Embedded Device Security

Cyber security is one of the most critical topics for today’s embedded development teams.Security guru, Bruce Schneier, recently wrote in Wired Magazine about how vulnerable our connected devices really are. “These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.”In related news Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. With more and more devices being connected to the Internet I thought I would review five steps we recommend to our OEM/ODM customers to protect their embedded devices from attack: Be aware. This can happen to you. Hacking and intrusion can range from malicious fun by bored teenagers to coordinated attacks for terrorism or even industrial espionage. Don’t think your deployed devices are immune from these threats. Do you have security policies in place? If not, start with an assessment of your vulnerabilities. Take common sense steps. Good security begins with avoiding stupid mistakes and the associated vulnerabilities. A few years back a hacker broke into the SCADA system of the South Houston water department. “I wouldn’t even call this a hack,” he said. “This required almost no skill and could be reproduced by a two-year-old with a basic knowledge of [the automation system they used]…it’s usually a combination of poor configuration of services, bad password choice, and no restrictions on who can access the interfaces.” Investigate how to add security to your existing devices. Are your deployed devices able to be field-upgraded? There are many security measures that can be implemented: IP-layer security, encrypted access to applications, and firewall protection. The Achilles test suite from Wurldtech is a popular way to verify that your systems are safe from a variety of attacks including packet floods, port scanning, and spoofing. Quadros Systems is experienced in working with this test suite and in hardening the network interfaces and application. We have successfully helped our customers pass Achilles level 1 and level 2 tests with our software. Develop your new devices with security in mind. There is no excuse to build a product today that does not have at least basic security protections and the ability to upgrade in the field. Add security specifications to your product development plan. Talk with your customers about their security requirements. Add security management and event reporting to new devices. Many embedded devices today are visible to hackers but not to Enterprise Security Management Systems.  One result of this is that a hacker can probe a device indefinitely without discovery. By adding a firewall and management agent, this situation can be reversed. Embedded devices can now be visible to enterprise management systems but not hackers. And talk with us at Quadros Systems about how we can help you add security to your embedded device. We offer a range of protections including: IP-layer security with Internet Key Exchange Encryption for remote connections to the server Firewall protection with available agent to connect to security information and event management systems Certification Consulting. Achilles® Certification from Wurdltech provides an industry-leading benchmark for the development of the secure applications, devices and systems. It is part of the ISASecure EDSA Certification for Communications Robustness. Quadros Systems has successfully worked with our customers to pass Achilles Level 1 and Level 2 tests. ...