Embedded Security


An embedded device is a computer contained inside another device that typically performs a single function.

  • E.g., computer controlling a car, insulin pump, etc.

Uses for Embedded Devices

Industrial Control Systems

Industrial control systems and supervisory control and data acquisition systems commonly use embedded devices.

An industrial control system is any system controlling an industrial process.

  • often run on proprietary real-time operating systems (RTOS)
    • similar to a baseband OS
  • typically operate on air-gapped networks
    • no direct connections to the outside

A supervisory control and data acquisition system is a kind of industrial control system that specifically monitors and controls systems over long distances.

  • often related to utilities and other infrastructure

Medical Devices

  • Medical devices often run RTOSs with minimal user interfaces or specialized interface devices required to communicate with them
  • Vulnerabilities come from:
    • lack of standardization
    • secretive and proprietary nature of devices

Cars

  • Cars can have as many as 70 embedded devices communicating over a network to run a vehicle

The controller area network (CAN) bus is the network on which embedded devices in cars communicate.

  • aka canbus
  • developed in the 1980s to connect devices such as crash sensors placed all over the car, which watch for impacts and communicate across the network to the airbag control system
  • Vulnerable to attacks from hackers
  • Resources
    • The Car Hacker’s Handbook by Craig Smith

Areas of Embedded Security

  • Firmware Security
    • Ensuring firmware is not tampered with
  • Data Encryption
    • Encrypting data at rest and in transit
  • Hardware-Based Security
    • TPM chips and secure boot features
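
An added example, not part of the original notes, of the firmware tamper check named above: the device refuses an update image unless an authenticated manifest matches it. The HMAC key, manifest fields and function names are assumptions for illustration; production secure boot normally verifies an asymmetric signature with a key anchored in hardware such as a TPM.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real device keeps its key in hardware.
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def canonical(body: dict) -> bytes:
    """Serialize the manifest body the same way on both sides."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(image: bytes, version: int, key: bytes) -> dict:
    """Vendor side: describe the image and authenticate that description."""
    body = {"version": version, "size": len(image),
            "sha256": hashlib.sha256(image).hexdigest()}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_firmware(image: bytes, manifest: dict, key: bytes,
                    installed_version: int) -> str:
    """Device side: return "ok" or the reason the image is refused."""
    body, mac = manifest.get("body"), manifest.get("mac")
    if not isinstance(body, dict) or not isinstance(mac, str):
        return "malformed manifest"
    # Authenticate the manifest first, so no unauthenticated field is trusted.
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return "manifest authentication failed"
    if body.get("size") != len(image):
        return "size mismatch"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest.encode(), str(body.get("sha256")).encode()):
        return "image digest mismatch"
    # Refuse downgrades to an older, possibly vulnerable release.
    version = body.get("version")
    if not isinstance(version, int) or version < installed_version:
        return "rollback refused"
    return "ok"


if __name__ == "__main__":
    image = bytes(range(256)) * 4          # constructed stand-in for a firmware image
    manifest = sign_manifest(image, 5, DEVICE_KEY)
    print(verify_firmware(image, manifest, DEVICE_KEY, installed_version=4))
    patched = image[:10] + b"\xff" + image[11:]   # one byte altered
    print(verify_firmware(patched, manifest, DEVICE_KEY, installed_version=4))
```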

Embedded Device Security Issues

  • Upgrading embedded devices
  • Physical impacts

Upgrading Embedded Devices

  • The process of upgrading embedded devices can pose an interesting set of challenges:
    • Often can’t upgrade device at all
      • Difficult to do if you can
    • not typically networked, so can’t update them automatically

Physical Impacts

  • Many devices might impact human safety
  • little can be done to protect the physical world from the impacts of embedded devices other than applying updates or fixes from the manufacturer
  • try to fit a compensating control of some type to a specific situation
    • E.g., adding intervening layers of security, such as a firewall