What security package(s) do I need?
This is probably Question #1 an engineer might ask when faced with security as a requirement for an embedded systems application.
Unfortunately, there are a large number of "security packages" available, and an embedded engineer new to security may only know of security as encryption or virus protection. While encryption is a tool used for security and virus scanners technically provide security, neither one likely provides what is needed.
Fortunately, these days security is integrated into many applications, and the packages you need are usually dictated by what your application will interface with. If your application is Web-based, it probably will use SSL/TLS (Secure Sockets Layer and its successor, Transport Layer Security).
Other applications use technologies like IPSEC (Internet Protocol Security) or CCMP (WPA2 Wi-Fi encryption). Knowing what the acronyms mean isn't as important as knowing which protocols you need to support. Once you know what you need to support, then you can go shopping.
Figure 1: Common applications and potential security solutions
Question #2: How do I implement a security package for my application? Depending on the application, this may be as simple as running an executable with security enabled. For example, if you are running embedded Linux or Windows CE, there are probably applications that provide a lot of the security you need, like an SSH (Secure Shell) client. If binaries aren't available, then there may be source code available.
Open-source packages like OpenSSL and OpenSSH are considered among the best implementations of those security protocols available, and the best part is that they are free to use. Avoid implementing your own security protocol. Unless you are a cryptography expert, chances are your implementation will be vulnerable.
Question #3: How secure is my system? Once you have implemented your application and added in all of your security protocols, it is natural to ask how secure the result is. This is where you need to start thinking like a criminal, or hire someone who does (though hiring actual criminals is not recommended).
Anything that can be exploited by an attacker will be if the gain is significant enough. The purpose of security is to make the cost of breaking the security greater than the value of the gain for the attacker. Modern cryptography relies on mathematics that would take thousands of years to work out using modern computer hardware.
Unfortunately, any protocol or algorithm out there may have an undiscovered vulnerability that makes breaking it much easier, and hardware performance continues to improve at a fantastic pace, bringing that "thousands of years" number down significantly.
The remaining questions address some of these issues and hopefully give some insight into how to evaluate and deploy secure embedded applications.
Question #4: Where is the application going to be deployed? For an embedded system, location is as important as any other factor in determining what security measures are needed. Many embedded applications may be installed in places where an attacker has unfettered access to the hardware.
When an attacker has physical access, software-based security mechanisms fail, and hardware mechanisms don't fare much better. If you are implementing world-class security in your application, make sure the physical security employed is at least equivalent to the security in the application.
Question #5: Who are the potential attackers? To come up with a list of potential attackers, think about everyone who would benefit from compromising your system. This might include business rivals, terrorists, secret illegal government agencies, or bored teenagers.
The people who stand to benefit the most from attacking your system are usually the most likely to attack it, but the attacker may not be interested in what you are most concerned about, which leads us to our next question.
Question #6: What information is most valuable to attackers? (Hint: it might not be what you think it is.) This is kind of a trick question, because an attacker may not even be after information. It may be sufficient to shut down your application, as would be the case if a disgruntled customer could turn off his network-enabled electric meter to get free electricity.
In other cases, the attacker may just be interested in controlling the hardware. Already we see PCs being hijacked and turned into zombies that flood victims' web sites with traffic or shut down entire systems with loads of emails, and the attackers can make money doing it. As more and more devices are networked, it is highly likely that someone will see those devices as a huge pool of hardware resources ripe for exploitation.
Question #7: How is wireless network security different from wired network security? Wireless networks add a layer of vulnerability beyond that found in a wired network: the physical transmission medium.
For a wired network, the transmission medium is a wire. Wire-tapping to eavesdrop on communications requires physical contact with the wire or close physical proximity. Wires can be routed through secure buildings, underground, on top of telephone poles, or through concrete, thus limiting the physical contact possible.
With a wireless network, the transmission medium is the air. With a wireless device broadcasting information in all directions, an attacker needs only an antenna to gain access. For this reason, most wireless protocols employ some type of built-in encryption.
Figure 2: Wired versus wireless security
Question #8: Can the hardware or software I choose affect security? Some systems are going to be more secure by default, either due to higher quality software or through specific security enhancements.
Check with others who have deployed the systems you are evaluating and try to find out what applications they have been used in before. Look for hardware security features that have proven records, just as you would when choosing a software security protocol for your application.
Question #9: What are the known attacks against the security technology I am using? If you need high security for your application, keeping up with security news is vital. Every day, thousands of hackers and researchers are working to break security.
Those that do their jobs well become famous (or infamous), so there is plenty of incentive to derive new attacks against existing systems. Make sure that you know the current state of your security technologies by learning all the known attacks, and keep up with the reports to be sure that no new attacks have been discovered.
Question #10: Does my system really need the highest levels of security? This final question presents a different way of thinking about security. It is very easy to fall into the philosophy that you need absolutely the best, most robust, most powerful security available, but the truth is that you probably don't need that much.
As an example, think about the electricity metering example: do you really care if anyone can eavesdrop and look at data being sent out from the meter?
With existing meters, all someone has to do is walk up and look at the dial, so it probably doesn't matter if you have the highest level of encryption for the networked version. You are mostly concerned that the information is collected properly and delivered without being tampered with.
There are less expensive methods to achieve that result without resorting to comprehensive security implementations. When evaluating security for your application, think about how much security is really needed; you can save a lot of hardware cost and development time by avoiding security you don't need.
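The metering example above (integrity and freshness without confidentiality) can be made concrete with a keyed message authentication code. The following Python is an added illustration, not code from the article or from any product it mentions: it assumes a hypothetical fixed 16-byte report format, a constructed shared key, HMAC-SHA256 as the integrity mechanism, and a per-meter sequence number so a captured report cannot be replayed. The reading itself travels in the clear, which is exactly the trade-off Question #10 describes: anyone can read it, but nobody without the key can alter it or resubmit an old one unnoticed.

```python
import hashlib
import hmac
import struct

# Constructed demo key (hypothetical; a real deployment provisions a
# per-meter secret at manufacturing time and never hard-codes it).
METER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

# Hypothetical report layout: meter_id (u32), sequence (u32), watt_hours (u64),
# all big-endian, followed by a 32-byte HMAC-SHA256 tag over those 16 bytes.
REPORT_FMT = ">IIQ"
REPORT_LEN = struct.calcsize(REPORT_FMT)   # 16
TAG_LEN = hashlib.sha256().digest_size      # 32


def encode_report(meter_id: int, sequence: int, watt_hours: int) -> bytes:
    """Serialize one reading as fixed-width fields (plaintext, not secret)."""
    return struct.pack(REPORT_FMT, meter_id, sequence, watt_hours)


def tag_report(key: bytes, meter_id: int, sequence: int, watt_hours: int) -> bytes:
    """Meter side: append an integrity tag so tampering is detectable."""
    payload = encode_report(meter_id, sequence, watt_hours)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def peek_reading(message: bytes) -> int:
    """Anyone on the wire can read the value; no key is needed for this."""
    return struct.unpack(REPORT_FMT, message[:REPORT_LEN])[2]


class Collector:
    """Utility side: accept only untampered, never-before-seen reports."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_sequence = {}  # meter_id -> highest sequence accepted

    def accept(self, message: bytes):
        """Return (meter_id, sequence, watt_hours) or None if rejected."""
        if len(message) != REPORT_LEN + TAG_LEN:
            return None  # malformed length, reject before touching the key
        payload, tag = message[:REPORT_LEN], message[REPORT_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, tag):
            return None  # tampered payload or wrong key
        meter_id, sequence, watt_hours = struct.unpack(REPORT_FMT, payload)
        if sequence <= self.last_sequence.get(meter_id, -1):
            return None  # replay of an already-accepted report
        self.last_sequence[meter_id] = sequence
        return meter_id, sequence, watt_hours


def demo() -> dict:
    """Walk through the cases a collector must handle; values are constructed."""
    collector = Collector(METER_KEY)
    genuine = tag_report(METER_KEY, meter_id=7, sequence=1, watt_hours=12345)

    tampered = bytearray(genuine)
    tampered[REPORT_LEN - 1] ^= 0x01        # flip a bit in watt_hours
    forged = tag_report(b"attacker-guess", 7, 2, 0)  # wrong key

    return {
        "visible_reading": peek_reading(genuine),   # readable without key
        "genuine": collector.accept(genuine),       # accepted
        "replay": collector.accept(genuine),        # same sequence: rejected
        "tampered": collector.accept(bytes(tampered)),
        "forged": collector.accept(forged),
        "next": collector.accept(tag_report(METER_KEY, 7, 2, 12400)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The collector keeps only the highest accepted sequence per meter, so a report is rejected if it is altered, signed with a different key, shorter than expected, or seen twice. Nothing here hides the reading, which is the cost-saving point of the question: an integrity tag is far cheaper in CPU, code size and key management than a full encrypted channel when confidentiality is not actually a requirement.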
Timothy Stapko is lead software engineer for Digi International (www.digi.com) with a focus on the Rabbit line of embedded products. Stapko has more than 8 years of software industry experience and is the author of Practical Embedded Security.