Choizit goes on to blame, not the OpenSSL team, but the mindless OEM and ODM development teams who blindly use open source software with the assumption that it must be solid.
At Quadros Systems we have long been skeptical of the lemming-like move to open source without a commensurate look at what is really in the code. The lure of "free" software has blinded many to some of the inherent risks.
1. Does the ready availability of open source software and the ability by malicioius hackers to study it make it more prone to trapdoors and backdoors?
2. Do developers assume that because it is open source, thousands of others must have already checked out the code, so it must be safe?
In this new era of "the Internet of Everything" your embedded device may be more vulnerable than ever.
NOTE: OpenSSL was NOT used in the development of Quadros Systems SSL/TLS software.
Cyber security is one of the most critical topics for today's embedded development teams.
Security guru, Bruce Schneier, recently wrote in Wired Magazine about how vulnerable our connected devices really are. "These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them."
In related news Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers.
With more and more devices being connected to the Internet I thought I would review five
steps we recommend to our OEM/ODM customers to protect their embedded devices from attack:
- Be aware. This can happen to you. Hacking and intrusion can range from malicious fun by bored teenagers to coordinated attacks for terrorism or even industrial espionage. Don't think your deployed devices are immune from these threats. Do you have security policies in place? If not, start with an assessment of your vulnerabilities.
- Take common sense steps. Good security begins with avoiding stupid mistakes and the associated vulnerabilities. A few years back a hacker broke into the SCADA system of the South Houston water department. "I wouldn't even call this a hack," he said. "This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of [the automation system they used]...it's usually a combination of poor configuration of services, bad password choice, and no restrictions on who can access the interfaces."
- Investigate how to add security to your existing devices. Are your deployed devices able to be field-upgraded? There are many security measures that can be implemented: IP-layer security, encrypted access to applications, and firewall protection. The Achilles test suite from Wurldtech is a popular way to verify that your systems are safe from a variety of attacks including packet floods, port scanning, and spoofing. Quadros Systems is experienced in working with this test suite and in hardening the network interfaces and application. We have successfully helped our customers pass Achilles level 1 and level 2 tests with our software.
- Develop your new devices with security in mind. There is no excuse to build a product today that does not have at least basic security protections and the ability to upgrade in the field. Add security specifications to your product development plan. Talk with your customers about their security requirements.
- Add security management and event reporting to new devices. Many embedded devices today are visible to hackers but not to Enterprise Security Management Systems. One result of this is that a hacker can probe a device indefinitely without discovery. By adding a firewall and management agent, this situation can be reversed. Embedded devices can now be visible to enterprise management systems but not hackers.
And talk with us at Quadros Systems about how we can help you add security to your embedded device. We offer a range of protections including:
IP-layer security with Internet Key Exchange
Encryption for remote connections to the server
Firewall protection with available agent to connect to security information and event management systems
Certification Consulting. Achilles® Certification from Wurdltech provides an industry-leading benchmark for the development of the secure applications, devices and systems. It is part of the ISASecure EDSA Certification for Communications Robustness. Quadros Systems has successfully worked with our customers to pass Achilles Level 1 and Level 2 tests.
The Atollic® TrueSTUDIO® C/C++ embedded development suite for ARM® microcontrollers now offers debug visibility for the RTXC™ Quadros™ real-time operating system. Thirteen dockable windows provide deep insight into the status of the RTOS during a debug session.
This feature is included in Atollic TrueSTUDIO v4.1 which was just released last week.
Click on the images below for full-screen viewing.
Atollic® TrueSTUDIO® is the leading C/C++ development tool for ARM® developers, reducing time to market and increasing efficiency in your next embedded systems project.
Atollic TrueSTUDIO is based on one of the most widely used compilers in the world, thus providing proven and reliable code generation, compact code and high performance for ARM7™, ARM9™ and ARM Cortex™ projects. Atollic TrueSTUDIO conforms to open standards, such as the ECLIPSE™ IDE framework and the GNU toolchain, significantly reducing training and porting costs across teams and projects.
