“Attack him where he is unprepared, appear where you are not expected.”
Sun-Tzu, Art of War
For much of the history of embedded systems, many product designers and engineers have had the luxury of building rather closed loop systems with little to no interaction with other systems. A so-called “security through obscurity” was perhaps not an unreasonable strategy. These days, with the more and more devices communicating and interacting with each other, that strategy is increasingly unsound. Consumer grade products that make up the Internet of Things market have been particularly vulnerable. Those products are highly cost sensitive so minimizing use of higher end components and more robust software development practices is key to competing in the marketplace. In addition, the long-term support of these products, such as continuous firmware updates, can vary greatly amongst OEMs. Even the most reliable tend to not support products more than 2 to 3 years. For example, Google has promised three years of updates for devices running a “long-term support version” of its newly released Android Things 1.0 platform. In all likelihood devices will continue to be used long after support and firmware updates end. This means the device will be susceptible to any attacks discovered after updates end.
Security in embedded devices is increasingly getting the attention it is due. Best practices are merging that are beginning to be codified by industry standards. Eliminating use of simple default passwords used across devices, disabling interfaces (e.g. JTAG and UART) on production ready products, and ensuring use of encrypted communications between devices are some ways manufacturers are making IoT devices more secure. But as is true with all technology security, it’s a cat and mouse game between creators of products and those looking to abuse hidden vulnerabilities. Attackers have many techniques at their disposal to gain control of a system:
- Breaking the encryption by exploiting weaknesses of the underlying mathematics or software bugs.
- Brute force techniques.
- Using social engineering techniques to get user to unwittingly giving away the encryption keys.
- Power Analysis Attack: When a device under attack (DUA) is performing calculations, such as AES
encryption, transistors are constantly turning on and off. During the switching of states, power is consumed which can be monitored externally from the microprocessor. By monitoring power consumption over many cycles, it is possible to make educated guesses on the encryption key used as part of the AES encryption algorithm. - Timing Attack: A set of attacks that measures the amount of time it takes to perform each step of a calculation to gain insight of the original input.
- Electromagnetic Attack: Similar to power analysis attacks but instead of measure the power being consumed, the DUA is monitored for electromagnetic radiation that emanates from the transistors as they perform calculations. The time-varying intensity of the electromagnetic field can be analyzed to recover encryption keys as well.
- Differential Fault Analysis: Introducing faults or glitches into the power rail or timing signals to cause the DUA to perform in an erratic, faulty manner. The corrupted outputs can be used to reverse engineer the algorithms and internal device state.
C
Looking to reach an an engaged audience of embedded professionals and enthusiasts? Advertise with Gears of Resistance and find your audience.