Four Tips for Securing Embedded Systems

August 26, 2021

Blog

More people worldwide are using devices with embedded systems, especially as Internet of Things (IoT) products become increasingly popular for consumer and industrial use. However, news of major security issues could make potential customers less willing to purchase those gadgets.

Designers, developers, and others who work with embedded systems must prioritize security from the start. Here are four actionable suggestions.

1. Assess the System’s Vulnerabilities and Overall Risk

A good starting point is to identify all the components or features that could make it easier for hackers to compromise an embedded system. Doing that could mean answering a series of relevant questions, such as:

• How does the system function? A system that only sends data to the cloud for processing is likely less at risk than one a person can control remotely.
• How secure is the surrounding environment? Where a person uses a device with an embedded system could also uncover risks. For example, some people have smart home devices on insecure Wi-Fi networks, meaning cybercriminals could more easily orchestrate attacks.
• What could hackers do after gaining access? This consideration allows assessing the risks associated with an unaddressed vulnerability. For example, could perpetrators change how an embedded system functions, steal associated data or, achieve another aim?

Relatedly, it's necessary to examine the parties potentially affected by an attack. Does a vulnerability only affect the company, or does it harm community members, suppliers and others? Questions like these spotlight the problems to fix before a product reaches the market. However, they also stimulate conversations about the identified issues

2. Consider Subjecting Embedded Systems to Penetration Tests

Penetration (pen) tests can also reveal the overall security of an embedded system or its associated network. These simulated cyberattacks show how swiftly a hacker could cause a compromise and what approaches they might take.

Cybersecurity experts recommend focusing on command and code injections and input validation when running a pen test on IoT devices. That examination alone is not enough to tackle embedded system security. After all, a hacker could gain access to another device linked to the IoT product in question and compromise it that way.

However, a pen test could show vulnerabilities developers previously missed. Plus, if a product with an embedded system passes, that achievement could become a selling point. Today’s business leaders are increasingly concerned with security requirements when overseeing IT transformation projects. They’re ready to work with high-tech projects, but not necessarily at the expense of making a cyberattack more likely to happen.

3. Use Rules-Based Filtering

People commonly use rules-based filtering with services like Gmail to ensure messages from certain senders reach the inbox rather than the spam folder. Similar parameters can also bolster embedded systems’ security.

For example, an IoT device could have a firewall policy with five to 20 rules that dictate how it handles certain requests. In a connected printer, one rule could say the product will only process administrative commands from another device on the list. However, the printer might never accept commands with embedded firmware updates, ensuring that malicious actors cannot affect the machine’s behavior.

Companies like Intel, Green Hills, and Wind River are already building such capabilities into the hardware and software components comprising many IoT devices, including processors and operating systems. That shows notable forethought on a matter that could become more widely discussed as people keep insisting on embedded systems with baked-in security.

4. Choose a Secure Coding Language Subset

Research indicates that when people use the C or C+ coding languages during development, 80% of software defects arise from almost 20% of instances where people misuse the language. An alternative is to select coding language subsets that are more secure because they don’t allow potentially risky constructs.

MISRA C is a common example. Using it typically makes the resulting code more secure because it has stricter rules.

Besides enhancing the code’s quality, MISRA C or a similar subset can speed the time to deployment because developers don’t need to retroactively apply code rules. Instead, they can reference the MISRA C coding standards throughout development.

Plus, since a coding error could make an embedded system more likely to have a bug after release, prioritizing security at this early stage is a quality control measure. It’s not feasible to catch all issues, but a secure coding language subset could substantially reduce them.

Treat Security With an Ongoing Concern

As embedded systems become more present in society, hackers will likely continue to target them and look for weaknesses. However, when professionals take security seriously from the beginning, problems are less likely to occur during or after development.