Embedded systems security a growing concern amid rise of IoT

As more devices become Internet-enabled, experts fear an embedded systems security worst-case scenario for enterprises, many of which are unaware of the risks or unable to mitigate them.

Some fear the rapid increase in nontraditional Internet-enabled devices could mean more potential enterprise entry points for attackers. Many of these devices fall into the category of embedded systems, and experts in that field fear a worst-case security scenario for organizations because of embedded technology's troubling security history.

Traditionally, an embedded system device is a type of appliance with a minimal chipset and a "lite" version of an operating system, often Linux. The most popular examples for enterprise would be USB sticks, which were used to initially load the infamous Stuxnet malware; networked printers; and even now hard drive firmware, which is where the recently revealed Equation spyware lived.

However, the devices in that category are expanding rapidly with the arrival of the Internet of Things (IoT), which bestows networking capability on a broad spectrum of devices that have never had that capability before, such as office appliances like thermostats and refrigerators. As a result, enterprises may soon find they have a whole host of new attack points on their networks, but experts aren't sure that the new generation of embedded devices has overcome the security flaws of its predecessors.

According to Benjamin Jun, CTO of San Francisco-based security consultancy firm Chosen Plaintext Partners, embedded systems have historically used a lot of proprietary components and not shared much common circuitry with other systems, meaning when bugs were found, they were less likely to be fixed due to cost or resource constraints.

Modern embedded systems have moved away from this paradigm by sharing some of the same internal systems components, such as ARM chips, with other popular mobile devices, Jun said, but embedded devices must often be supported for years or even decades, which causes a new set of problems.

"Mobile phones iterate quickly, but embedded systems tend to live much longer," Jun said. "The process of rapid obsolescence in mobile doesn't translate to devices that are expected to last 10 to 20 years. The teams that debug these things move on, so the security process is limited."

Beyond the level of support that embedded systems need, Jun said that even when there are software updates available, enterprises may overlook these devices because the cost per node is much lower in terms of support and upgrading.

"Laptop costs are pretty high, but those costs can be justified, because you have the idea that productivity will rise with more laptops. But, what about printers, or smart thermostats?" Jun said. "How much are you going to spend to secure something where the incremental value is assumed to be low?"

According to Jun, one of the more overlooked embedded threats is VoIP conference phones and other devices with microphones, where the mic can be turned on to record sensitive information without notice.

But that's just the beginning, Jun added. The prevalence of the IoT will mean that enterprises will face security concerns related to a much wider variety of devices. This means that in addition to devices like USB sticks and printers, wearables and other cutting-edge devices may find their way onto corporate networks, often without built-in security controls.

Similarly, it also means new risks from devices like smart thermostats or refrigerators, where the responsibility for support can be blurry, according to Jun, because they may be owned by a building manager and not under the purview of the corporate IT department.

Secure design

Experts noted that only time will tell if new embedded devices will be better supported over the long term than past embedded systems have been, but the key to secure embedded devices is in securely designing them from the beginning.

"You have to design the hardware and firmware from the ground up to prevent access from malware or physical tampering," said Ken Jones, vice president of engineering and product management at IronKey, a division of Oakdale, Minn.-based Imation Inc. "It's extremely common that firmware can be updated in the field to fix bugs and security vulnerabilities, but once you have that process and don't think it through fully, you've opened a Pandora's box of problems."

According to Jones, secure design includes protection against physical tampering of the device, encryption and firmware digital signatures.

Many older embedded systems require updates be performed in the field, said Jones, so enterprises should prefer systems that use digitally signed firmware that is not only checked prior to installation, but also before it runs for the first time. This can be difficult though, Jones noted, so organizations may need to crack down on embedded device policy.
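The two checks Jones describes, sketched as an added example (not code from the article or from any vendor): an image is verified before it is written and again before it runs. The `Device` type, its fields, the `scenario` helper and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Device is a hypothetical embedded device holding a vendor public key
// provisioned at manufacture, the stored image and its detached signature.
type Device struct {
	vendorKey ed25519.PublicKey
	flash     []byte
	flashSig  []byte
}

var ErrBadSignature = errors.New("firmware signature invalid")

// Install is check one: refuse to store an image the vendor key does not verify.
func (d *Device) Install(image, sig []byte) error {
	if !ed25519.Verify(d.vendorKey, image, sig) {
		return ErrBadSignature
	}
	d.flash = append([]byte(nil), image...)
	d.flashSig = append([]byte(nil), sig...)
	return nil
}

// Boot is check two: re-verify what is actually in storage before running it,
// which catches changes made after a legitimate install.
func (d *Device) Boot() error {
	if !ed25519.Verify(d.vendorKey, d.flash, d.flashSig) {
		return ErrBadSignature
	}
	return nil // control would pass to the verified image here
}

// scenario runs a constructed update sequence and returns each step's result.
func scenario() (unsigned, install, boot, changedBoot error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	image := []byte("constructed firmware v2 image")
	dev := &Device{vendorKey: pub}
	unsigned = dev.Install([]byte("unsigned image"), make([]byte, ed25519.SignatureSize))
	install = dev.Install(image, ed25519.Sign(priv, image))
	boot = dev.Boot()
	dev.flash[0] ^= 0xFF // simulate the stored image changing after install
	changedBoot = dev.Boot()
	return
}

func main() { fmt.Println(scenario()) }
```

An install-time check alone would have accepted the last step, because the image was valid when it was written; only the pre-run check sees that the stored bytes no longer match the signature.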

"From an enterprise perspective, it is all about what you allow to connect to your network, using endpoint protection that can block everything except whitelisted products," Jones said. "It behooves companies to be very restrictive about what can be connected. I think we'll see a lockdown on what will be allowed on the network."

Alexander Damisch, senior director of IoT Solutions at Alameda, Calif.-based Wind River Systems Inc., agreed with this assessment. Damisch recommended that enterprises securely design their infrastructure, which would include requiring devices be authenticated before sending or receiving data on the corporate network; because it can be difficult to detect malware in embedded firmware, monitoring traffic is key.

"This would mean that IT takes over personal devices to an extent, which people don't like," said Damisch, "but the other option is that they simply don't get access. The key is that it isn't personal blocking, the system is designed that way," which Damisch said could help employees accept the practice more easily.

Damisch also advocated isolating vulnerable embedded systems behind gateways or on a virtual system, which he said is often a more cost-effective option, and allows for updating gateway rules to stop new threats where embedded systems may falter, because they aren't designed to be updated that often.

"Redesigning is difficult, so you find the weak point and either put it on the virtual system, or put gateways in front so all traffic is monitored and encrypted," Damisch said. "Security is something that starts with the development process."
