With the Internet of Things, we are seeing more and more devices that were traditionally “deep embedded” and isolated from the outside world becoming connected devices. Security needs to be designed into connected products from the outset as the risk of outside attacks is very real. This is especially true if you’re migrating from embedded RTOS systems to Linux and encountering a smorgasbord of “free” connectivity functionality for the first time.
Here we list 10 top tips to help make your connected device as secure as possible. Remember, in many cases, it may not be a question of ‘if’ but ‘when’ an attack occurs.
1. Keep your subsystems separate.
The Jeep Cherokee was chosen as a target for hacking by Charlie Miller and Chris Valasek following an assessment of the vulnerabilities of 24 models of vehicle to see if the internet-connected devices used primarily for communication and entertainment were properly isolated from the driving systems .
Most car driving systems are controlled using a CAN bus. You could access them via a diagnostic port – this is what happens when they are serviced in a garage. You would have to have physical access to the vehicle to do this. But if you are connecting to the comms/entertainment systems via the internet, and they’re connected to the driving systems, you could potentially access the driving systems from the internet.
With the explosion of devices being connected, consideration needs to be made to the criticality of functions and how to prevent remote access to a car’s brakes, steering, accelerator, power train and engine management controls. While it might be permissible to grant remote read access for instruments (e.g. mileage and fuel consumption), any control systems should only be accessible by the driver at the controls. And with things like heart monitors starting to become connected devices, the criticality of separation is likely to increase.
2. Secure Your Boot Code
One of the most effective ways of hijacking a system is via the boot code. Some of the earliest computer viruses, e.g. the Elk Cloner for Apple II , Brain and Stoned viruses for PCs, infected the boot sectors of removable media. Later viruses corrupted the operating system or even loaded their own. The same possibilities exist with computers and embedded devices today if the bootloader is well known, e.g, grub, u-boot or redboot.
Most devices designed with security in mind have a secure bootloader and a chain of trust. The bootloader will boot from a secure part of the processor and will have a digital signature, so that only a trusted version of it will run. The bootloader will then boot a signed main runtime image.
In many cases the bootloader will boot a signed second stage bootloader, which will only boot a signed main runtime. That way, the keys or encryption algorithms in the main runtime can be changed by changing the second stage bootloader.
3. Use Serialisation and Control Your Upgrade Path
When it comes to upgrading images in the field (to support new features, or to fix bugs or security flaws), this can be done using serialisation to target specific units in the field at particular times to reduce the risk of large numbers of units failing simultaneously after an upgrade.
Each runtime image should be signed with a version number so that only higher number versions can run. Upgrades can be controlled by a combination of different keys held in the unit’s FLASH.
4. Design for Disaster Recovery
Your box no longer boots in the field because the runtime image has become corrupted. What then? Truck rolls or recalls are very expensive and they deprive the user of their product. There are alternatives:
(i) Keep a copy of the runtime for disaster recovery. This can be stored in onboard FLASH as a mirror of the runtime itself, or in a recovery medium, e.g. a USB stick, which is favoured these days by PC manufacturers.
(ii) Alternatively, the bootloader can automatically try for an over-the-air download – this is often favoured with things like set top boxes where the connection is assumed good (it wouldn’t be much of a set top box if it couldn’t tune or access the internet). This saves on FLASH but deprives the user of their product while the new runtime image is being downloaded.
5. Switch off debug code
Don’t give out any information that might be of use to the outside world. The Jeep Cherokee hack was made possible by an IP address being passed back to the user. It’s hard to see what use this would be to a typical non-tech user.
6. Harden the Kernel
The Linux Kernel contains thousands of options, including various ports, shells and communication protocols. It almost goes without saying that any production build needs everything switched off except the features you need. But implementing this isn’t always so straightforward due to the inter-dependencies of some kernel features. Don’t use bash unless it’s unavoidable, use ash instead. The disclosure of the Shellshock, a 25-year-old vulnerability , in September 2014, triggered a tidal wave of hacks, mainly distributed denial of service attacks and vulnerability scanning.
