Embedded systems power lots of technology around us, from microwave ovens to aircraft. The typical modern car contains around 100 control units, which are groups of embedded devices. Embedded systems are popular targets for hacking, as they provide hackers with access to all the data they generate, process, and transmit.
Protecting embedded systems is quite a challenge, however, because of their many limitations. To create effective and secure software for such systems, developers need deep knowledge of and extensive experience with embedded solutions.
In this article, we analyze the twelve most common techniques used to attack embedded systems and ways to mitigate these attacks. We also provide eleven best practices to improve the overall security of embedded systems.
An embedded system is a combination of embedded devices that are located within a larger mechanism. Such a system is dedicated to executing one specific task, which sets it apart from any other system of devices. For example, a laptop has lots of embedded systems that control its performance, but it isn’t an embedded system itself because a laptop can perform various tasks.
Generally, an embedded system consists of a CPU, memory, and a peripheral device. In modern systems, those are united into a microcontroller (all three components are on the same chip) or a microprocessor (which uses external memory and an external peripheral to save costs and reduce power consumption). The combination and capacity of devices vary depending on the purpose of each system.
An embedded system is governed by integrated software that determines the behavior of the embedded devices. Usually, developers can interact with embedded software via a user interface, but systems with severe limitations may not support this.
The key benefit of embedded systems is their ability to work in real time, solving their task with no or little delay. Such performance is achieved by optimizing system resources and hardware to perform one activity. Because of this optimization, using an embedded system is cheaper and less power-consuming than building a more complex device.
With the correct software, embedded systems can behave predictably and perform well in any environment. These systems are also convenient for hardware engineers, as embedded devices are small and need few external connections.
The drawbacks of embedded systems also arise from their compactness and dedication to a single task. First off, limited computing power and memory put developers in a challenging position. They need specific skills and experience to create software that makes an embedded system performant, stable, and secure.
Secondly, embedded systems virtually don’t scale, as they usually have computing power only sufficient for the current load.
Last but not least, power limitations, an emphasis on performance, and the very nature of embedded systems may create security vulnerabilities. We’ll investigate the root causes and types of these vulnerabilities below.
A vulnerability in embedded system security provides hackers a chance to gain access to confidential information, use an embedded system as a platform to execute further attacks, and even cause physical damage to devices that can potentially lead to human harm. Taking into account that embedded systems are components of extremely expensive and valuable machines, the possibility to hack these systems lures lots of hackers. That’s why securing embedded systems is extremely important.
Yet implementing security measures in embedded systems is connected with numerous challenges:
- Power and memory limitations narrow the number of cybersecurity applications an embedded system can run.
- Development expertise is required to create embedded software and design hardware with security in mind.
- Network connectivity and poor access control is common for embedded systems.
- Physical exposure allows hackers to study a system as long as they need.
Attacks on the security of an embedded system may have drastic results. Let’s take a look at several examples.
The most common examples of embedded system exploits are hacks of consumer electronics such as GPS devices, video cards, Wi-Fi routers, and gaming devices. These hacks are usually possible because manufacturers don’t protect their firmware. As a result, almost anyone with a little technical knowledge can gain access to premium features or overclock a device.
In 2018, ethical hackers found Meltdown and Spectre hardware vulnerabilities that affect all Intel x86 and some AMD processors. Both vulnerabilities mess up isolation between user applications, giving applications access to sensitive data and expanding the attack surface. Both Linux and Windows developers have issued patches for their operating systems that partially protect devices from Meltdown and Spectre. However, lots of devices (especially old ones) running on vulnerable processors are still unprotected.
As we mentioned above, machines of any size and complexity may become vulnerable because of unsecured embedded systems. For example, the firmware of the Crew Information System/Maintenance System and Onboard Networking System of the Boeing 787 is vulnerable to buffer overflow, memory corruption, stack overflow, and denial of service attacks. In case of a successful attack, a hacker could obtain personal information on pilots or compromise the avionics network.
Military equipment also can suffer from attacks on embedded systems. For example, hackers could shut down the Trusted Aircraft Information Download Station on the F-15 fighter jet. This embedded device collects data from video cameras and sensors during the flight, giving pilots navigation data.
Embedded systems are a great foundation for implanted medical devices. These devices have to be small, long-lasting, and operate in real time. But they’re also susceptible to hacking, as was discovered by a group of ethical hackers who researched devices produced by Medtronic. The vulnerabilities they discovered in Medtronic insulin pumps and pacemakers could interrupt or stop the devices or let a hacker control them.
With this in mind, let’s discuss the most common attacks on embedded software, networks, and devices as well as possible protection measures.
Attacks on embedded systems can be divided into three categories depending on their targets:
Let’s find out key characteristics of, common examples of, and possible countermeasures against these types of attacks.
Software-based attacks target the brains of the system — the application that manages the devices. A successful attack on software allows a hacker to access data or gain control over an embedded system.
