Staying one step ahead in embedded security at ESC/EELive! 2014
At the ESC/EELive! Conference in two weeks, embedded developers concerned about protecting their increasingly networked systems should register to attend an intensive three-day track of classes on security.
The reason is simple: never before have embedded systems designers been faced with security challenges on the scale that are now emerging. Not only is there physical hacking of devices to get at key design information, but as devices become more and more connected, they are no longer "islands unto themselves."
While embedded systems have always been connected, those installations used to be relatively isolated, using their own network protocols and often their own wiring with no connection to the outside world. Now embedded systems are driven by the enthusiasm for the "Internet of Things," where it is theoretically possible for every "thing" to be connected to every other "thing," - and to human beings - by a common IPv6 and 6LoWPAN set of protocols. And security concerns have expanded commensurately.
As noted in this week’s Tech Focus newsletter, considerable efforts have already been made in improving security in embedded systems, but much more needs to be done. Fortunately initial steps in that direction are being taken. A big part of the Industrial IoT framework that Echelon has proposed deals with security. And in Europe, KFKI and Wibu AG are working together on a security mechanism for the proposed Industry 4.0 initiative. In the automotive segment, the adoption of the Autosar standard has gone a long way in improving both security and safety specifications in vehicles.
But the problem in an Internet of Things environment is that because all devices are connected by the same IPv6 mechanism, all devices and systems that use it have to be equally secure, which is currently far from the case. For example, a big new market for embedded systems is the Smart Grid, where wireless connectivity is key in making sure that power companies know exactly what demand is and will be and where additional load can be expected. But as noted by several of the articles in this week's newsletter, the system is still largely insecure.
Another hole in the IoT security blanket is that represented by the wireless consumer and mobile markets. While there are individual company efforts being made, most successfully by Apple’s iPhone and RIM’s Blackberry, there does not seem to be any set of industry security standards comparable in rigor to those now used in industrial control, medical devices, military/aerospace, or even automotive.
According to Robert Dolin of Echelon, what makes consumer IoT different than other segments is that humans - and their devices - are a part of the chain of causality. Unlike industrial IoT, where it is mostly a matter of devices talking to devices, consumer IoT is characterized by a human interacting with a device, usually a smartphone or tablet - turning on the TV in the front room, controlling the lights and other appliances in the home, interacting with the Smart Power Grid, turning on the engine in your auto, or downloading instructions to the infotainment system.
The problem is that the smartphone is also a source of hacks, security breaches, and intrusions, and the situation is getting worse. According to a Malware Report put together by Alcatel-Lucent's Kindsight Security Lab, more than 11.6 million mobile devices are infected worldwide, and 60% of them are Android smartphones. By applying this percentage to 2.1 billion smartphones currently in use (according to ITU estimates), Kindsight Security Labs estimated that 11.6 million mobile devices are infected at any one time.
They also report that the number of Android malware samples in Alcatel-Lucent’s database increased 20 times in 2013 and doubled in the fourth quarter alone. Until such security holes are filled, any IoT application – embedded or otherwise - with a smartphone in the loop should be avoided. And developers should spend a lot more time educating themselves on what can be done.
One good place to start is at ESC/EELive!, March 31 to April 3, where there are a number of classes and presentations that could be useful, including:
In addition to the collection of recent articles included in this week’s Tech Focus Newsletter, another source of information is Embedded.com's collection of security articles. In addition, some recent articles I found especially useful in understanding the problems and some of the possible solutions include:
Embedded.com Site Editor Bernard Cole is also editor of the twice-a-week Embedded.com newsletters as well as a partner in the TechRite Associates editorial services consultancy. He welcomes your feedback. Send an email to firstname.lastname@example.org, or call 928-525-9087.