Message: Re: Security question?
2
vic
Mar 22, 2016 10:26AM

It’s In the Silicon

The software in so many embedded devices contains a potentially fatal original sin: it’s not signed. This means that attackers can reverse engineer the code, modify it, reflash the firmware, and reboot to execute arbitrary code -- see Ukraine’s incident above. So what can be done? After all, software on the device needs to be updateable so that vendors can apply security patches.

The answer is to ensure that the system boots up only if the software to execute is cryptographically signed by a trusted entity -- i.e. the vendor. It needs to match on the other side with a public key or certificate which is somehow hard-coded into hardware, so it is virtually irreplaceable. By anchoring this root of trust into the hardware, it becomes extremely difficult to tamper with firmware. A determined attacker might still be able to extract the original firmware via JTAG, for example, reverse engineer and modify it, but it won’t match the public key burned into the hardware, so the first stage of the boot up will fail, and the system will refuse to come to life.

It won’t be an easy feat, but it is possible, and once the root of trust has been established, that initial piece of software will make identity and integrity checks with the next piece in the boot chain and so on until the system is fully and securely operational -- the integrity check will eventually continue at runtime to make sure no modifications are applied after boot.

Security by Separation

Too many embedded systems allow for lateral movement within the hardware, allowing attackers to jump across non-critical and critical subsystems inside until they find a way to exploit what they’re really after. It’s understandable that manufacturers are trying to rationalize, collapsing as many functions as possible within one single piece of hardware -- i.e. board or SoC. But from a software perspective, there’s no reason why these separate functional domains should be visible to each other. It shouldn’t be possible to access an airplane flight control system via its on-board entertainment platform, for example, or a car’s brakes and assisted steering wheel from the car stereo unit.

Let’s make no mistake -- it’s a journey the industry must take if it has any hope of managing the potentially fatal security issues which have broken the Internet of Things.
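The signed boot chain described in the post above, as an added example that is not part of the original post and not any vendor's boot ROM code. It assumes Ed25519 signatures, a constructed three-stage chain (loader, kernel, application) with made-up image bytes, and a root public key held in a variable standing in for the key burned into hardware. The first stage verifies against that root key; every verified stage then carries the public key for the next one under its own signature, so the chain of trust is handed forward exactly as the post describes, and a tampered or re-signed image halts the boot at that stage.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// StageSpec is the unsigned input for one boot stage. The code bytes are
// constructed stand-ins for real firmware images.
type StageSpec struct {
	Name string
	Code []byte
}

// SignedImage is one stage as it would sit in flash: the code, the public
// key that verifies the *next* stage, and a signature over both. Because
// NextPubKey is under the signature, swapping in a different key breaks
// the current stage's own check.
type SignedImage struct {
	Name       string
	Code       []byte
	NextPubKey ed25519.PublicKey // nil for the last stage
	Signature  []byte
}

// signedBytes is the exact byte string the signature covers; length
// prefixes keep the field boundaries unambiguous.
func (s *SignedImage) signedBytes() []byte {
	var buf bytes.Buffer
	for _, field := range [][]byte{[]byte(s.Name), s.Code, s.NextPubKey} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		buf.Write(n[:])
		buf.Write(field)
	}
	return buf.Bytes()
}

// BuildChain signs the stages in order (the vendor-side step). Stage 0 is
// signed with the root key; each later stage is signed with a fresh key
// whose public half is embedded in the preceding stage.
func BuildChain(rootPriv ed25519.PrivateKey, specs []StageSpec) ([]SignedImage, error) {
	chain := make([]SignedImage, len(specs))
	signer := rootPriv
	for i, spec := range specs {
		img := SignedImage{Name: spec.Name, Code: spec.Code}
		var nextPriv ed25519.PrivateKey
		if i+1 < len(specs) {
			pub, priv, err := ed25519.GenerateKey(rand.Reader)
			if err != nil {
				return nil, err
			}
			img.NextPubKey, nextPriv = pub, priv
		}
		img.Signature = ed25519.Sign(signer, img.signedBytes())
		chain[i] = img
		signer = nextPriv
	}
	return chain, nil
}

// VerifyBoot models the boot ROM: it trusts only rootPub, verifies stage 0
// against it, then hands trust to the key carried by each verified stage.
// It returns the stages allowed to run and stops at the first failure.
func VerifyBoot(rootPub ed25519.PublicKey, chain []SignedImage) ([]string, error) {
	trusted := rootPub
	var booted []string
	for i := range chain {
		img := &chain[i]
		if len(trusted) != ed25519.PublicKeySize {
			return booted, fmt.Errorf("stage %d (%s): no trusted key available", i, img.Name)
		}
		if !ed25519.Verify(trusted, img.signedBytes(), img.Signature) {
			return booted, fmt.Errorf("stage %d (%s): signature check failed, halting boot", i, img.Name)
		}
		booted = append(booted, img.Name)
		trusted = img.NextPubKey
	}
	return booted, nil
}

func main() {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader) // rootPub stands in for the key in silicon
	if err != nil {
		panic(err)
	}
	specs := []StageSpec{
		{"first-stage-loader", []byte("constructed loader image")},
		{"kernel", []byte("constructed kernel image")},
		{"application", []byte("constructed application image")},
	}
	chain, err := BuildChain(rootPriv, specs)
	if err != nil {
		panic(err)
	}
	booted, err := VerifyBoot(rootPub, chain)
	fmt.Println("clean boot:", booted, err)

	// A reflashed kernel re-signed with some other key: the loader's embedded
	// public key does not match it, so boot stops after stage 0.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	chain[1].Code = []byte("modified kernel image")
	chain[1].Signature = ed25519.Sign(otherPriv, chain[1].signedBytes())
	booted, err = VerifyBoot(rootPub, chain)
	fmt.Println("tampered boot:", booted, err)
}
```

The runtime integrity checking the post mentions is not modelled here; this block covers only the boot-time chain. In a real device the root public key (or its hash) lives in one-time-programmable fuses or ROM rather than a variable, which is what makes it effectively irreplaceable.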