Searching for vulnerabilities in software design and code is the most popular vector of attack because it’s possible to conduct such an attack remotely. Also, a software-based attack doesn’t require specific knowledge from hackers, as they can use typical attacks like deploying malware and brute-forcing.
The most widespread software-based attacks involve:
- Brute-forcing access
- Overflowing the memory buffer
- Exploiting a web service
Malware attacks on embedded systems work the same way as with any other system: a hacker deploys a piece of malicious code that tries to intercept the data stored inside the system, take control over the victim system, or harm it. Usually, hackers fake firmware updates, drivers, or security patches to deliver malware.
To prevent such attacks, you can implement one of these protective measures:
- Apply a blacklisting approach in which the developer creates a signature for any new piece of malicious software a system detects and adds those signatures to embedded system firmware. When the system detects software with a known signature, it will not run it.
- Use whitelist protection that creates a specific signature for all trusted software sources. This allows the system to run only software with the proper signature.
Honeypots as a Method of Malware Detection
Brute-forcing access credentials is, to put it simply, the process of guessing them. Most embedded systems provide remote access to a graphical user interface (GUI) that hackers can exploit. You can prevent brute-forcing attacks by using strong passwords and limiting the number of login attempts.
Memory buffer overflow is a type of attack when hackers manually overflow the buffer of memory allocated to contain data that moves inside an embedded system. Hackers deploy exploits that swamp the memory buffer with too much data. In this case, the embedded operating system will record some of that data to memory sections located next to the buffer. Recorded data may contain shellcode or other exploits that help hackers obtain credentials and elevate their access rights.
This issue is solved by creating a sandbox that isolates overflowing data from the system. Keep in mind that your sandbox has to be quite sophisticated, though, as lots of modern exploits use sandbox-evading techniques.
This type of attack exploits network infrastructure vulnerabilities and can also be performed remotely. Using these vulnerabilities, hackers can listen for, intercept, and modify traffic transmitted by an embedded system.
Let’s take a look at the most common network-based attacks:
- Man in the middle (MITM)
- Domain name system (DNS) poisoning
- Distributed denial of service (DDoS)
- Session hijacking
- Signal jamming
An MITM attack is used to intercept or alter data transmitted by an embedded system. To execute it, hackers change the connection parameters of two devices in order to place a third one between them. If hackers can obtain or alter the cryptographic keys used by both devices, they can eavesdrop in a way that’s very hard to detect as it causes no disruption in the network.
An MITM attack can be prevented or stopped by encrypting transmitted data and using the Internet Protocol Security (IPsec) to securely transmit keys and data.
DNS poisoning forces a local DNS server to modify its records according to a hacker’s needs. A DNS server converts human-memorable domain names and hostnames into corresponding IP addresses. By using a DNS server’s vulnerabilities and poisoning its cache, hackers can reroute traffic from a targeted website to any other address.
The Domain Name System Security Extensions (DNS SEC) protocol protects DNS servers from poisoning by digitally signing any data published or transmitted by a DNS.
DDoS is a well-known attack that makes a system unavailable by overflowing it with requests from various sources. Such attacks are hard to stop because requests come from a vast number of IPs. There’s no universal protection against DDoS attacks. However, adding a firewall along with traffic analysis and filtering algorithms to your embedded software will greatly increase the chances of preventing DDoS attacks or detecting them in a timely manner.
Session hijacking is similar to an MITM attack but has a different goal: the hacker listens to embedded system traffic to obtain authentication credentials. There are various ways to execute hijacking: fixating a user session identifier, stealing a session cache, cross-site scripting, and more.
The protection from this type of attack is classic: encrypt credentials and any data that may contain them, change credentials regularly, and dispose of any session-related data when a session is over.
Signal jamming is common for wireless networks. With this technique, hackers create interference in the network to jam or distort communication from a device. Depending on the type of jammer, it can jam any communication on the channel, start working when a targeted device transmits data, or be activated upon detection of specific packets. Such an attack can make an embedded system unavailable.
To stop signal jamming, deploy an anti-jamming mechanism [PDF] that suits your software. Keep in mind that this protection measure will also protect your embedded system from unintentional jamming caused by other devices.
Side-channel attacks intend to use hardware security flaws in embedded systems to hack them. A side-channel attack is the hardest and most expensive type of attack, as it requires precise knowledge of the hardware design and physical availability of the target system. To carry out a side-channel attack, hackers gather information on system power consumption, electromagnetic leakage, operation timing, etc.
As a result, they may work out the internal operation of a system and connected devices, steal cryptographic keys, or even gain control over the system.
Here’s a list of the most common side-channel attacks:
- Power analysis
- Timing attacks
- Electromagnetic analysis
A power analysis attack requires physical access to an embedded system in order to probe its connections and detect changes in power consumption. These changes depend on the data processed by the system, so hackers may detect when a system processes a particular type of information and intercept it. To prevent this attack, use data masking techniques to modify sensitive content and make it look like unimportant data.
