A Primer for Embedded Systems Security in 2019

Experts in computer and network security might be surprised to learn that embedded systems have significantly different security requirements than they are used to implementing. Embedded systems that are deployed into the field and expected to function for long periods of time with infrequent service need robust and reliable security features.

To get you thinking about how to secure your embedded system, we've highlighted some of the most important and commonly implemented embedded security features below. Secure boot, embedded firewalls, device intrusion detection and device tampering detection offer protection from many different types of physical, hardware-based and software-based attacks.

Secure Boot

Establishing a secure boot process is one of the first and most important steps towards securing any embedded system. In a secure boot, OS boot images and code are first authenticated against the hardware before they can be used in the boot process. This is achieved using a cryptographically signed code that can be implemented by the device manufacturer - read our page about signed and unsigned drivers to learn more about security signatures.

To establish a secure boot, engineers configure the embedded hardware such that it will only authenticate code that is generated using the desired security credentials. Even if someone were to write alternate software to interfere with the device, that software could not be initiated on the device hardware because of the secure boot feature.

Some embedded processors offer a one-time programmable system for establishing a secure boot feature. In this system, root keys are generated from an SSL certificate, hashed and burned into the CPU. Once a secure root key has been burned into the processor, it can never be changed, ensuring that the system will always be protected. Boot images are also signed against the burned key, and the generated data is combined with the boot image. This creates a perfect one-to-one match between the boot image and processor that must be satisfied to initiate a secure boot.

When the system boots, the processor conducts a series of checks between the burned key, your image key, and the boot image. If everything matches, the bootloader is initiated and the device can launch its operating system - otherwise, the device will fail to boot.

Embedded Firewalls

An embedded firewall sounds a lot like the kind of network security protocol you might use to protect personal or enterprise assets from cyber attacks, however the firewalls we are most familiar with are not designed for embedded systems - they protect against enterprise-specific threats, not industrial or commercial protocols.

Many embedded systems lack at least some essential operating system security features, often to reduce memory or power consumption, or for simplicity, but that's why it can be doubly important to implement a firewall. A firewall is anything that prevents unauthorized access to your embedded device - it can block certain services, drop unauthorized traffic, and generally controls what devices or servers can communicate with your embedded device.

Packet filter firewalls operate in the network layer of the TCP/IP protocol stack, examining the header of every packet and ensuring that only packets which conform to the established policies can be transmitted between devices. Engineers must establish policies or rules, to ensure that the correct packets can be transmitted while nefarious packets are detected and blocked from being transmitted.

Application-layer firewalls operate in the application layer of the TCP/IP protocol stack. A firewall in this layer can intercept packets sent to or from a specific application while blocking other packets that are not application-related. When engineers fail to implement application-kernel separation as a security feature, application-layer firewalls can prevent the transmission of packets to the kernel. Unfortunately, application-layer firewalls demand a lot of processing power, so they may not be suitable for all embedded devices.

This image represents a packet filter firewall that functions in the network layer of the TCP/IP protocol. This type of firewall ensures that only packets which conform to established policies can be transmitted on the network. All communications and devices on the network can be protected by a packet filter firewall, preventing nefarious external actors from transmitting packets on the network.

Device Tampering Detection

Device tampering detection is an embedded systems security feature that can actively detect threats against the device. Tamper detection features enable a device to sense an active attempt to physically open the device, steal data from the device, or otherwise attack the device using software, radiation, or other methods.

Embedded systems engineers design tamper detection systems based on their perceptions of threats and risks to the device. These systems consist of a suite of sensors each attuned to a specific type of threat. Embedded systems can be attacked through numerous vectors, including changing the input frequency or voltage, using radiation or by changing the external temperature. These attacks are generally intended to make the device malfunction, which could make it fall back to a command prompt and give the attacker unfettered device access.

Embedded systems may also be vulnerable to physical penetration - where an attacker actually opens the device to alter it or steal data. Engineers can protect against physical penetration of their devices by using obscure fasteners or strong-adhesive glue in assembly, ensuring that devices are difficult to open.

When a device tampering detection system senses a threat, the device may be able to initiate a response before the tampering is successful. If the device is connected to a network, including through the IoT, it may be able to send a notification or some data indicating that tampering has been detected. The device owner can then review the notification and inspect or repair the device.

Intrusion Detection and Security Monitoring

Intrusion detection systems are used to alert the device owner when a nefarious actor is attempting to bypass the security mechanisms of a device by exploiting a hardware or software vulnerability. Intrusion detection works by monitoring the embedded system and its associated networks for suspicious activity that doesn't match up with normal operations. Unexpected access, activity, changes to the code, irregular data transmissions or the presence of new hardware could all trigger intrusion detection system and indicate an attack on the device.

Intrusion detection systems can be either host-based or network-based. A network-based IDS monitors all incoming and outgoing data traffic on the network, protecting all of the connected devices. A host-based intrusion detection system is installed directly onto the device and monitors what applications are doing on the device, communications between applications on the device and communications between applications and the device operating system.

There are three techniques commonly used for intrusion detection:

Signature-based Intrusion Detection - Signature-based detection relies on a predefined model of attacks, including information like the sequence of events and size of packets that constitute a specific type of attack. These systems are useful for protecting from certain types of attacks for which models can be established, but the system must be updated with new models to retain their effectiveness in detecting attacks.

Anomaly-based Intrusion Detection - Anomaly-based systems use statistical analysis to identify abnormal activities or communications within the system. Anomaly-based systems do not depend on predefined models of attacks, rather they compare the system's state to a predefined model of system normalcy and detect a threat when activities on the system are deemed "anomalous".

Specification-based Intrusion Detection - Specification-based intrusion detection systems are based on specifying the normal behavior of the system. When the system's behavior is incongruous with its design and implementation, this serves as an indicator that an intrusion has occurred. Specification-based models can use up an excessive amount of memory, but they are effective at detecting new attacks and do not require updates. Engineers use programmers and host adapters to program specification-based intrusion detection systems.

Summary

These are just a few of the most important security features that can be implemented on embedded systems, but there's still so much more to learn. Encrypted data storage, encrypted communication, secure code updates, and authentication are all important additional tools for ensuring that your devices, and the data contained within them, are protected from nefarious actors.

Total Phase products can help engineers throughout the product life cycle, including the development of functional and effective security features.