Is open source software safe to deploy? Damien Choizit has written a thoughtful opinion piece in Software Development Times in the aftermath of the Heartbleed OpenSSL debacle. He writes, “the question on everyone’s mind is, ‘What does this mean for open-source software development?’ The truth of the matter is, Heartbleed wasn’t the real problem. Rather, it was with how we currently view and deploy open-source and outsourced code.” Choizit goes on to blame, not the OpenSSL team, but the mindless OEM and ODM development teams who blindly use open source software with the assumption that it must be solid. At Quadros Systems we have long been skeptical of the lemming-like move to open source without a commensurate look at what is really in the code. The lure of “free” software has blinded many to some of the inherent risks. 1. Does the ready availability of open source software and the ability by malicioius hackers to study it make it more prone to trapdoors and backdoors? 2. Do developers assume that because it is open source, thousands of others must have already checked out the code, so it must be safe? In this new era of “the Internet of Everything” your embedded device may be more vulnerable than ever. ...
Embedded Device Security
Cyber security is one of the most critical topics for today’s embedded development teams.Security guru, Bruce Schneier, recently wrote in Wired Magazine about how vulnerable our connected devices really are. “These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.”In related news Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. With more and more devices being connected to the Internet I thought I would review five steps we recommend to our OEM/ODM customers to protect their embedded devices from attack: Be aware. This can happen to you. Hacking and intrusion can range from malicious fun by bored teenagers to coordinated attacks for terrorism or even industrial espionage. Don’t think your deployed devices are immune from these threats. Do you have security policies in place? If not, start with an assessment of your vulnerabilities. Take common sense steps. Good security begins with avoiding stupid mistakes and the associated vulnerabilities. A few years back a hacker broke into the SCADA system of the South Houston water department. “I wouldn’t even call this a hack,” he said. “This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of [the automation system they used]…it’s usually a combination of poor configuration of services, bad password choice, and no restrictions on who can access the interfaces.” Investigate how to add security to your existing devices. Are your deployed devices able to be field-upgraded? There are many security measures that can be implemented: IP-layer security, encrypted access to applications, and firewall protection. The Achilles test suite from Wurldtech is a popular way to verify that your systems are safe from a variety of attacks including packet floods, port scanning, and spoofing. Quadros Systems is experienced in working with this test suite and in hardening the network interfaces and application. We have successfully helped our customers pass Achilles level 1 and level 2 tests with our software. Develop your new devices with security in mind. There is no excuse to build a product today that does not have at least basic security protections and the ability to upgrade in the field. Add security specifications to your product development plan. Talk with your customers about their security requirements. Add security management and event reporting to new devices. Many embedded devices today are visible to hackers but not to Enterprise Security Management Systems. One result of this is that a hacker can probe a device indefinitely without discovery. By adding a firewall and management agent, this situation can be reversed. Embedded devices can now be visible to enterprise management systems but not hackers. And talk with us at Quadros Systems about how we can help you add security to your embedded device. We offer a range of protections including: IP-layer security with Internet Key Exchange Encryption for remote connections to the server Firewall protection with available agent to connect to security information and event management systems Certification Consulting. Achilles® Certification from Wurdltech provides an industry-leading benchmark for the development of the secure applications, devices and systems. It is part of the ISASecure EDSA Certification for Communications Robustness. Quadros Systems has successfully worked with our customers to pass Achilles Level 1 and Level 2 tests. ...
Are security issues lurking in your embedded device?
s embedded and machine to machine (M2M) devices evolve, new issues are rapidly emerging that affect both legacy systems and those being planned. Network security is one of those. Malicious attacks on Supervisory Control and Data Acquisition (SCADA) and other industrial control and smart grid networks are a major concern. Recently the Industrial Control Systems Cyber Security team noted that there are now several new, publicly available exploit tools that specifically target Internet accessible industrial control system and programmable logic controllers (PLCs). Targeted systems include those from Rockwell Automation, GE, and Schneider Electric. And this is just the beginning of an evolving threat with malicious hacking to industrial espionage, and even cyber-terrorism. According to a new study from VDC Research security is the now the number three concern for M2M OEMs after cost and performance. There is now an exposed soft underbelly in many deployed M2M systems that is vulnerable to hacking, denial of service (DoS) or other unwanted intrusion. Most of these systems were not designed to withstand the kinds of sophisticated cyber-attacks we are seeing today. According to VDC most engineers did not even considered security in their prior designs. Even today embedded engineers are looking to add connectivity without factoring in the potential security risks. Many of these systems are home-grown and do not have the benefit of a commercial real-time operating system or proven security software. Quadros Systems has been actively supplying security for M2M and embedded systems for many years. Our SSL/TLS package provides application level security to HTTP and FTP protocols. And our IPsec/Internet Key Exchange (IKE) package offers encryption security at the IP layer. Last week we announced our most recent solution to address the network security: an embedded firewall. We have partnered with Icon Labs to offer three stage protection to customers using the RTXC Quadnet Ethernet-TCP/IP stack: static filtering, rules-based filtering and threshold filtering. Floodgate Packet Filter has been used to provide security for industrial control applications, small footprint industrial firewall appliances and MCU based control devices. It provides Stateful Packet Inspection (SPI) and rules based filtering to protect embedded devices from real-world cyber-attacks. Rules-based filtering utilizes white-listing and black-listing to define system criteria such as port number, protocol, or source IP address for protection. Floodgate also features Stateful Packet Inspection (SPI) that provides dynamic packet filtering based on the state of the connection to a device. The combined solution will add a layer of protection against threats such as packet floods, request storms, port scans, malformed IP packets and corrupted Ethernet frames. It is designed to meet ANSI/ISA/IEC/TS 62443 standards for cyber security. The system is designed explicitly for use in embedded devices with limited memory and processor speeds that require secure network implementation certified to standards such as the ISASP 99 which is measured by the Wurldtech Achilles® Test Platform. Get more details on network security options from Quadros Systems: Embedded Firewall Application Security (SSL/TLS) IP layer Security Achilles Test Suite Consulting Services ...