We don’t talk about embedded or IoT devices as much as we are surrounded by such devices these days, right from mobile phones, front-door cameras, sensor networks and so on. However, we still have a long way to go to securing these embedded devices. Be it in components selection, implementation or maintenance, there is a need to necessitate stronger security measures as embedded devices are real world things that affect us.
Jon Szymaniak, Principal Security Consultant – NCC Group joined Swapnil Bhartiya, TFiR CEO and Founder, to talk about the state of security in the embedded space and why embedded community people should take the security of embedded/IoT devices more seriously as it has than ever that have seemingly lagged behind other technologies.
Here are some of the topics we covered in our discussion:
- Unlike the cloud native world where security is becoming a priority, it’s no longer an afterthought, the embedded community is still lagging behind. Considering the growth and adoption of embedded technologies, has the community started taking security seriously? If not, why they should.
- The traditional business model of embedded systems is around selling more hardware. Companies sell one version of the hardware and move to the next. There is no financial reason or legal responsibility for them to update the older systems, which leaves the previous generations vulnerable to attacks. Even companies like Samsung or LG don’t promise for long their refrigerators of TVs will get software updates. So should there be some incentives for vendors so they keep their devices up-to-date for the entirety of the product life cycle?
- In addition to financial incentives, legal obligations can also help with security. FCC can make it mandatory for vendors to keep updating their hardware for the lifespan of their products. Also, once updates are not available the device should reach end of life or work with limited capabilities such as no connectivity to the internet.
- What is uboot, how does it work and how is it being used?
- Open Source is more secure than proprietary technologies because anyone can see and audit the code and create fixes. That doesn’t mean it’s fully secure. Bugs are part of the software development process and there are bugs in open source software too. These bugs become vulnerabilities. So just because someone is using open source doesn’t make their products secure. We looked into the potential vulnerabilities/weaknesses in uboot and how they can be mitigated. Security is a cat and mouse game. Good guys have to be right all the time whereas the bad guys have to be right only once.
- The risks that users, vendors and developers should be aware of so that they can prioritize security.
- Embedded device security is a supply chain problem. There are many stakeholders involved in the whole supply chain. Let’s talk about the role each one plays and where does the buck actually stop? Who is really responsible for the security of such devices?
- Traditional wisdom says ‘don’t fix if it’s not broken’ and at times operators refrain from pushing updates as it may break some untested functionality. They don’t want downtime. Jon talked about the Depthcharge toolkit that helps figure out how we can work more effectively and efficiently to perform security audits of uboot based systems, or systems that include uboot.
- Jon also offered some tips for users to make their embedded devices more secure.