As embedded devices permeate society and assume ever more important roles, the consequences of security failures are potentially catastrophic. Embedded devices provide unattended operation for thousands of mission-critical or safety-related systems in sectors such as manufacturing, health care, transportation, finance, and the military. Although we rely on these embedded systems without giving them a second thought, any one could be the potential target of casual hackers, organized crime, terrorists, or even adversary governments. The responsibility to protect against these attacks falls squarely on the shoulders of the system designer, who must secure not only the data that passes through or is stored on his embedded device, but also the intellectual property of the product itself.

Historically, designers physically protected and isolated embedded devices to achieve reasonable data security. Today, widespread interconnectivity may expose a critical embedded system to data extraction or process manipulation from anywhere in the world.

Unlike desktop systems, an embedded product must incorporate all security measures before its deployment. Embedded-system designers cannot wait for a breach and then devise a patch to cover security flaws. Users expect embedded products to perform a function for years without modification, and you can't stop or reboot many devices without risking loss of life, property, or critical information.

Security must be a prime design consideration from conception through production, deployment, and end-of-life disposal, because it is almost impossible to add to products currently in the field. The NIST (National Institute of Standards and Technology) provides designers with a number of security-related publications at its CSRC (Computer Security Resource Center). These documents outline life-cycle design principles to consider, such as security-policy definition, product design, threat identification, technological options, and programmer education. For example, the first challenge is to identify what data or proprietary information requires protection before selecting safeguards. It may be possible to reduce or even eliminate sensitive data to minimize the security effort. Next, you should determine your possible attackers and their level of sophistication. A simple password may stop a curious amateur, but determined intruders require multiple levels of security.

An obvious security measure is to physically isolate networked systems from outside influence. If you can collocate the embedded system and server on the same network segment without Internet access, most security problems disappear. Isolation is especially effective in highly critical applications, such as controlling a factory, where disruption would be costly. Minimizing the connection time to the Internet can also thwart many hacking attempts. A short-term connection to exchange data at random times prevents search robots from identifying your system. However, if your embedded system is a target of a hacker, short connections will only delay unauthorized access.

Attackers can steal embedded devices, especially portable products, disassemble them, and probe them with sensitive test equipment to extract data. They can remove memory elements from the products to possibly extract their contents. Likewise, they can use active debugging ports and software to read sensitive data or force unintended operation. Attackers may even monitor electromagnetic radiation or force the system to operate outside its design parameters, with extreme temperatures, voltage excursions, and clock variations, to gain information.

Equipment designers should also incorporate physical deterrents to safeguard sensitive or proprietary information. A hardened enclosure requiring specialized equipment to open may deter some attacks. Internally, designers should engineer pc boards with security in mind. For example, BGA packages with critical signals hidden on internal board layers complicate probing and reverse-engineering. Although you can remove some formulations with acid, epoxies and conformal coatings also provide protection to all or part of a product's sensitive internal circuitry.

To establish standards for system security, the United States, Canada, and several European nations created the "Common Criteria for Information Technology Security Evaluation" usually referred to as "the Common Criteria." The Common Criteria Web site includes a developer section with guidelines and complete documentation. The Common Criteria structure allows consumers, developers, and evaluators to specify the security functions of a product in standard-protection profiles and EALs (evaluation-assurance levels). Another embedded-software security standard, MILS (Multiple Independent Levels of Security), requires a partitioned real-time operating system that you can certify with rigorous tests (Figure 1). Memory protection and guaranteed resource availability allow you to manage secure and nonsecure data on a single processor. The MILS architecture allows designers to create application code with tamperproof security features that you cannot bypass, that you can verify mathematically, and that the system always invokes.

Before a user can interact with a secure embedded system, he must undergo an authentication process to verify his identity. Authentication scenarios may include combinations of a secret password; a physiological trait, such as a fingerprint; or a security device, such as a smart card or key. For example, the EntréPad 1510 slide sensor from AuthenTec enables fingerprint authentication for portable devices such as cell phones. Contained in a 12×5-mm, 40-pin BGA package, the sensor includes a dense 128×8-pixel-detection matrix along with pattern-matching firmware (Figure 2). Hackers have been successful in obtaining passwords by visually or electronically capturing keystrokes or simply asking for them through a variety of subterfuges. Often, passwords pass over local wired or wireless networks in the clear or unencrypted, and attackers can capture them with simple packet-capture programs widely available on the Internet.