More information on Atollic TrueSTUDIO can be found here: http://www.atollic.com/index.php/truestudio
A recent thread in the Real Time Embedded Engineering Group on LinkedIn raised some interesting issues among developers when they were asked about their most difficult problem areas. Do these sound familiar?
- Unrealistic development schedules set by managers who don't understand development
- Deficient documentation of the processor
- Insufficient errata; struggling with a problem for two years, contacted the manufacturer with no result, and 1 year later there is the errata.
- Finding and resolving timing issues
- Weak or poor tools: debuggers, emulators
- Bosses expecting if I kneel or spend time with the device it may relent and start working
- Learning NEVER to use a device/processor/controller if there aren't many 'how to, why, when" questions on Google. The device is too good to be true or else you end being the only using and fighting the problem.
- Low level debugging and overall performance of the system
- Hardware/software co-development. Finding root causes when both the code and the hardware are suspect.
- A paucity of available low-level-embedded example code
- Hardware debugging, especially during software integration on a new design where all hardware unit tests showed OK but putting it altogether creates a side effect.
- A badly written device driver delivered with the H/W; caused havoc and a delay of more than 4 months
- S/W interface which was way too complex to interpret on an embedded system
Of course at Quadros Systems we would argue that starting with the right software platform can make a big difference. RTXC Quadros RTOS-based software is delivered fully integrated with working drivers and interfaces with a binding to your chosen tool environment. Start with the provided sample project and you are good to go. Our Release Notes with tool caveats can reduce the learning curve up front, and save valluable time when development crunch time begins. We know our customers save weeks, if not months, over developing a product using free or poorly tested software.
Use the button below to engage with us on your next product. Find out how Quadros Systems invests in your success.
As embedded and machine to machine (M2M) devices evolve, new issues are rapidly emerging that affect both legacy systems and those being planned. Network security is one of those.
Malicious attacks on Supervisory Control and Data Acquisition (SCADA) and other industrial control and smart grid networks are a major concern. Recently the Industrial Control Systems Cyber Security team noted that there are now several new, publicly available exploit tools that specifically target Internet accessible industrial control system and programmable logic controllers (PLCs). Targeted systems include those from Rockwell Automation, GE, and Schneider Electric. And this is just the beginning of an evolving threat with malicious hacking to industrial espionage, and even cyber-terrorism.
According to a new study from VDC Research security is the now the number three concern for M2M OEMs after cost and performance.
There is now an exposed soft underbelly in many deployed M2M systems that is vulnerable to hacking, denial of service (DoS) or other unwanted intrusion. Most of these systems were not designed to withstand the kinds of sophisticated cyber-attacks we are seeing today. According to VDC most engineers did not even considered security in their prior designs.
Even today embedded engineers are looking to add connectivity without factoring in the potential security risks. Many of these systems are home-grown and do not have the benefit of a commercial real-time operating system or proven security software.
Quadros Systems has been actively supplying security for M2M and embedded systems for many years. Our SSL/TLS package provides application level security to HTTP and FTP protocols. And our IPsec/Internet Key Exchange (IKE) package offers encryption security at the IP layer.
Last week we announced our most recent solution to address the network security: an embedded firewall. We have partnered with Icon Labs to offer three stage protection to customers using the RTXC Quadnet Ethernet-TCP/IP stack: static filtering, rules-based filtering and threshold filtering.
Floodgate Packet Filter has been used to provide security for industrial control applications, small footprint industrial firewall appliances and MCU based control devices. It provides Stateful Packet Inspection (SPI) and rules based filtering to protect embedded devices from real-world cyber-attacks. Rules-based filtering utilizes white-listing and black-listing to define system criteria such as port number, protocol, or source IP address for protection. Floodgate also features Stateful Packet Inspection (SPI) that provides dynamic packet filtering based on the state of the connection to a device.
