Embedded Systems Security

An Embedded System is a computer system that is designed for a single purpose, as opposed to a general-purpose computer system (e.g., a desktop or server computer) that is designed to perform multiple functions. As a general-purpose computer system, an Embedded System includes a computer processor, memory, storage, operating system, and input/output peripheral devices. An Embedded System is designed to optimize performance in terms of small form factor, low power consumption, and high throughput, while also providing the required functionality. [3]

Embedded Systems are all around us. In critical infrastructure (telecommunications, smart grids, water networks, air traffic control, space control, military, and so on), home appliances (TVs, phones, refrigerators, printers, sales machines, and so on), medical devices, automobiles, phones, credit cards, and so on. The table below provides some examples of Embedded Systems in use in our daily lives. [2]

Embedded Systems manage the collection, elaboration, and manipulation, and transmission of information. An example of an Embedded System is TLC devices (antennas, access points, routers, switches, etc.) They collect the signal from our cellular phone, transform and elaborate the radio frequency signal into the wired network electrical signal, and transmit voice and data (information) from the source to the receiver. Another example of an Embedded System is Smart TV. Through the integrated microphone and cameras, they can collect sounds and images, transmit this information to a provider to deliver a service to us (e.g., upgrade TV software, install a new application like Netflix or any other application, allow us to talk over Skype).

Embedded Systems and the amount of information they manage are growing dramatically, and today they are the major components and actors of what is called the Internet Of Thighs, Big Data, and Industry 4.0.

Embedded Systems Security

Embedded Systems collect, manipulate, manage, and transmit massive amounts of our information to third parties everywhere (vendors, government entities, marketing entities, and so on) and at any level (from critical infrastructures to home appliances). With the introduction and widespread use of Embedded Systems, information is no longer confined to isolated environments where physical separation and controlled access can provide adequate security. Embedded Systems with valuable information can be distributed across a large area, such as buildings, factories, or industrial plants, which can literally be spread all over the world.

Unfortunately, ensuring the security of information managed by Embedded Systems is not easy, is an open question, and may prove to be a more difficult long-term problem than security for desktop and enterprise computing today. Security concerns are nothing new in the world of Embedded Systems. However, as more Embedded Systems are connected to the Internet, the potential damage from such flaws grows dramatically. Internet connections make Embedded Systems vulnerable to intrusion and malicious attacks. Unfortunately, security strategies designed for business and desktop computing are insufficient for Embedded Systems. [4]

The primary causes of this lack of security for Embedded Systems are on the part of the manufacturer. They have limited hardware and software options, cut investments in security research to reduce production costs in order to compete in the market (security is expensive), and are resistant to sharing intellectual property (i.e., software) with independent third-party security analysts. Ensuring advanced security techniques for Embedded Systems results in higher costs, and customers are frequently looking for cheaper products and are unaware of and concerned about the potential security threats to the products they purchase. The lack of security analysis and the manufacturing companies’ low-cost market mentality is leading hackers to the exact environment they expect. [2]

The known attacks and hacks against Embedded Systems represent only a small portion of the overall threat landscape, and the main reasons for this are the researchers’ lack of specific skill, the high costs of security testing, and the non-disclosure agreement imposed by the vendors of these systems. Hardware, firmware/OS, communication stack, and embedded applications are the most common targets of Embedded System attacks. The main causes of Embedded System vulnerabilities are programming errors, infrequent firmware, and operating system security patch updates, a lack of access and authentication control, improper cryptography use, and a lack of secure configuration (hardening). The main effects of the attacks on Embedded Systems include denial of service, information leakage, financial loss, code execution, integrity violation, illegitimate access, degradation of the level of protection. [1]

Who controls information can control people

There is one more sneaky and extremely dangerous possibility why Embedded Systems cannot be secure and is the deliberate intent of manufacturers or service providers to illegally collect and manipulate our private and sensitive information.

“Knowledge is power. Information is power. The secreting or hoarding of knowledge or information may be an act of tyranny camouflaged as humility.” (Robin Morgan).

“The control of information is something the elite always does, particularly in a despotic form of government. Information, knowledge, is power. If you can control information, you can control people.” (Tom Clancy).

These famous words perfectly anticipated what we observed and observe every day. The Facebook – Cambridge Analytica scandal, the Russian interference in the 2016 US election, the US-China struggle for the new generation of telecommunications networks (named 5G), and the fake news, are just the tip of the iceberg of the worldwide disputes to dominate and manage information. These words also constitute the essence and meaning of Information Security, Cyber Security, and the National Privacy Acts. If we do not want to polarize or to concentrate power, and we do not want to be unnecessarily controlled, then we need our personal information is protected wherever they reside or pass through like Embedded Systems.

Conclusions

Embedded Systems are all part of our lives (from critical infrastructure to home appliances) and securing them is also a must in order to preserve our freedom. National governments and regulators should ensure that manufacturers producing Embedded Systems and service providers using Embedded Systems take all necessary measures to protect the information collected and managed by Embedded Systems. The European Community is moving (slowly) in this direction, but many other countries producing Embedded Systems that we continue to use are still very far away.

References

[1] Embedded Systems Security: Threats, Vulnerabilities, and Attack Taxonomy – Dorottya Papp, Zhendong Ma, Levente Buttyan – 2015.
[2] Embedded Systems: Security Threats and Solutions – Anik Barua, Mohammad Minhazul Hoque, Rubina Akter – 2014.
[3] Embedded Systems: Hardware, Design and Implementation – Krzysztof Iniewski – 2012.
[4] Embedded Security for Internet of Things – Arijit Ukil, Jaydip Sen, Sripad Koilakonda – 2014.
[5] Software Security – Andrea Desantis – 2020.