When an embedded system must connect to a network or the Internet, designers turn to encryption to safeguard their data. Effective encryption schemes work equally well over wired, wireless, or power-line communications systems. Two basic types of encryption algorithms are in use today, both relying on a secret key plus an encoding sequence to transform plain text into cipher text and vice versa. With symmetric encryption, the sender and receiver use the same key to encrypt and decipher a message. Asymmetric encryption uses two keys—one for encryption and another for decryption. Public-key cryptography is a popular form of asymmetric encryption that makes one of the keys available publicly and keeps the other secret. Key distribution and secrecy are fundamental problems in cryptographic security systems (see sidebar "Safeguarding keys").

The most widely used security protocol for TCP/IP network traffic is the SSL (Secure Sockets Layer), which provides data encryption, server authentication, message integrity, and optional client authentication. SSL comes in 128- and 256-bit versions whose names refer to the length of the session key that encrypted transactions generate. The longer the key, the more secure the encrypted data. IPSec (Internet Protocol Security), another encryption standard, implements security at the network layer and allows the system to transparently encrypt network traffic. You can install IPSec in a gateway computer to secure all traffic passing onto the Internet without adding overhead to individual network nodes. Like most other security protocols, IPSec includes provisions for both key and message exchange. Virtual private networks use IPSec to create secure networks over the Internet.

Targeting military-manpack applications in which security is paramount, General Micro Systems recently introduced a secure portable PC with a 6.5×3×0.5-in. main-board footprint (Figure 3). The Spartan P630 is a hardened PC featuring a 1.4-GHz Pentium-M processor, as much as 2 Mbytes of L2 cache, an embedded GPS (global-positioning-system) receiver, and 802.11b/g wireless communications in a pocket-sized form factor. The company can configure the device with as much as 2 Gbytes of ECC memory, 16 Gbytes of bootable flash, as much as 60 Gbytes of hard-disk drive, and an LCD/touchscreen in a hardened, sealed enclosure. To ensure secure operation, Spartan includes software for preboot access control and data encryption along with automatic file deletion if someone compromises the system. Spartan also features a six-hour battery life and is available in a conduction-cooled version operating at –40 to +85°C or a standard convection-cooled version with a 0 to 55°C temperature range. Packaging options include a titanium-aluminum enclosure for rugged applications. Software support for the P630 is available under Windows XP, Linux, QNX, and VxWorks. Prices for the conduction-cooled version start at $3400 (100).

With improving security, device manufacturers are experimenting with business models to attract more customers. In the pay-as-you-go scenario, customers receive a fully functional device and promise to pay for it as they use it or over the life of a subscription plan. If the customer fails to make a payment, the vendor can disable the device by withholding network-activation codes. A strong security model then prevents the customer from bypassing activation or removing parts.

For example, Microsoft recently announced FlexGo, a pay-as-you-go platform to extend PC ownership into emerging markets. FlexGo requires that system components individually track usage based on active minutes or a specific end date. When a consumer has used all of the available computer time, Microsoft limits access to the PC until the consumer adds more time. The company also imposes usage limitations when there are signs of system tampering. Microsoft has also added secure operating-system components to enable metered use of the software. A FlexGo software-development kit allows businesses to use their own billing systems to manage Microsoft's provisioning system to offer pay-as-you-go computer-use time to customers.

With stand-alone embedded-security challenges, Pure Digital manufactures a pocket-sized, one-time-use camcorder that records as much as 20 minutes of video and audio (Figure 4). The device is available through several camera- and convenience-store outlets for as little as $20 plus a $12 processing charge to copy your movies onto a DVD. The device includes a fixed-focus lens, a 1.4-in. color LCD, and speaker plus operator controls to record, play back, and delete unwanted scenes. Although the device is a hacker's delight, and several Web sites are devoted to extracting the video without returning the camcorder for processing, there are sufficient security measures to deter most users.

Security precautions and potential information-disclosure consequences have changed the fundamental design goals for embedded products. Designers are no longer driven to produce the simplest, lowest cost device for each project. Security requirements have forced designers to beef up resources with faster, more capable processors, secure data storage, and tamperproof hardware to protect the system and data while executing the application.