The combined solution will add a layer of protection against threats such as packet floods, request storms, port scans, malformed IP packets and corrupted Ethernet frames. It is designed to meet ANSI/ISA/IEC/TS 62443 standards for cyber security. The system is designed explicitly for use in embedded devices with limited memory and processor speeds that require secure network implementation certified to standards such as the ISASP 99 which is measured by the Wurldtech Achilles® Test Platform.
Get more details on network security options from Quadros Systems:
IPsec/IKE and SSL/TLS
Network security solutions from Quadros Systems can be applied to current projects as well as legacy systems.
Kaivan Karimi of Freescale has written an excellent overview of the Internet of Things (IoT): "Will the Internet of Things (IoT) turn your smart phone into the center of the universe?"
We agree with his assessment that the smart phone may be one of the many hubs or gateways used to query or analyze Big Data from sensing and other smart devices but it is much more likely that Wi-Fi and Weightless will win out as the networks of choice for IoT over the LTE network (or its successors).
Wireless network operators are clearly positioning themselves as key players in the evolving IoT space as are Internet ISPs and cable providers. And Verizon is well positioned in telematics, as well.
But The IoT future is much larger than connecting consumer appliances and personal information devices. And it is larger than telematics. Karimi says that rolling out IoT is like rolling out the largest control data network in the world: Home Automation, Education, Supply Chain, Auto Safety, Security, Goods Tracking, Farms, Energy Management, Transportation, Health, Lighting--these are only some of the sub-networks that will form the massive IoT.
Chris Rezendez from INEX Advisors writes in the March 12 Issue of the Boston Business Journal, "IoT, M2M connected device solutions are about as broad as you can imagine. All form factor, configuration and functional footprint of unattended, headless, embedded and discrete devices with some combination of sensing, processing and communications."
Quadros Systems has been active in smart devices and intelligent gateways for many years. Our customers are already building out early IoT networks on factory floors, in smart buildings, in hospitals and clinics. And we have new developments underway for network security and enhanced wireless connectivity.
As Rezendez writes, "The people and organizations that heard the gun go off months, or years ago who are hard at work on the nth generation of their solution, expanding into their phase II markets, and simply going about the business of building out IoT and M2M markets."
Find out more about how Quadros Systems can help position you for success in this active and growing market space.
We have been asked many times why we provide full source code distribution with our real-time operating system. There are several reasons.
1. Developers new to using an RTOS or those who have not had experience with the RTXC Quadros RTOS can use the source code to get a better understanding of how the “magic” works.
2. Having the source code means you can compile the kernel code any way that you want, with any compiler switches (e.g. models, or options) that you need. The binary version usually comes built for a specific platform. It is either heavily optimized, which makes the kernel code virtually impossible to understand at assembly level, or un-optimized which hurts performance. With source, you can configure the kernel for your specific situation and requirements (e.g. small footprint or high performance)
3. Often during the development cycle, the application under test will crash in the kernel. The problem is not the kernel itself but is caused by a parameter that was passed to the kernel. Having kernel source code available can help you identify an application problem that manifests itself by corrupting or otherwise crashing the kernel.
4. When that new version of your compiler is released, your RTOS can immediately take advantage of it via recompilation - instead of licensing another binary version.
5. If you need technical support from us, it makes it easier for us to be able to step through the kernel source code over the phone than try to blindly walk through assembly code. Errors in your code can be more quickly identified.
In a recent discussion in a Linked-in group focused on software for medical devices a common theme among respondents was management’s lack of understanding about software development. Here are some of the complaints:
- No explicit development standards
- No configuration management process
- High level of quality practices are seen as a waste of time
- Don’t understand fundamental differences between software development and mechanical development
- Lack of a prototype phase to weed out the “science projects” from real products
- No understanding about the time it takes for good software development
- Management doesn’t understand that writing the code is only 20% of the total effort
- Little understanding of how changes in requirements affect the software
- Developers are not trained in key topics of FDA compliance and risk management
- Management does not provide the necessary resources or tools
What is your experience as a software developer or as a manager in a medical device company? Do you have a software development process? Coding standards? Do you work from a well-written requirements document? Does your company have a compliance manager?What kind of training have you had in FDA guidance or IEC 62304?
