7 takeaways on embedded security
Securing embedded devices is becoming a hot topic, especially as those devices begin to connect to the Internet. There is a real threat from hackers reverse engineering a connected device, and after I attended the "Reverse Engineering RTOS Backdoors" session at ESC Boston the realization struck that such an attack is simple to do. What can embedded software designers do to improve the security of their devices? Here are seven key takeaways from that session that developers need to be aware of.
Takeaway #1 – Exploitation success rate is high
The big questions on the attendee’s minds were how common are security exploits for embedded systems and is security really something that needs to be worried about. Craig Heffner of Tactical Network Solutions, who taught the session, spends his working hours as an embedded systems vulnerability analyst and revealed that 95% of the systems that he attempts to hack have a flaw that allows the device to be commandeered. A success rate of 95% not only reveals that security flaws are present in most embedded systems but also that embedded system developers need to start considering the security implications of what they are doing.
Takeaway #2 – It's not the RTOS but the user code
As you might expect given the session title, there were a number of RTOS vendors in the audience who were very concerned as to where the backdoors and flaws in these embedded systems usually reside. The security flaws turn out to commonly be in the user-developed code and NOT within the RTOS itself. One reason for this is that the RTOS tends to be a collection of small functions that manipulate the low level hardware and don’t present any "low hanging fruit" for exploitation. Instead, hackers prefer to first look at any web-based administration code that may provide them with administrative rights to the device.
Takeaway #3 – Beware third-party code
In the session Heffner presented an example that he randomly selected from the Internet: a Belkin F5D7234-4v4 wireless router. Over the course of a single workweek he was able to discover a backdoor that allowed him to obtain full administrative rights to the device. Additional investigation revealed that routers from other manufacturers had the same flaw. After some tracing, he realized that the backdoor exploit he had found was the result of third-party code included in the devices that had been modified for each OEM. The key lesson from the discovery is that third-party code should be reviewed and vetted for any potential flaws, not just integrated with the assumption that it is flawless.
Takeaway #4 – Analysis tools are cheap
One might think that the tools necessary to download, analyze, and discover a security exploit would be relatively expensive and out of reach for many would-be hackers. Unfortunately, this couldn’t be further from the truth. The tools necessary to perform these feats are mostly free, with the exception of one tool that costs a measly $1000. The potential havoc that could be unleashed for a mere $1000 and a week or two of work is undoubtedly makes the investment extremely worthwhile for hackers.
Takeaway #5 – Disabling WAN access not enough
Embedded developers seem to take the stance that their embedded device is on a local network and that its access to the WAN is disabled, so why care about possible security flaws? If the device can’t see the Internet then there is no way that a hacker could access the device, right? Wrong. Heffner demonstrated an interesting technique using standard HTML that allowed a would-be hacker to use a webpage with nothing more than image tags to enable WAN access in the embedded device. This then allowed hacker access to the device and the rest of the network.
Takeaway #6 – Watch out for text strings
One of the problems with text strings is that … well, it's text. Text can easily be read and understood by anyone who is interested in looking at it. Heffner's review of code pulled from the Belkin device he had hacked revealed the developer's name along with other interesting information that helped the network specialist decipher how the device worked. The moral of the story is to be very careful with information and data stored in your design that is not encrypted.
Takeaway #7 – Secure your firmware
The most important takeaway from the session was to secure your embedded software against outside viewers. Hackers need to be able to see and reverse-engineer code in order to find an exploit easily. Preventing hackers from having access to code in any format makes their job much more difficult. For example, don’t provide binary firmware update images in full that can be downloaded and flashed to the device. A hacker can download the image too and then reverse engineer its behavior.
Sometimes, too, when an update image isn’t available, hackers will just buy the device and download the code from the hardware. The best way to prevent hackers from doing this is to secure embedded flash. Many microcontrollers and microprocessors have methods for securing the flash so that it cannot be read.
Employing these two methods won’t make a device absolutely secure, but they will make it far more difficult to exploit.
Embedded software engineers need to get concerned about security. The pressure to get to market, to add product features, and to create a robust product often leaves developers scrambling to get a product out the door. But once that product enters the world there is no telling how long it will be out there or how it might be exploited for nefarious purposes. Ignoring the security implications on even the simplest connected device could thus result in providing hackers with the computing power they need to really cause some trouble. Security may not be the embedded software developers’ highest priority, but it is time to at least put it on the priority list.
Jacob Beningo is a Certified Software Development Professional (CSDP) whose expertise is in embedded software. He works with companies to decrease costs and time to market while maintaining a quality and robust product. Feel free to contact him at firstname.lastname@example.org, at his website www.beningo.com, and sign-up for his monthly Embedded Bytes Newsletter here.
Join over 2,000 technical professionals and embedded systems hardware, software, and firmware developers at ESC Silicon Valley July 20-22, 2015 and learn about the latest techniques and tips for reducing time, cost, and complexity in the embedded development process.
The Embedded Systems Conference and EDN are owned by UBM Canon.