Some may think that embedded software simply cannot be hacked. Is it really so? How can we defend ourselves? In this text, you’ll find out.
Not so long ago, the idea of hacking devices or systems every Tom, Dick, and Harry would hear in Poland could be perceived as since fiction. From time to time, we have heard about a brilliant hacker who hacked into the CIA or played a prank on some popular website.
There were people who magically made phone calls using a phone booth without paying, broke the security system of a popular game console, or pranked a friend by controlling their CD-ROM over the local network.
However, most of these incidents involved non-embedded systems, and most of the hacking incidents were intended for learning, fooling around, or getting popular in the cyberspace.
When the global production shifted towards China, plagiarism became a massive problem. The Chinese copied everything they could. Manufacturers of popular embedded devices were petrified when cheaper versions of their solutions appeared on the market. In the beginning, some believed that nobody would buy this “junk,” but it wasn’t so. To prevent copying, various methods of protecting the devices and their software were created.
Some manufacturers used mechanisms protecting the flash memory from being read by the processor. Some used encrypted bootloaders or other simple mechanisms confirming the hardware (HW) is made by the proper manufacturer. However, the scammers didn’t fall behind, they were inventing more and more advanced bypasses for the security systems. As a result, the practice became more popular, making microcontroller hacking or device copying a lot cheap
The worldwide growth of the Internet has led us to connect everything to the network, even light bulbs, refrigerators, hairdryers, and cars. However, not everything has been designed to work safely within such an environment. Some things were just not meant to be used in connection to the net originally.
What is more, constant increase in embedded systems’ computing power, which could make older PCs blush, and development speed pressure from manufacturers make most devices utilize open-source solutions.
Unfortunately, the time for testing or analyzing code quality is reduced to the minimum, which sometimes means no testing at all. Embedded systems prone to attacks from the web encourage the criminals. Hacking has largely transformed from a form of learning and showing off into a criminal practice. Today, hackers (blackhat) steal and extort money, sell personal information, trade business data, leak system blueprints, and blackmail their victims.
Who would even want to break in here? Who would need this information? Why should I care if I have nothing to hide? Many people disregard the threat of hacker attacks. Yet nowadays it’s not a matter of if, but rather when someone breaks in.
Law enforcement statistics are terrifying. In 2020, about 55,000 cybercrimes were recorded in Poland, while four years earlier they were half of the number. In addition, some governments support teams of hackers who, on their behalf, perform y questionable tasks to obtain data or disable selected industrial systems. Don’t believe me? I suggest reading the following articles:
Furthermore, we must remember that criminals do not always want our data stored in the system. Sometimes the hijacked machine is used for its computing power, resources, microphones, cameras, or other resources that may be used in another crime or be a source of information about the device user.
After just a moment of searching the Internet, you can find a lot of articles describing vulnerabilities or incidents related to products such as toys, both for kids and of the adult type, various IoT house appliances, and the most critical embedded systems such as cars, cameras, or routers.
All these incidents show that there is still a lot of work to be done with regard to security in embedded systems in general, regardless of the size and complexity of particular systems. Neglecting this issue may result in products and even whole brands losing their users’ and clients’ trust.
Here are just a few examples of such break-ins.
Yes, of course! Although, the fight is not fair, because the programmers and constructors aim at patching all system vulnerabilities, while the criminals need to find just one, small hole in our defense system to use it. However, even a basic security system, if well-designed, will discourage a certain group of perpetrators and make things harder for the remaining ones. Obviously, no system is fully secure. Nevertheless, by building new “walls” to our “fortress”, we make the attacks less profitable or requiring very high technical skills of the attacker. This definitely discourages cybercriminals – after all, they are either looking for quick and easy earning or a precious loot.
First of all, it is worth checking the system carrying out specialized security tests. These are called penetration tests. They should reveal a number of weaknesses in the product. The report will become a good introduction to the analysis of software vulnerability when determining the threats and risks associated with it. Then, based on the analysis and test results, appropriate mechanisms should be implemented to reduce the risk of specific threats and to fix the gaps found during the tests.
Securing communication is one such mechanism. In some cases – a completely new development process armed with tools and processes improving code production is the right choice. In others, the use of hardware (HW) crypto elements on PCBs, security systems of JTAG, or other external peripherals does the trick. To check whether the implemented processes provide measurable benefits, it is worth extending the testing process by new types of security tests, such as fuzz tests at different levels of the system, encryption algorithm tests, or the module-dedicated white/gray or black-box penetration tests.
A huge amount of money can be spent on system security. To avoid that, it is important to carry out a meticulous and in-depth analysis of the system in order to choose the best mechanisms and tests for its needs. It is good to know that although the field of security is very complex and expensive, investing in basic protection is still better than ignoring the issue. Keep in mind that the technological awareness both among general users and governments is constantly growing. Underestimating the importance of security may quickly turn against you. We can already see the tendency of introducing governmental safety standards (see articles below) required for all devices distributed in the market. Not meeting them, not only will you suffer financial losses, but you will also be perceived as a delinquent and lose credibility among the users. So, let’s not trivialize the topic of security, because as the facts show, the threat is real and can affect us at any time.
At Solwit, we always put system security high on our priority list. Over the last 10 years, we have completed projects that required compliance with very strict safety standards, also in accordance with the ISTQB standards.