Some say that it is the duty of the software engineer to educate management. But all too often management doesn't want to hear it. What do you do in those situations?
Ignoring best practices when designing Class II or Class III medical devices will result in
- Products that do not pass audit
- Products that harm patients
Quadros Systems offers a real-time operating system for medical devices that has been developed to a strict product lifecycle and rigorously tested to ensure that it functions exactly as specified. This RTOS and comprehensive documentation suite can give you an solid starting point for your next medical device.
Follow these steps to develop a medical device on time and on budget:
- Save development time by using a solid, well-documented kernel, proven in use in hundreds of millions of devices
- Reduce risk of delays in audit by using a kernel that has been thoroughly tested to ensure that it meets all of its requirements and specifications
- Don't just sling code. Use a rigorous product development process for your own product beginning with a complete requirements document. It will make your life easier and will actually speed up development time.
Find out more about the medical device RTOS from Quadros Systems
Medical device manufacturers whose products support remote patient care and monitoring could see increased revenues this year. According to a new report issued by inMedica, the telehealth market will grow by 55 percent worldwide during 2013, in terms of device and service revenues.
A number of factors are combining to drive this increase
- The US government, as part of the Affordable Care Act has begun penalizing hospitals for readmissions (Medicare and Medicaid patients)
- Healthcare providers are looking to reduce readmission rates and track the progression of chronic diseases
- Healthcare payers are projected to increasingly adopt telehealth as a tool to reduce in-patient costs
- Overall industry goals to improve continuity of care while reducing the cost of delivering services
Theo Ahadome, senior analyst with InMedica remarked that, “For telehealth to succeed in reaching a wider audience, it needs to break out of being a niche market and become part of a comprehensive patient-care model...This is even more important in the post-acute care market where healthcare providers are more willing to pay for telehealth if it is part of a total post-acute care model.”
At Quadros Systems we expect this growth trend to continue as:
- the many pilot projects currently underway will be scaled to reach more patients;
- healthcare payers will begin to see the benefits of using this technology to reduce costs and improve outcomes;
- new service providers will emerge to help hospitals and clinicians implement new telehealth technology;
- healthcare providers will begin to invest in the infrastructure to support new remote monitoring capabilities;
- consumers will lobby their healthcare professionals for ways to get earlier diagnosis and treatment for disease;
Layoffs and hiring freezes are the order of the day at medical device companies. Many manufactures blame the 2.3% tax on revenues imposed on them as part of the Affordable Care Act (US). The tax, which became effective January 1, is estimated to collect more than $30 billion in taxes over the next decade.
In a recent survey by the Advanced Medical Technology Association (AdvaMed) of its members, 62% of the companies said they would have to deal with the cost of the tax by imposing layoffs or reducing hiring.
Analysts say that the tax is particulary onerous because it taxes revenues, not profits. Start-ups will be hit hard since they may not achieve profitablity in the first several years of operation. There is still a possibility that the US Congress may act to reverse the tax however the Obama administration argues that the tax is necessary to lower the cost of medical reform and expects that medical device companies will see more business going forward because of the many who are newly insured because of the affordable care act.
Other factors are also slowing growth at medical technology companies. Reuters reports that the sluggish ecomomy with accomanying job losses and loss of medical insurance is big factor in the weakness of the medical device sector.
If your engineering team has been affected by a RIF talk with one of us at Quadros Systems about how our combination of embedded software products and professional services can help keep your schedule on track. Contact Jim Yastic at +1 512-858-1970 to find out how we can help.
Get more information on the RTXC Quadros Safety Critical RTOS for medical devices