Security Risks of Embedded Systems

Wednesday, January 15th, 2014 by Michael Barr

In the words of security guru and blogger Bruce Schneier “The Internet of Things is Wildly Insecure — and Often Unpatchable”. As Bruce describes the current state of affairs in a recent Wired magazine article:

We’re at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself — as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.

It’s not unlike what happened in the mid-1990s, when the insecurity of personal computers was reaching crisis levels. Software and operating systems were riddled with security vulnerabilities, and there was no good way to patch them. Companies were trying to keep vulnerabilities secret, and not releasing security updates quickly. And when updates were released, it was hard — if not impossible — to get users to install them. This has changed over the past twenty years, due to a combination of full disclosure — publishing vulnerabilities to force companies to issue patches quicker — and automatic updates: automating the process of installing updates on users’ computers. The results aren’t perfect, but they’re much better than ever before.

But this time the problem is much worse, because the world is different: All of these devices are connected to the Internet. The computers in our routers and modems are much more powerful than the PCs of the mid-1990s, and the Internet of Things will put computers into all sorts of consumer devices. The industries producing these devices are even less capable of fixing the problem than the PC and software industries were.

If we don’t solve this soon, we’re in for a security disaster as hackers figure out that it’s easier to hack routers than computers. At a recent Def Con, a researcher looked at thirty home routers and broke into half of them — including some of the most popular and common brands.

I agree with Bruce and like to see a mainstream security guru talking about embedded systems. I recommend you read the whole article here.

2 Responses to “Security Risks of Embedded Systems”

  1. Alex M. says:

    I think this is a very hot topic, and society and even the most technical leaders don’t understand this!
    I work for a company that develops systems for industrial control applications. These systems are used by our customers for more than 10 years. If these systems must be opened, especially using the internet, then it’s necessary to protect the system at least for the average lifetime of this product. One way that is unavoidable in my opinion is frequent updating. The challenge is now to support this for more than a decade in an economic fashion for the manufacturers and the users of such systems. I don’t see that a lot of research is done in this area. I visited the SPS IPC Drive in Nürnberg, but even there the ZVEI – a research organization to support the electrical industry – doesn’t even understand this issue.

  2. Aaron K says:

    Alex brings up a good point above. In many embedded applications such as industrial control, marine or rail, the systems are in use for 10 plus years. Frequent updates are often at great inconvenience and/or expense. On the hardware side of things I have noticed that TPMs (Trusted Platform Modules) have become more prevalent over the past few years. Various embedded hardware manufacturers have either stand-alone modules or are integrating the chips and circuitry on their embedded SBCs as a feature.
