Over the past few years, cybersecurity has entered the public consciousness thanks to attacks that had direct effects on consumers privacy. Attacking traditional Information Technology (IT) systems such as desktop computers and servers can almost be a trivial matter for attackers with even moderate skills. Thanks to the plethora of software tools available and the standardization of software languages, applications, and networking protocols; attacking IT systems and networks has become more science and less art (albeit there is always room for creativity and innovation for new ideas). In fact, one of the hottest new emerging software categories is attack simulation software that defenders can use to test their defensive countermeasures.
Embedded system security is much more nascent than its traditional IT system counterparts. Embedded systems have long benefitted from a few unique properties as security mechanisms. First, embedded systems often use more obscure communications protocols, relatively speaking, than traditional IT networks. The internet and intranets utilize protocols such as TCP/IP or UDP which have many software and hardware tools to automate their analysis and exploitation. Embedded protocols such as I2C, SPI, JTAG, CAN and others are only now becoming easier to exploit thanks to increasingly available and inexpensive tools. Prior to the mass availability of exploit tools embedded developers could rely on the comfort of a security through obscurity mindset.
Furthermore, the lack of remote access connectivity has meant that attackers would often need physical access to embedded systems to exploit them. The emerging era of the Internet of Things is changing that. More and more embedded devices have the processing horsepower and network connectivity to make them attractive targets even from afar.
So how can we as engineers and security professionals guard our IoT devices against the onslaught of cyber threats? Using the latest embedded hardware that includes security-centric features is a great start. But what if you want to test products that are already fielded? In either case, the best way to safeguard is to think like an adversary and use the tools they would use to see what vulnerabilities are exploitable. Furthermore, during so during the development phase is ideal as security can still be baked into the product vice bolting on a security apparatus afterward. Here is a look at some hardware tools security researchers are using that embedded developers might consider incorporating into test plans:
The Internet of Things heavily relies on wireless protocols. An unfortunate reality (from a security perspective) of anything involving radio waves is that all signals broadcast can be heard by not only the intended receiver but also unintended receivers. If an endpoint device relies on wireless signals to receive commands, then adversaries can insert themselves as seemingly legitimate transmitters of those control signals. The HackRF One is a Software Defined Radio (SDR) transceiver meaning that it can both receive and transmit signals. Furthermore, most of the signal demodulation and processing occurs in the software of a host computer. The HackRF hardware itself is really nothing more than a generic interface between an antenna and the central processing unit (CPU) of a laptop computer. Since the HackRF is a single piece of hardware and dynamically software reprogrammable then it can be used for testing a variety of wireless protocols. Aside from the need for different antennas based on the frequencies of interest, the HackRF one allows one to send and receive any signal between 1MHz and 6GHz. This means many popular bands (433MHz, 900MHz, 2.4GHz, and 5.8GHz) are open to engineers and security professionals to explore with only a few settings changes needed in the SDR software (such as GNU Radio).
IEEE 802.11 (colloquially referred to as Wi-Fi) is the de facto wireless networking protocol for IT. Many embedded devices, especially in the home automation space, still prefer mesh protocols like Zigbee or Z-Wave for device-to-device communication. Still, these products often rely on an Internet-connected hub to allow for remote control of the devices. Ultimately this means the devices are still vulnerable from IP-based attacks, albeit they are one step removed from a direct attack. These hubs often connect over Wi-Fi to make them convenient for the user both from a setup perspective (often via smartphone app) and convenience of placing the hub anywhere in the physical space.
Being able to sniff the traffic coming in and out of the hubs or inserting Man-in-the-Middle (MitM) attacks is possible with devices such as the Wi-Fi Pineapple. From a security perspective, being able to see what is contained in the wireless packet emanating from an IoT device, from an adversary’s perspective, is invaluable to ensure appropriate safeguards (e.g. encryption) are being utilized.
As with Wi-Fi, Bluetooth is a mainstay communications protocol of many modern consumer devices. Thus, provides a wireless attack vector for an adversary, though it is one that limited by the fact that proximity to the device under attack is required. The Ubertooth One is to Bluetooth communications as the Wi-Fi Pineapple is 802.11 Wi-Fi communications. The Ubertooth can sniff and inject Bluetooth packets to allow researchers to look for and potentially exploit vulnerabilities associated with the technology.
Near Field Communications (NFC) is a popular technology for wireless payments and access control devices. Their increasing ubiquity masks a reality that there are a vast number of different RFID and NFC protocols in use. Being able to quickly and easily move between different standards is crucial for security professionals and product developers who are supporting multiple vendors products. Being able to sniff the wireless communication between RFID reader and RFID tags allows us to reveal the underlying communication protocols and cryptographic algorithms. In turn, they can be studied to determine if there are any exploitable shortcomings in a vendor’s implementation in those protocols and algorithms. This can be very useful when vendors choose to implement custom, proprietary algorithms that are otherwise not well documented.
Black Magic Probe:
The first three tools were useful in situations where an adversary could get close but not necessarily in physical contact with an embedded device of interest. In general, physical access is game over for a would-be attacker as it opens a whole new set of potential vulnerabilities to exploit. The Black Magic Probe (BMP) lets us peek into the brains of a variety of microcontrollers. The BMP is extremely useful for system development and debugging but also has security implications as well. It’s debugging functionality (the GNU debugger GDB) allows a security researcher to see if a device’s firmware and/or memory contents can be dumped via the GDB dump command. Obviously, if possible then an adversary could use this to examine the firmware and look potential exploitable features such as hardcoded passwords.
“Side-channel attacks” are class of vulnerabilities that are in reality not so much “attacks” as they are exploits that take advantage of the physics that governs how a device works. As an example, if an adversary can monitor the power consumption of a device while it is performing encryption calculations it is possible to extract the encryption keys being used. This attack, known as Power Analysis Attack, gives an attacker a way to attack a device in a way that is very difficult to engineer away. On the flipside, this attack does require physical or near-physical access to the hardware. These attacks have been known and exploited for many years but until recently required hardware that cost tens of thousands of dollars. The Chip Whisperer Lite brings embedded developers and security researchers this capability for a few hundred dollars.
Looking to reach an an engaged audience of embedded professionals and enthusiasts? Advertise with Gears of Resistance and find your audience.
Michael Parks, P.E. is the owner of Green Shoe Garage, a custom electronics design studio and technology consultancy located in Southern Maryland. He produces the Gears of Resistance podcast to help raise public awareness of technical and scientific matters. Michael is also a licensed Professional Engineer in the state of Maryland and holds a Master’s degree in systems engineering from Johns Hopkins University.