase to E2E validation. Security considerations should include the cost of an attack on an embedded system, the cost of an attack and the number of possible attack vectors.

 

Comments

Post a Comment

Popular posts from this blog

QUALITY MANAGEMENT PRINCIPLES & PRACTICES

Image
  I.       QUALITY MANAGEMENT PRINCIPLES 1.      Meeting Customer Expectations : o    Detail : Quality is defined by how well a product or service meets the needs and expectations of customers. This means understanding what your customers value and ensuring your offerings align with those values. o    Example : If you are developing a software product, quality means delivering a bug-free, user-friendly application that performs the functions your customers need. Regularly gathering customer feedback and making improvements based on their input is crucial.   2.      Everyone's Responsibility : o    Detail : Quality is not just the responsibility of the quality assurance team; it involves every employee in the organization. Each person must ensure that their work meets the required standards and contributes to the overall quality. o    Example : In yo...
Read more

KPIs EXAMPLES

  Corporate Quality, Security, Software Development Life Cycle, Hardware Development Life Cycle, Manufacturing KPIs (Key Performance Indicators) Examples Key  Performance Indicators (KPIs) are specific metrics that are used to evaluate the performance of an organization, team, or individual in achieving their objectives. These metrics are quantifiable and directly linked to strategic goals, allowing for monitoring progress and making informed decisions. KPIs usually include primary owners, secondary owners, key objectives, measurements, due dates, status updates, percentage completions, comments etc. Here are some examples of KPIs: I.                QUALITY KPIs:   1. Customer Satisfaction Index (CSI):    - Definition: CSI measures how satisfied customers are with a company's products or services.    - Calculation: CSI can be calculated through surveys, feedback forms, o...
Read more

Firmware Development and Debugging

An Approach To Firmware Development and Debugging 1. Understand the Hardware: Before writing firmware, you need a deep understanding of the hardware you're working with. Study the datasheets, reference manuals, and schematics for the microcontroller or embedded system you're using. This will help you understand the available peripherals, memory layout, and other hardware-specific details. 2. Choose a Programming Language: Firmware can be written in various programming languages, with C and C++ being the most common due to their low-level capabilities and efficiency. Choose a language that is supported by the microcontroller's toolchain and suits the project's requirements. 3. Set Up the Development Environment: - Install the necessary Integrated Development Environment (IDE) or text editor. - Install the toolchain (compiler, linker, debugger) that supports your microcontroller. - Set up any necessary drivers for programming and debugging hardware. 4. Start Writing Code:...
Read more