It seems to be quite common to hear about security breaches and hacks through connected devices both in industrial and consumer environments. A common theme we hear from vendors who sell security solutions, whether it’s hardware or software, is that security is often an afterthought in the embedded systems development process, or that there is not enough security expertise among their design teams, particularly in terms of having the right knowledge and skills to implement security.
We recently highlighted how internet of things (IoT) device security is being neglected despite the huge growth in connected devices. A critical part of addressing this is to develop secure embedded code, as Matias Madou, co-founder and CTO of Secure Code Warrior, a firm that helps improve developers’ secure coding skills, noted recently. He commented, “Software is all around us, and it’s very easy to forget just how much we’re relying on lines of code to do all those clever things that provide us so much innovation and convenience. Much like web-based software, APIs, and mobile devices, vulnerable code in embedded systems can be exploited if it is discovered in the wild by an attacker.”
He argues that much like every other type of software, the code in IoT devices can be the breeding ground for insidious, common vulnerabilities that could go undetected before a product goes live. He said, “Developers are not security experts, nor should any company expect them to play that role, but they can be equipped with a far stronger arsenal to tackle the kind of threats that are relevant to them. Embedded systems – typically written in C and C++ – will be in more frequent use as our tech needs continue to evolve, and specialized security training for the developers on the tools in this environment is essential.”
A real-world example is the configuration server code vulnerability highlighted earlier this year, enabling a remote code execution attack on the Cosori smart air fryer, a WiFi-enabled kitchen appliance that allows a user to activate the device remotely, look up recipe guides and monitor cooking status via the mobile application. The risk is that a threat actor could remotely raise the temperature to dangerous levels.
It’s not just air fryers and Wi-Fi connected appliances where code security is vital. Vehicles, for example, are especially complex, with multiple embedded systems onboard to address multiple functions: everything from automatic wipers to engine and braking capabilities. On top of this is an ever-increasing stack of communication technologies like Wi-Fi, Bluetooth, and GPS; hence the connected vehicle represents a complex digital infrastructure that is exposed to multiple attack vectors.
Madou highlighted that while C and C++ programming languages “are geriatric by today’s standards”, they still remain widely used in most connected devices today. He comments, “Despite these languages having rather ancient roots – and displaying similar vulnerability behaviors in terms of common problems like injection flaws and buffer overflow – for developers to truly have success at mitigating security bugs in embedded systems, they must get hands-on with code that mimics the environments they work in. Generic C training in general security practices simply won’t be as potent and memorable as if extra time and care is spent working in an embedded C context.”
To address this need, Secure Code Warrior has released new training content for developers, allowing them to get hands-on with code vulnerabilities for embedded C and C++ languages, commonly used in the automotive, medical and defense industries. The company has added this to its learning platform, allowing organizations working with embedded systems to upskill their developer cohort, assisting them to code securely in their day-to-day tasks.
The platform aligns with guidelines as detailed by key embedded systems security organizations such as MISRA, to enable real-world secure coding skills and keep software security front of mind from the beginning of the development process.
Madou said, “Everything from connected fridges and toasters to the cars we drive, is powered by embedded systems. For this software to be vulnerable and potentially exploitable could have disastrous consequences, and we are so pleased to be able to offer hands-on, real solutions to reduce vulnerabilities as these applications are being coded. Developers are key to building great software with high-quality, secure code, and they need to be empowered to do just that.”
Secure Code Warrior’s embedded systems modules are now available, in addition to a range of security tooling aimed at the developer experience and building a positive security culture. “We’ve helped organizations worldwide leverage our flagship learning platform to empower their security-skilled developers, and we believe this is the most comprehensive solution for developers to get up close and personal with embedded systems security,” Madou concluded.