Disable telnet. Disable SSH unless you have an essential usage requirement. Disable HTTP. If there is any way a user might form a connection with the box, especially using a method well-used on other boxes, that’s a door into the box that needs locking.
With the growing capabilities and connected nature of embedded RTOS systems approaching that of embedded Linux in Machine to Machine communications and the Internet of Things, similar “hardening” processes need to be followed.
7. Use a Trusted Execution Environment
Most of the main processors used in connected devices (smart phones, tablets, smart TVs, set top boxes) now contain a secure area known as a Trusted Execution Environment (TEE).
A TEE provides isolated execution environment where confidential assets (e.g. video content, banking information) can be accessed in isolation. Four popular uses are: (i) premium content protection, especially 4k UHD content (ii) mobile financial services (iii) authentication (facial recognition, fingerprints and voice) (iv) secure handling of commercially sensitive or government-classified information on devices.
TEEs have two security levels: Profile 1 is intended to prevent software attacks. Profile 2 is intended to prevent hardware and software attacks.
8. Use a Container Architecture
If you are designing a system with a processor that doesn’t use a TEE, you can still design a reasonably safe solution using a container architecture to isolate your key processes.
Linux Containers have been around since August 2008 and rely on Kernel cgroups functionality that first appeared in Kernel version 2.6.24. LXC 1.0, which appeared in February 2014, is considerably more secure than earlier implementations, allowing regular users to run “unprivileged containers”.
Alternatives to LXC are virtualization technologies such as OpenVZ and Linux-Vserver. Other operating systems contain similar technologies such as FreeBSD jails, Solaris Containers, AIX Workload Partitions. Apple’s iOS also uses containers.
9. Lock your JTAG port
Quihoo360 Unicorn Team’s hack of Zigbee  was made possible by dumping the contents of the FLASH from the board of the IoT gateway. This enabled them to identify the keys used on the network. The fact that the keys themselves were stored in a format that enabled them to be decoded made the hack easier.
If your JTAG port is unlocked, and hackers have access to the development tools used for the target processor, then they could potentially overwrite any insecure boot code with their own, allowing them to take control of the system and its upgrades.
10. Encrypt Communications Channels and any Key Data
If all the above steps are taken, a device can still be vulnerable to a man-in-the middle attack if the payload is sent unencrypted.
If you have a phone, table, smart TV or set top box accessing video on demand (VOD), the user commands need to be encrypted, otherwise it is possible to get free access to the VOD server by spoofing the server to capture box commands, and then spoofing the box to capture the server responses. It might even be possible to hack the server to grant access to multiple devices in the field, or mount a denial of service attack.
GPS spoofing by Quihoo 360 was demonstrated at DEF CON 23, where signals were recorded and re-broadcast . It’s not the first time GPS spoofing has happened. Spoofing / MoM attacks on any user-connected system are commonplace.
Bonus Extra Tip: Get a Third Party to Break It
This is probably the most useful advice of all. As with software testing in general, engineers shouldn’t rely on marking their own homework: the same blind spots missed in a design will be missed in testing. Engineers designing systems won’t have the same mentality as those trying to hack them. An extra pair of eyes going over the system trying to break it will expose vulnerabilities you never thought existed.
Security is a vast subject and we’ve only scratched the surface in this blog. Feabhas offer a course EL-402 in Secure Linux Programming, for more information click here.
Fiat Chrysler Jeep Cherokee hack http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Elk Cloner http://www.theregister.co.uk/2012/12/14/first_virus_elk_cloner_creator_interviewed/
Zigbee hack Def Con 23
GPS Spoofing Def Con 23
- 2016 – The Year of the Hack - January 27, 2017
- An Introduction to Hypervisors - October 19, 2016
- Off to the Embedded Linux Conference Europe and Open IoT Summit, Berlin 11th-13th October 2016 - October 5, 2016
I provide expertise and training for Embedded Linux courses.
I have over 20 years of experience in the embedded sector, gained at companies such as Pace, Open TV and Sony Semiconductor Europe.
I've led work on numerous projects at all stages in the design cycle with comprehensive expertise in software engineering design, support and integration.
Pingback: Sticky Bits » Security and Connected Devices | Freedom Embedded