Embedded systems are in millions of products that we use every day. It’s easy to take for granted that I can unlock my front door from my phone while on vacation at the beach, and that my watch keeps track of the number of steps I take and my heart rate profile. But I don’t want other people to be able to unlock my door, see my heart rate profile, or hack into my home Wi-Fi. In other embedded systems, such as medical devices or industrial control systems, security breaches can have more serious consequences.
In fact, security is so important that the White House recently released a National Cybersecurity Strategy where developing security into IoT devices is highlighted as one of the strategic objectives. Additionally, the strategy proposes to shift liability for insecure products and services from the consumer to “those entities that fail to take reasonable precautions to secure their software”. Europe, too, will soon release regulations to require manufacturers to protect internet-connected devices from unauthorized access.
The motivation to consider security in all appropriate embedded devices couldn’t be clearer. Yet security has been neglected for too long in embedded systems. And what exactly does security mean for embedded systems?
Security in embedded systems is the effort to protect embedded devices from malicious access and use. From a Samsung refrigerator that allowed hackers to steal owners’ Google credentials to a temperature sensor in a fish tank at a casino exposing a database of “high rollers”, to smart toys potentially endangering children’s privacy, embedded systems are increasingly becoming targets of attacks. It is more important than ever to be able to trust that data is valid, and to prevent threats that can modify the system or its data.
Implementation of security in an embedded system can involve a range of measures, including encryption, secure boot, access control, secure communication protocols, and intrusion detection. These measures are designed to protect the system from various types of attacks, such as man-in-the-middle attacks, denial of service (DoS) attacks, and other forms of exploitation.
The level of security required in an embedded system depends on the application and the potential consequences of a security breach. For example, a medical device that controls the delivery of medication may require a higher level of security than a simple temperature sensor in a home thermostat.
A couple of things to keep in mind as we discuss embedded systems security:
- Security is never perfect. We have to assess the threats, risks, and costs associated with security and work to achieve a reasonable balance. And we have to continue to address security over the life of the product as the threat landscape evolves.
- Security is not free. While tools are improving and there are general best practices we’ll discuss below, it is necessary to do analysis for a specific product. This takes time and effort, and could have cost implications for the device itself.
Embedded systems present unique challenges to writing secure firmware. Security standards have been slow to provide guidance appropriate for embedded systems. Typical microprocessors used in embedded systems are constrained in memory and processing power and may not have the hardware required to perform the necessary encryption algorithms. Security features such as hardware accelerators and larger memory add cost to an already cost-constrained system.
In addition, embedded devices often connect directly to the internet but lack the firewalls and standard protections of your PC or phone. It is not always feasible to implement such features on an embedded system.
In summary, software engineers working on embedded systems need to ensure reasonable security is in place. Security is an essential consideration in the design, development, and deployment of embedded systems to ensure that they are protected against potential threats and maintain the safety and integrity of the system and its users.
To go deeper into this important topic, read our whitepaper, “Best Practices for Developing Secure Embedded Systems”, where we discuss in greater detail practical, cost-effective methods to provide appropriate security in embedded systems.
- Part 1: Incorporating security into embedded systems development
- Part 2: Threat modeling for embedded systems
- Part 3: Writing secure C code on embedded systems
If you are designing an innovative product and need help developing your embedded device with appropriate security measures, contact us to learn more about our capabilities.