The keys to secure embedded software development


In the last decade billions of connected devices have been created and adopted presenting an endless number of security challenges each day.

With Internet of Things (IoT) devices being integrated into homes, businesses, healthcare, factories and wearable technologies, there are a growing number of risks to our connected modern economy. With billions of new connected devices expected to enter the market in the next decade, the number of security risks is growing at an exponential rate and we need to address them.

The landscape has changed for embedded system developers who have to manage an increasing number and variety of embedded systems in the form of IoT devices that are connected to the network, internet or cloud.

With IoT devices being used in many different environments for different purposes, there are a host of use cases for embedded systems which provide a wealth of attractive opportunities for hackers. The opportunities are also present in vast quantities as IoT manufacturers are producing IoT devices at a rapid rate as they race to provide the best products to the market at competitive prices. This means that the consideration of security in the design often takes a back seat, creating an environment of growing, large quantities of connected devices with poor security levels.

As a result, a whole new class of attacks is now possible on smart home equipment such as home security systems and baby monitors which, while seemingly mundane, are a target for hackers. These types of devices present a vast array of risks when an opportunist who wants access to private data on the network knows how to obtain it.

Smart connected fridges that automatically reorder food that has run out, as well as home security cameras, have previously been a target for attackers to spy on victims or gain access to financial information. The only way to mitigate these risks is to ensure smart devices are properly secured and are reliable and safe to use. If embedded systems are not secured, they can easily become infected and conscripted into a botnet for malicious purposes.

Learning from the past

Identifying what can go wrong in each use case of a device is key to understanding what is needed to increase security to prevent the attacks from happening in the first place.

With the use of technology growing at a rapid rate and with security developers struggling to keep up with the levels of protection needed, there have been multiple successful attacks over the years from which key lessons have been learnt. For example, the Stuxnet virus in 2010 was a serious attack on critical infrastructure which compromised the software running on the Programmable Logic Controllers in the Iranian nuclear programme.

Similarly, five years later, in 2015, hackers gained access to the firmware within the Ukrainian power grid, which resulted in a temporary loss of power to 225,000 individuals. In both cases, the security of the systems involved was adequate at the time of design; however, when attacked, the systems were compromised because their defences no longer matched the sophistication of these cyber-attacks. With significant consequences possible, it is vital to understand what is necessary to prevent these attacks from happening today and in years to come.

With attacks becoming more sophisticated and more devices providing more opportunities for hackers, embedded systems must be kept up to date to remain secure. In order to reduce these vulnerabilities, embedded systems need to have secure updates integrated into the lifecycle of the software to protect the integrity of the device now and into the future.

Overcoming challenges

Embedded software developers play a critical role in mitigating the many risks possible in IoT devices by managing and protecting the integrity of their embedded systems and components.

In order to properly secure embedded systems, those systems must be designed with the needs of the device and the potential risks in mind. The level of risk must be identified first, because the greater the level of risk, the greater the level of security needed. With every device being unique, there is no single solution that can be applied to address the many types of attacks that are possible against IoT embedded systems. In addition, one solution cannot be relied on for the whole of an embedded system's lifecycle. System updates will be needed throughout the life of the device, and a process must be followed to ensure remote management of the integrity of the device.

An adaptive process

To secure software and firmware during the embedded system development process, there are a series of practices that Trusted Computing Group (TCG) recommends for a variety of unique devices.

Firstly, security must be built into all steps of the development process so that all potential weak points are considered. From there, a thorough threat analysis is recommended to identify which countermeasures will be needed during the design and maintenance of the embedded system. With new and emerging threats constantly appearing, a consistent approach to applying best practices for security, and improving them over time, will ensure the integrity of the device is maintained throughout its lifetime.

Using the latest technology and solutions, such as the TCG Trusted Platform Module (TPM), enables embedded system managers to verify the integrity of device software remotely, with 100 commands available in each TPM to take appropriate action when needed. The TPM can safeguard cryptographic keys and decrypt payloads, so that data in transit between the distribution server and the device can be symmetrically encrypted. This is essential to performing secure firmware updates that preserve device integrity and provide a high level of security.

Even when devices are compromised, they must still be capable of being updated so that the weakest link in the device, the part at risk of exploitation, can be detected and properly protected. The TPM also supports measurement and attestation capabilities when used alongside the CRTM (core root of trust for measurement) or DICE. This enables both local and remote attestation to detect failed updates, giving full transparency over device performance and integrity.
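The measurement-and-attestation idea above, as an added example that is not TCG's code or part of the original article: each boot stage is hashed before it runs and folded into a register the way a TPM PCR extend does, and a verifier replays the event log against a known-good ("golden") log. The firmware images, the component names and the half-written application image are all constructed for the demonstration; the register model is a simplified stand-in for a real PCR.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Measurement is one entry in a boot event log: the component that was
// measured and the SHA-256 digest of its image.
type Measurement struct {
	Component string
	Digest    [32]byte
}

// Extend folds a digest into a register the way a TPM PCR extend does:
// new = SHA-256(old || digest). Entries can only be appended, never
// replaced, so the final register value summarises the whole boot chain.
func Extend(register, digest [32]byte) [32]byte {
	return sha256.Sum256(append(register[:], digest[:]...))
}

// Measure hashes a component image before it runs, producing the log entry.
func Measure(component string, image []byte) Measurement {
	return Measurement{Component: component, Digest: sha256.Sum256(image)}
}

// Replay recomputes the register from an event log, starting from the
// all-zero reset value, and returns the final value.
func Replay(log []Measurement) [32]byte {
	var reg [32]byte
	for _, m := range log {
		reg = Extend(reg, m.Digest)
	}
	return reg
}

// Verify is the local-attestation check: the replayed register must equal
// the value recorded for the known-good (golden) configuration. On a
// mismatch it walks the log to name the first component whose digest
// differs, which is how a failed or tampered update shows up.
func Verify(log, golden []Measurement) (bool, string) {
	if Replay(log) == Replay(golden) {
		return true, ""
	}
	for i := range log {
		if i >= len(golden) || log[i].Digest != golden[i].Digest {
			return false, log[i].Component
		}
	}
	return false, "log shorter than golden log"
}

// Constructed images standing in for real firmware stages.
var (
	bootloaderV1 = []byte("constructed bootloader image v1")
	kernelV1     = []byte("constructed kernel image v1")
	appV1        = []byte("constructed application image v1")
	appV2        = []byte("constructed application image v2")
)

// GoldenLog is what the verifier expects after the v2 application update
// has been applied correctly.
func GoldenLog() []Measurement {
	return []Measurement{
		Measure("bootloader", bootloaderV1),
		Measure("kernel", kernelV1),
		Measure("app", appV2),
	}
}

// FailedUpdateLog models a device whose application update was
// interrupted: the image on flash is half new, half old (constructed).
func FailedUpdateLog() []Measurement {
	corrupt := append(append([]byte{}, appV2[:10]...), appV1[10:]...)
	return []Measurement{
		Measure("bootloader", bootloaderV1),
		Measure("kernel", kernelV1),
		Measure("app", corrupt),
	}
}

func main() {
	golden := Replay(GoldenLog())
	fmt.Println("golden register:", hex.EncodeToString(golden[:]))
	ok, culprit := Verify(FailedUpdateLog(), GoldenLog())
	fmt.Printf("failed-update device: ok=%v first mismatch=%q\n", ok, culprit)
}
```

Because the register is a hash chain, a verifier that holds only the golden register value can still detect the failure; it needs the full log only to say which stage went wrong. A remote attester would additionally expect the register value to be signed by a key the TPM or DICE layer holds, so the report itself cannot be forged by compromised software.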

Based on a careful analysis of the present and future needs and risk levels of the device when deployed in the field, the right technology can be selected to provide secure software and firmware updates. Before installing software updates, the origin and integrity of the software must be verified by the recipient. A properly secured update signing system is key to achieving this, but it is often overlooked, providing an opportunity for attackers to distribute malicious code by exploiting defects in the signing process.

To avoid this, a secure update signing system should use separate keys and certificates for signing production code and development code. It is also best practice to use reliable and trustworthy cryptographic algorithms and tools throughout the whole process. During this process of investing in the right technologies, it is also critical to invest in security training of people so the best practices can be consistently implemented.
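The recipient-side checks described in the two paragraphs above (verify origin and integrity before installing, and keep production and development signing keys separate), as an added example that is not part of the original article and not TCG's code. It uses Ed25519 from Go's standard library; the manifest layout, the `Device` type, the error values and the "constructed firmware image" bytes are all assumptions made for the demonstration, and the anti-rollback version check is an addition that goes slightly beyond what the text lists.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one update image. The signature covers the manifest,
// and the manifest binds the image through its digest, so version and
// image cannot be swapped independently.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// Bytes gives the canonical encoding that is signed and verified.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.Digest[:])
	return b
}

// SignedUpdate is what the distribution server delivers to the device.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// GenerateKeyPair stands in for provisioning a signing key; in practice the
// private half lives in an HSM or TPM on the build side, never on a device.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the server side of the update pipeline.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

// Device holds only the public key it trusts. A production device is
// provisioned with the production key, so an image signed with the
// development key is rejected even though it is otherwise well formed.
type Device struct {
	TrustedKey       ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("signature does not verify under the trusted key")
	ErrDigest       = errors.New("image digest does not match the signed manifest")
	ErrRollback     = errors.New("update is not newer than the installed version")
)

// Install performs the recipient-side checks in order: origin (signature),
// integrity (digest of the received image), then anti-rollback (version).
func (d *Device) Install(u SignedUpdate) error {
	if !ed25519.Verify(d.TrustedKey, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Image) != u.Manifest.Digest {
		return ErrDigest
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = u.Manifest.Version
	return nil
}

func main() {
	prodPub, prodPriv := GenerateKeyPair()
	_, devPriv := GenerateKeyPair() // separate key for development builds
	device := &Device{TrustedKey: prodPub, InstalledVersion: 1}
	image := []byte("constructed firmware image v2")

	fmt.Println("production-signed v2:", device.Install(Sign(prodPriv, 2, image)))
	fmt.Println("development-signed v3:", device.Install(Sign(devPriv, 3, image)))
	tampered := Sign(prodPriv, 3, image)
	tampered.Image = append([]byte{}, tampered.Image...)
	tampered.Image[0] ^= 0xff // image altered in transit, manifest untouched
	fmt.Println("tampered image:", device.Install(tampered))
	fmt.Println("rollback to v1:", device.Install(Sign(prodPriv, 1, image)))
}
```

The order of the checks matters: the signature is verified first so that an unsigned or wrongly signed manifest is never consulted for anything, and the version is updated only after every check passes, so a rejected update leaves the device state untouched.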

The trustworthiness of the tools and libraries used at each step of embedded system development must also be considered, so that the integrity of the system is not compromised along the way.

Finally, a careful process of risk identification and incident response is key to quickly identifying and responding to new risks, thus mitigating their impact as much as possible.

Overall, by establishing a process for securing embedded system development and reacting to vulnerabilities when needed, developers can ensure that their customers and employers are protected from threats that may emerge now and in the future.

Author details: Steve Hanna is co-chair of TCG's embedded systems, IoT and Industrial Works Group