Difference between revisions of "Embedded systems security and IoT"
| Line 1: | Line 1: | ||
==Introduction== | ==Introduction== | ||
| − | Some weeks ago DAVE Embedded Systems Technical support service was addressed by a customer reporting a problem he was experiencing on old ARM7-based product running Linux kernel 2.4 | + | Some weeks ago DAVE Embedded Systems Technical support service was addressed by a customer reporting a problem he was experiencing on old ARM7-based product running Linux kernel 2.4: even if the machine configuration was not changed, it suddenly became very slow when performing ordinary tasks. |
| − | A specific support ticket was created and a failure analysis was conducted in order to determine the root cause of this behavior, apparently unexplainable. It was found out that a virus - in the form of an ELF executable - was uploaded by an attacker [1]. Two instances of this executable were running when the machine | + | A specific support ticket was created and a failure analysis was conducted in order to determine the root cause of this behavior, apparently unexplainable. It was found out that a virus - in the form of an ELF executable - was uploaded by an attacker [1]. Two instances of this executable were running when the machine was analyzed. These processes overloaded the processor, causing the overall slowing down of the machine, as reported by the customer. Likely this virus had been used to perform illegitimate actions on the Internet such as [https://en.wikipedia.org/wiki/Denial-of-service_attack DDoS attacks]. |
| − | The machine was initially installed in a severely controlled private LAN with no access to the Internet. Then it was configured with a public static IP address and was moved to public network connected to the Internet. However, it was not verified that the original configuration is suited for such a use. From the security perspective, the system was affected by clear vulnerabilities such as the use of <code>telnet</code> service, combined with a weak <code>root</code> password. Thus it was trivial for the attacker to get access to the machine with <code>root</code> privileges. The protection level was so low, that maybe the attack was even carried out by an automatic hacking tool. | + | The machine was initially installed in a severely controlled private LAN with no access to the Internet. Then it was configured with a public static IP address and was moved to public network connected to the Internet. However, it was not verified that the original configuration is suited for such a use. From the security perspective, the system was affected by clear vulnerabilities such as the use of <code>telnet</code> service, combined with a weak <code>root</code> password. Thus it was trivial for the attacker to get access to the machine with <code>root</code> privileges. The protection level was so low, that maybe the attack was even carried out by an automatic hacking tool without human intervention. |
| − | This anecdote proves one again that, when it comes to security in Internet-based applications, embedded systems are very similar to traditional IT equipments. However, embedded systems | + | This anecdote proves one again that, when it comes to security in Internet-based applications, embedded systems are very similar to traditional IT equipments. However, they are much more complex because of their heterogeneity in terms of hardware/software configurations. Also, network-related security is just one of the facets of the overall security that the system integrator needs to deal with. It is worth pointing out that the huge group of embedded systems include so-called IoT devices. As such, the general security principles and practices are valid for this class of devices as well. |
| − | This document aims to raise system integrators awareness of these issues and to provide some general guidelines. | + | This document aims to raise system integrators awareness of these issues and to provide some general guidelines based on real-world applications. It is not intended to be an exhaustive guide to embedded systems security. Interested readers are encouraged to deepen their own understanding of these issues by independent reading in the relevant technical literature (see for example <ref name="name">D. Kleidermacher, M. Kleidermacher, ''Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development'', https://www.amazon.com/Embedded-Systems-Security-Practical-Development/dp/0123868866</ref>). |
| − | |||
| − | |||
| − | |||
[1] See also https://www.virustotal.com/en/file/1917f27f64fe8770e43a8087ad4529593dfb3cc4d9317ababb91e3bfea60a179/analysis/. | [1] See also https://www.virustotal.com/en/file/1917f27f64fe8770e43a8087ad4529593dfb3cc4d9317ababb91e3bfea60a179/analysis/. | ||
| − | + | ==Exmaples== | |
| − | Security is a process, not a feature <ref name="PRQA1">PRQA, ''Addressing security vulnerabilities in embedded applications using best practice software development processes and standards'', 2016</ref> | + | {{quote|Security is a process, not a feature|PRQA<ref name="PRQA1">PRQA, ''Addressing security vulnerabilities in embedded applications using best practice software development processes and standards'', 2016</ref>}} |
| + | |||
Revision as of 13:16, 5 July 2016
| HOME | SOMs | SBCs | ToloMEO Embedded Assistant |  GET A QUOTE
|
 ONLINE HELPDESK
|
| Roadmap | IoT Services | ML/AI services | Embedded Design Services |
Introduction[edit | edit source]
Some weeks ago DAVE Embedded Systems Technical support service was addressed by a customer reporting a problem he was experiencing on old ARM7-based product running Linux kernel 2.4: even if the machine configuration was not changed, it suddenly became very slow when performing ordinary tasks.
A specific support ticket was created and a failure analysis was conducted in order to determine the root cause of this behavior, apparently unexplainable. It was found out that a virus - in the form of an ELF executable - was uploaded by an attacker [1]. Two instances of this executable were running when the machine was analyzed. These processes overloaded the processor, causing the overall slowing down of the machine, as reported by the customer. Likely this virus had been used to perform illegitimate actions on the Internet such as DDoS attacks.
The machine was initially installed in a severely controlled private LAN with no access to the Internet. Then it was configured with a public static IP address and was moved to public network connected to the Internet. However, it was not verified that the original configuration is suited for such a use. From the security perspective, the system was affected by clear vulnerabilities such as the use of telnet service, combined with a weak root password. Thus it was trivial for the attacker to get access to the machine with root privileges. The protection level was so low, that maybe the attack was even carried out by an automatic hacking tool without human intervention.
This anecdote proves one again that, when it comes to security in Internet-based applications, embedded systems are very similar to traditional IT equipments. However, they are much more complex because of their heterogeneity in terms of hardware/software configurations. Also, network-related security is just one of the facets of the overall security that the system integrator needs to deal with. It is worth pointing out that the huge group of embedded systems include so-called IoT devices. As such, the general security principles and practices are valid for this class of devices as well.
This document aims to raise system integrators awareness of these issues and to provide some general guidelines based on real-world applications. It is not intended to be an exhaustive guide to embedded systems security. Interested readers are encouraged to deepen their own understanding of these issues by independent reading in the relevant technical literature (see for example [1]).
[1] See also https://www.virustotal.com/en/file/1917f27f64fe8770e43a8087ad4529593dfb3cc4d9317ababb91e3bfea60a179/analysis/.
Exmaples[edit | edit source]
Holistic approach
analisi static del codice
- ↑ D. Kleidermacher, M. Kleidermacher, Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development, https://www.amazon.com/Embedded-Systems-Security-Practical-Development/dp/0123868866
