Avoiding an Embedded Security Disaster: What vendors, OEMs and developers need to know about embedded security

Abstract

For many years, embedded systems have been quietly working behind the scenes of almost all modern technologies, from automobiles to factory floors to space exploration missions. Increasingly, these critical embedded systems are built from COTS software, and often incorporate standards-based network connectivity. Just as the early networked desktop PC' s and server' s were unprepared to address the new security implications of network connectivity, today' s embedded systems present a significant new security concern, which must be addressed immediately and systematically. This paper will examine several significant embedded systems security concerns, and where possible outline recommended courses of remedial action.

Embedded systems are responsible for the availability and functionality of many critical systems, from factory automation to gas pipeline monitors to networking equipment. Unfortunately, the critical importance of embedded systems is seldom matched with a strong, comprehensive security infrastructure. Some of the critical security issues presented by modern embedded systems are:

• Diverse network-connected embedded systems use combinations of custom and COTS software, the details of which are typically known only to the vendor of each embedded device, making vulnerability assessment, risk analysis, and patch management difficult
• Many embedded protocol implementations derive from older versions of opensource software like OpenSSL and the BSD TCP/IP stack, resulting in vulnerabilities to known attacks, which have since been patched in the main software distributions
• Many other protocol implementations are built entirely from scratch, and have not benefited from years of public analysis and repeated attack, resulting in unproven protocol implementations that may be vulnerable to attack
• Even when vulnerabilities are identified, patches must be developed for each device or device family by the vendor, requiring tight collaboration between embedded software developers and the OEM' s building devices based on the developers' software
• Deployment of software patches is even more difficult, expensive, and timeconsuming than the most elaborate mobile/remote patch management systems for PCs and PDAs, making the total cost of a vulnerability in an embedded system much higher, and the motivation to patch that vulnerability much lower
• Most network-aware embedded devices lack sufficient management and auditing functionality, making centralized configuration and monitoring difficult and costly, and severely limiting the data available for attack pattern detection and afterattack forensic analysis
• Embedded systems are not always considered an IT responsibility, and thus often fall outside IT control, resulting in lax policy enforcement, minimal configuration management and auditing, distorted risk analyses, and little or no integration with enterprise security tools

Remediation of these issues will require a concerted effort on the part of commercial and custom embedded software developers, OEM' s building embedded systems, vendors selling them, and customers purchasing and implementing products based on network-aware embedded software. Until information security becomes a strategic technology for embedded systems developers, their products will continue to be characterized by complacency and vulnerability.