Is it possible to hack your embedded software? Insights about cybersecurity in embedded systems.
Some may think that embedded software can not be hacked. Is it really so? How to defend ourselves? In this article, you’ll find the answers.
Hackers
Not so long ago, the idea of hacking devices or systems could be perceived as fiction. From time to time, we have heard about a brilliant hacker who hacked into the CIA or played a prank on some popular website.
There were people who magically made phone calls using a phone booth without paying, broke the security system of a popular game console, or pranked a friend by controlling their CD-ROM over the local network.
However, most of these incidents involved non-embedded systems, and most of the hacking incidents were intended for learning, fooling around, or getting popular in cyberspace.
A new player in the market — China
When global production shifted towards China, plagiarism became a massive problem. The Chinese copied everything they could. Manufacturers of popular embedded devices were petrified when cheaper versions of their solutions appeared on the market. In the beginning, some believed that nobody would buy this “junk,” but it wasn’t so. To prevent copying, various methods of protecting the devices and their software were created.
Some manufacturers used mechanisms protecting the flash memory from being read by the processor. Some used encrypted bootloaders or other simple mechanisms confirming the hardware (HW) is made by the proper manufacturer. However, the scammers didn’t fall behind, they were inventing more and more advanced bypasses for the security systems. As a result, the practice became more popular, making microcontroller hacking or device copying a lot cheaper.
Connecting to the Internet
The worldwide growth of the Internet has led us to connect everything to the network, even light bulbs, refrigerators, hairdryers, and cars. However, not everything has been designed to work safely within such an environment. Some things were just not
meant to be used in connection to the network originally.
Moreover, constant increase in embedded systems’ computing power, which could make older PCs blush, and development speed pressure from manufacturers make most devices utilize open-source solutions.
Unfortunately, the time for testing or analyzing code quality is reduced to the minimum, which sometimes means no testing at all. Embedded systems prone to attacks from the web encourage criminals. Hacking has largely transformed from a form of learning and showing off into a criminal practice. Today, hackers (black hat) steal and extort money, sell personal information, trade business data, leak system blueprints, and blackmail their victims.
Is your software really safe?
Who would even want to break in here? Who would need this information? Why should I care if I have nothing to hide? Many people disregard the threat of hacker attacks. Yet nowadays, it’s not a matter of “if”, but rather “when” someone breaks in.
Why is that so important?
Law enforcement statistics are terrifying. In 2020, about 55,000 cybercrimes were recorded in Poland alone, while four years earlier they were just half of that. In addition, some governments support teams of hackers who, on their behalf, perform questionable tasks to obtain data or disable selected industrial systems. If you still do not believe read the following articles:
Windows bug used to spread Stuxnet remains world’s most exploited | Ars Technica
Furthermore, we must remember that criminals do not always want our data stored in the system. Sometimes the hijacked machine is used for its computing power, resources, microphones, cameras, or other resources that may be used in another crime or be a source of information about the device user.
Breaking into embedded systems — does it happen?
It doesn't take much research on the Internet to find a lot of articles describing vulnerabilities or incidents related to products. Such as toys, both for kids and adults of the adult type, various IoT house appliances, and the most critical embedded systems such as cars, cameras, or routers.
All these incidents show that there is still a lot of work to be done with regard to security in embedded systems in general, regardless of the size and complexity of particular systems. Neglecting this issue may result in products and even whole brands losing their users’ and clients’ trust.
Here are just a few examples of such break-ins.
Tesla (TSLA), Cloudfare (NET) Breached in Verkada Security Camera Hack — Bloomberg
Not even your vibrator is safe from data-mining, hackers prove (mashable.com)
Using a Toy to Open a Fixed-Code Garage Door in 10 Seconds
The Worst and Weirdest IoT Hacks of All Times (finance-monthly.com)
Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob | WIRED
How easy is it to steal your car? — Which? News
How to protect your embedded software?
The fight is not fair, because the programmers and constructors aim at patching all system vulnerabilities, while the criminals need to find just one, small hole in our defence system to use it. However, even a basic security system, if well-designed, will discourage a certain group of perpetrators and make things harder for the remaining ones. Obviously, no system is fully secure. Nevertheless, by building new “walls” to our “fortress”, we make the attacks less profitable or requiring very high technical skills of the attacker. This definitely discourages cybercriminals — after all, they are either looking for quick and easy earning or precious loot.
How to insecure your almost ready software product?
First of all, it is worth checking the system carrying out specialized security tests. These are called penetration tests. They should reveal a number of weaknesses in the product. The report will become a good introduction to the analysis of software vulnerability when determining the threats and risks associated with it. Then, based on the analysis and test results, appropriate mechanisms should be implemented to reduce the risk of specific threats and to fix the gaps found during the tests.
Securing communication is one such mechanism. In some cases — a completely new development process armed with tools and processes improving code production is the right choice. In others, the use of hardware (HW) crypto elements on PCBs, security systems of JTAG, or other external peripherals does the trick. To check whether the implemented processes provide measurable benefits, it is worth extending the testing process. You can do it by new types of security tests, such as fuzz tests at different levels of the system, encryption algorithm tests, or module-dedicated white/grey or black-box penetration tests.
Summary
A huge amount of money can be spent on system security. To avoid that, it is important to carry out a meticulous, in-depth analysis of the system in order to choose the best mechanisms and tests for its needs. It is good to know that although the field of security is very complex and expensive, investing in basic protection is still better than ignoring the issue. Keep in mind that technological awareness both among general users and governments is constantly growing. Underestimating the importance of security may quickly turn against you. We can already see the tendency of introducing governmental safety standards (see articles below) required for all devices distributed in the market. Not meeting them, not only will you suffer financial losses, but you will also be perceived as a delinquent and lose credibility among the users. So, let’s not trivialize the topic of security, because as the facts show, the threat is real and can affect us at any time.
Security for IoT designs is becoming a legal requirement — EDN Asia
IoT Security Threats & How To Defend Against Them — Smarthome
Automotive Cybersecurity Management System Assessment | TÜV SÜD Polska (tuvsud.com)
At Solwit, we always put system security high on our priority list. Over the last 10 years, we have completed projects that required compliance with very strict safety standards, also in accordance with the ISTQB standards.
Do you need a consultation? Do you want to check if your software is resistant to hacker attacks? Contact us!
About the author: Piotr Strzałkowski, Embedded Domain Manager with 10+ years of experience. He succeeded in projects with high-security standards (SIL 4) in systems used in automotive and railway solutions.