Timing attacks are based on the timing of embedded system operations. They’re used to gain information such as applied cryptographic algorithms, data-dependent differences in instruction times and code branches, cache access times, and more. This type of attack also requires physical access to a device and deep knowledge of embedded system architectures.
As timing attacks strongly depend on linear and predictable software operation, you can prevent such attacks by using randomizers to shuffle activities in the idle cycle. This will make analysis of embedded systems based on timing extremely challenging.
Electromagnetic analysis provides hackers another way to look inside embedded software without hacking it. Hackers can use electromagnetic analysis to record and analyze emissions from a device, figure out its cryptographic operations, and even extract secret keys. This is the most time-consuming and costly type of attack as it requires:
- physical proximity to an embedded system
- information on the layout of the device the system is embedded into
- isolation from other devices to protect the system from electromagnetic interference
A hardware designer can make collecting an electromagnetic signal difficult by reducing the signal strength or adding physical protection (e.g. using certain types of glue or circuit and wire shielding). Randomization and interruptions of encryption processes are also effective countermeasures against electromagnetic analysis.
IoT Toys: A New Vector for Cyber Attacks
The cybersecurity measures for embedded systems we discussed above can help you prevent or stop particular types of attacks. But you can never be too careful, right? In the next section, we offer eleven recommendations for effectively protecting embedded hardware and software.
Before you start coding, study industry standards for embedded software development to discover effective security measures and development practices. For example, pay attention to:
- OWASP Embedded Application Security
- IEEE standards
- Foundational Cybersecurity Activities for IoT Device Manufacturers [PDF] by NIST
- Embedded System development Process Reference guide [PDF] by IPA
It’s possible to make your protection even more reliable at all stages of development from design to support by following these practices:
Design and software configuration
- Use safe languages. Research the embedded software development standards for the language of your choice before writing the first line of code. For example, if you’re going to use C or C++, study MISRA-C/C++ first.
- Enable secure boot. This feature allows a microprocessor to verify the cryptographic key and location of the firmware before executing it. To enhance this protection, you can also enable a processor’s trusted execution environment feature, which creates a secure region in the microprocessor to store firmware.
- Disable insecure and non-essential services. To define such services, you need to analyze the operation of your system. Usually, the list of such services includes Telnet and Trivial File Transfer protocols, the debug agent, open ports, etc.
Memory and application security
- Restrict memory allocation. Implement a memory management unit to allocate a sufficient amount of memory for the buffer, operating system, and applications. A memory management unit helps to maintain the balance of the embedded system’s operation and prevents memory buffer overflow. Also, switch memory to read-only mode wherever possible.
- Create partitions. Separating important parts of the embedded system like the operating system, GUI, and security applications into different partitions helps to isolate them from each other and contain an attack. Partitions can be both physical and virtual [PDF].
- Implement access control. Unprotected access to any part of an embedded system is an open invitation for a hacker. To secure your access points, use strong credentials and encrypt them, implement the principle of least privilege, and enable identity verification wherever possible.
- Secure communication channels. Implement IPsec, DNS SEC, SSH, or SSL protocols, and use a VPN to protect any communications with embedded systems. It’s also a good practice to deploy a firewall to filter traffic.
- Encrypt everything. All firmware updates, transmitted and handled data, and stored credentials have to be encrypted. Use cryptographic signatures to verify files obtained from trusted sources and detect suspicious modifications.
- Obfuscate object code. Obfuscation is the process of making your code entangled and unclear for hackers yet executable for an embedded system. It’s even possible to speed up code execution by obfuscating it. This measure will make it harder for hackers to reverse engineer your code.
Release and support
- Conduct an end-to-end threat assessment. A complete security assessment includes:
- performing a complete lifecycle analysis and identifying potential threats from the viewpoints of the device manufacturer, software developer, and end user
- creating a risk matrix and estimating the likelihood of and success rate of an attack via each possible channel
- simulating a hacker attack on your own or performing black-box penetration testing
- Update the software regularly. No matter how hard it is to develop software for old embedded systems, it’s always beneficial to do so. In new software versions, you can roll out additional security measures to counteract new types of attacks or patch a vulnerability (if you discover one after the product is released). Don’t forget to add blacklisting and whitelisting protection as discussed above. These approaches will prevent the installation of software from untrusted sources.
With these practices in place, you can make it much harder for a cybercriminal to compromise your software for embedded systems.
Developing software for embedded systems is quite a challenge. A developer has to implement all the required functionality while taking into account multiple device limitations and securing the software from attacks. Threats may come from various sources and channels, so fitting protection against all of them into a microprocessor and a tiny amount of memory may seem impossible.
At Apriorit, we have over 10 years of experience in embedded software development. During that time, our team has worked with a variety of devices and platforms, assuring fast and secure operations for all of them. Do you think you have an impossible project in mind? Challenge us with it!