If the classic 1960s movie “The Graduate” were made now, thecareer advice that one of his father's friends would give to DustinHoffman's character might well have been “Security, son, security,”rather than “Plastics, son, plastics.”
Given the increasing complexity of embedded devices and theirubiquitous connectivity, making designs secure from malicious hackingis becoming more difficult, it is the view of Christof Paar, KaiSchramm and Andre Weimerskirch of encrypt Inc., that security willbecome one of the most intensively researched areas in embedded systemsdesign in future years.
In their class at the Embedded Systems Conference on “Challenges of and solutions for embeddeddata security (ESC-228),” Paar, Schramm and Weimerskirchlook at the trend toward ubiquitously connected embedded devices andthe impact that is having on how these devices are designed anddeployed. In the class, they attempt to give an overview of thechallenges but also of the opportunities which strong pervasivesecurity solutions can offer.
“We are already surrounded by embedded devices. A typical householdalready has dozens of them in cell phones, home entertainment,printers, household appliances, cars, etc.,” said Paar, a founder ofencrypt and is the holder of the chair for Communication Security atthe Electrical Engineering Department of the University of Bochum.”Once all these devices are equipped with a wireless communicationchannel, we have arrived in the area of pervasive computing.”
And with ubiquitous embedded devices becoming the backbone of thepervasive computing world, he said, new security issues arise, notingthat there is not just one single threat against pervasive computingsystems. “Rather, due to the extremely diverse nature of embeddedapplications, there is a wide range of damage that can be done throughabuse in a pervasive world,” said Paar.
According to Schramm, ecrypt's chief technology officer, thepotential threats, ranging from privacy violation to financial loss oreven bodily harm. “We argue thatpervasive security is needed due to following developments: riskpotential, financial aspects, new business models, privacy, reliabilityand legislation.”
Pervasive computing will introduce new security threats, rangingfrom a loss of privacy, over reduced revenues, to bodily injuries. Someof the new security threats are well known from conventional ITsystems, whereas others are unique to the pervasiveness of the devices.
At the same time, said Weimerskirch, encrypt's chief executiveofficer, strong security in pervasive applications, e.g., fee-basedfeature activation in products, offers new opportunities for businessesand users. Pervasive security is an emerging discipline and there is anactive academic and industrial community working on strong securitysolutions
While embedded systems have become a centrally important aspect in awide variety of applications, ranging from hand-held devices tohousehold appliances and RFID tags and constitute 98 percent of theglobal processor market, Parr points out that many solutions developedfor securing general IT systems, such as computer networks ordatabases, are not applicable or not sufficient for embedded security.
“For instance, in many pervasive applications, communications mustbe kept to a minimum due to the mobile nature of applications,” hesaid, “the target systems are often computationally extremely weak(8-bit processors are by far the most common embedded platform), anattacker often has physical control over the device, and there is alack of IT infrastructure such as a public key infrastructure (PKI). “
In addition to those technical boundary conditions, Weimerskirchsaid embedded applications tend to be extremely cost-sensitive becausethey are more often than not extremely highvolume devices in verycompetitive markets. It is important to note, he said, that pervasivesecurity serves not only the purpose of assuring the smooth functioningof applications, but is also an enabling technology for new businessmodels, such as fee-based feature activation in embedded systems.
Fortunately, said Schramm, although there are significant challengesahead, “most of the technologies needed for embedded security arecurrently under development in industry and academia, and embeddedsecurity is arguably one of the most active areas within appliedsecurity and cryptography.”