network logoeettechonlineembedded

CMP EMBEDDED.COM

All Articles Products Columns Courses VirtuaLabs Webinars
Search
Login | Register     Welcome Guest  
HOME DESIGN PRODUCTS COLUMNS E-LEARNING CONFERENCES CODE FORUMS/BLOGS NEWSLETTERS CONTACT FEATURES RSS RSS
Embedded.com > Design Articles

What you need to know about embedded systems security



By Timothy Stapko
Embedded.com
(11/19/08, 11:12:00 AM EST)

Non-Obvious questions
Question #4: Where is the application going to be deployed? For an embedded system, location is as important as any other factor in determining what security measures are needed. Many embedded applications may be installed in places where an attacker has unfettered access to the hardware.

When an attacker has physical access, software-based security mechanisms fail, and hardware mechanisms don't fare much better. If you are implementing world-class security in your application, make sure the physical security employed is at least equivalent to the security in the application.

Question #5: Who are the potential attackers? To come up with a list of potential attackers, think about everyone who would benefit from compromising your system. This might include business rivals, terrorists, secret illegal government agencies, or bored teenagers.

The people who stand to benefit the most from attacking your system are usually the most likely to attack it, but the attacker may not be interested in what you are most concerned about, which leads us to our next question.

Question #6: What information is most valuable to attackers? (Hint: it might not be what you think it is) This is kind of a trick question, because an attacker may not even be after information. It may be sufficient to shut down your application, as would be the case if a disgruntled customer could turn off his network-enabled electric meter to get free electricity.

In other cases, the attacker may just be interested in controlling the hardware. Already we see PCs being hijacked and turned into zombies that flood victims' web sites with traffic or shut down entire systems with loads of emails " and the attackers can make money doing it. As more and more devices are networked, it is highly likely that someone will see those devices as a huge pool of hardware resources ripe for exploitation.

Question #7: How is wireless network security different from wired network security? Wireless networks add a layer of vulnerability beyond that found in a wired network " the physical transmission medium.

For a wired network, the transmission medium is a wire. Wire-tapping to eavesdrop on communications requires physical contact with the wire or close physical proximity. Wires can be routed through secure buildings, underground, on top of telephone poles, or through concrete, thus limiting the physical contact possible.

With a wireless network, the transmission medium is the air. With a wireless device broadcasting information in all directions, an attacker needs only an antenna to gain access. For this reason, most wireless protocols employ some type of built-in encryption.

Figure 2: Wired versus wireless security

Question #8: Can the hardware or software I choose affect security? Some systems are going to be more secure by default, either due to higher quality software or through specific security enhancements.

Check with others who have deployed the systems you are evaluating and try to find out what applications they have been used in before. Look for hardware security features that have proven records just as you would when choosing a software security protocol for your application.

Question #9: What are the known attacks against the security technology I am using? If you need high security for your application, keeping up with security news is vital. Every day, thousands of hackers and researchers are working to break security.

Those that do their jobs well become famous (or infamous), so there is plenty of incentive to derive new attacks against existing systems. Make sure that you know the current state of your security technologies by learning all the known attacks, and keep up with the reports to be sure that no new attacks have been discovered.

Question #10: Does my system really need the highest levels of security? This final question presents a different way of thinking about security. It is very easy to fall into the philosophy that you need absolutely the best, most robust, most powerful security available, but the truth is that you probably don't need that much.

As an example, think about the electricity metering example " do you really care if anyone can eavesdrop and look at data being sent out from the meter?

With existing meters, all someone has to do is walk up and look at the dial, so it probably doesn't matter if you have the highest level of encryption for the networked version. You are mostly concerned that the information is collected properly and delivered without being tampered with.

There are less expensive methods to achieve that result without resorting to comprehensive security implementations. When evaluating security for your application, think about how much security is really needed " you can save a lot of hardware cost and development time by avoiding security you don't need.

Timothy Stapko is lead software engineer for Digi International www.digi.com with focus on the Rabbit line of embedded products. Stapko has more than 8 years software industry experience and is the author of Practical Embedded Security.

1 | 2

Rate this article: Low High
Current rating
  • .
Embedded.com Career Center
Looking for a new job?
SEARCH JOBS

Browse all jobs

SPONSOR
RECENT JOB POSTINGS
SEL seeking Business Development Manager in Pullman, WA

SEL seeking Integration / Automation Engineer in Charlotte, NC

ESRI seeking Business Manager - Support Services in Redlands, CA

Amcor PET Packaging seeking Facilities Engineer in Philadelphia, PA

Mentor Graphics seeking Embedded SW Tele-Sales in San Jose, CA

For more great jobs, career related news, features and services, please visit EETimes Career Center



Embedded.com Links
Site Map | About Us | Contact Us | Media Kit | Editorial Calendar | Conferences | ESD Europe | ESC on Demand | Subscriptions | Newsletter | Reprints
TechOnline Communities
Audio DesignLine | Automotive DesignLine | CommsDesign | Digital Home DesignLine | DSP DesignLine | EDA DesignLine
eeProductCenter | Green SupplyLine | Industrial Control DesignLine | Mobile Handset DesignLine | Planet Analog | Power Management DesignLine
Programmable Logic DesignLine | RF DesignLine | Teardown.com | TechOnline | Video/Imaging DesignLine | Wireless Net DesignLine
EE Times
United States | Asia | China | Europe | France | Germany | India | Japan | Korea | Taiwan | United Kingdom | EE Times Supply Network
Additional Network Sites
Analog Europe | Automotive Designline Europe | DeepChip | Design & Reuse | Electronik iNorden | Embedded.com
| Microwave Engineering Europe | Portelligent | Power Management Designline Europe
The RF Edge | Semiconductor Insights | Embedded-europe.com | Mechanical Design | TechOnline India
 
All materials on this site Copyright © 2009 TechInsights, a Division of United Business Media LLC All rights reserved.
Privacy Statement | Terms of Service
 
 :