CHAPTER 13

Embedded Systems

In this chapter, you will

•  Explain the security implications of embedded systems

•  Explain the security implications of smart devices/IoT

•  Explain the security implications of SCADA systems

Embedded system is the name given to a computer that is included as an integral part of a larger system, typically hardwired in. From computer peripherals like printers, to household devices like smart TVs and thermostats, to the car you drive, embedded systems are everywhere. Embedded systems can be as simple as a microcontroller with fully integrated interfaces (a system on a chip) or as complex as the tens of interconnected embedded systems in a modern automobile. Embedded systems are designed with a single control purpose in mind and have virtually no additional functionality, but this does not mean that they are free of risk or security concerns. The vast majority of security exploits involve getting a device or system to do something it is capable of doing, and technically designed to do, even if the resulting functionality was never an intended use of the device or system.

The designers of embedded systems typically are focused on minimizing costs, with security seldom seriously considered as part of either the design or the implementation. Because most embedded systems operate as isolated systems, the risks have not been significant. However, as capabilities have increased, and these devices have become networked together, the risks have increased significantly. For example, smart printers have been hacked as a way into enterprises, and as a way to hide from defenders. And when next-generation automobiles begin to talk to each other, passing traffic and other information between them, and begin to have navigation and other inputs being beamed into systems, the risks will increase and security will become an issue. This has already been seen in the airline industry, where the separation of in-flight Wi-Fi, in-flight entertainment, and cockpit digital flight control networks has become a security issue.

EXAM TIP    Understand static environments, systems in which the hardware, OS, applications, and networks are configured for a specific function or purpose. These systems are designed to remain unaltered through their lifecycle, rarely requiring updates.

Certification Objective This chapter covers CompTIA Security+ exam objective 3.5, Explain the security implications of embedded systems.

SCADA/ICS

SCADA is an acronym for supervisory control and data acquisition, a system designed to control automated systems in cyber-physical environments. SCADA systems have their own smart components, each of which is an example of an embedded system. Together they form a SCADA system, which can control manufacturing plants, traffic lights, refineries, energy networks, water plants, building automation and environmental controls, and a host of other systems. A SCADA system is also known by names such as distributed control system (DCS) and industrial control system (ICS), the variations depending on the industry and the configuration. Where computers control a physical process directly, a SCADA system likely is involved.

Most SCADA systems involve multiple components networked together to achieve a set of functional objectives. These systems frequently include a human–machine interface (HMI), where an operator can exert a form of directive control over the operation of the system under control. SCADA systems historically have been isolated from other systems, but the isolation is decreasing as these systems are being connected across traditional networks to improve business functionality. Many older SCADA systems were air gapped from the corporate network; that is, they shared no direct network connections. This meant that data flows in and out were handled manually and took time to accomplish. Designers of modern systems removed this constraint by adding direct network connections between the SCADA networks and the enterprise IT network. These connections increase the attack surface and the risk to the system, and the more they resemble an IT networked system, the greater the need for security functions.

SCADA systems have been drawn into the security spotlight with the Stuxnet attack on Iranian nuclear facilities, initially reported in 2010. Stuxnet is malware designed to attack a specific SCADA system and cause failures resulting in plant equipment damage. This attack was complex and well designed, crippling nuclear fuel processing in Iran for a significant period of time. This attack raised awareness of the risks associated with SCADA systems, whether connected to the Internet or not (Stuxnet crossed an air gap to hit its target).

Smart Devices/IoT

Smart devices and devices that comprise the Internet of Things (IoT) have taken the world’s markets by storm. From key fobs that can track the location of things via GPS, to cameras that can provide surveillance, to connected household appliances, TVs, dishwashers, refrigerators, crock pots, washers, and dryers—anything with a microcontroller now seems to be connected to the Web so that it can be controlled remotely. Artificial intelligence (AI) has also entered into the mix, enabling even greater functionality, embodied in products such as Amazon Echo, Google Home, Microsoft Cortana, and Apple Siri. Computer-controlled light switches, LED light bulbs, thermostats, and baby monitors—the smart home is also becoming a reality, connecting everything to the Internet. You can carry a key fob that your front door recognizes, unlocking before you get to it. Of course, the security camera sees you first and alerts the system that someone is coming up the driveway. The only thing that can be said with confidence about this revolution is someone will figure out a how and a why to connect virtually anything to the network.

All of these devices have a couple of similarities. They all have a network interface, for their connectivity is their purpose as a smart device or a member of the Internet of Things club. On that network interface is some form of compute platform. With complete computer functionality now included on a system on a chip platform (covered in a later section), these tiny devices can have a complete working computer for a few dollars in cost. The use of a Linux-type kernel as the core engine makes programming easier, as the base of programmers is very large. These devices also can be mass produced and at relatively low cost. The scaling of the software development over literally millions of units makes costs scalable. Functionality is king, meaning that security or anything that might impact new expanded functionality has taken a back seat.

Wearable Technology

Wearable technologies include everything from biometric sensors measuring heart rate, to step counters measuring how far one walks, to smart watches that combine all these functions and more. By measuring biometric signals, such as pulse rate, and body movements, it is possible to measure fitness and even sleep. These wearable devices are built using very small computers that run a real-time operating system, usually built from a stripped-down Linux kernel. As with all information-containing devices, how does one protect the data? As wearables learn more and more of your personal data, they become a source of interest for hackers. Protecting the data is the security objective for these devices.

Home Automation

Home automation is one of the driving factors behind the IoT movement. From programmable smart thermostats to electrical control devices that replace wall switches to enable voice-operated lights, the home environment is awash with tech. Other home automation technologies include locks that are operated electronically, allowing you to lock or unlock them remotely from your smartphone; surveillance cameras connected to your smartphone that tell you when someone is at your door and allow you to talk to them without even being home; appliances that can be set up to run when energy costs are lower, or to automatically order more food when you take the last of an item from the pantry or refrigerator. No longer the props of a futuristic TV show, these technologies are available today and at fairly reasonable costs.

The tech behind the home automation technologies is the same tech behind a lot of recent advances: a small system on a chip, a complete computer system, with a real-time operating system designed to accomplish a limited set of functions; a network connection, usually wireless; some sensors to measure light, heat, or sound; and an application to integrate the functionality. The security challenge is that most of these devices literally have no security. Poor networking software led to a legion of baby monitors and other home devices being exploited to become a large botnet called Mirai, which attacked Krebs on Security (among others) with a DDoS rate that exceeded 600 Gbps in the fall of 2016.

HVAC

Building-automation systems, climate control systems, HVAC (heating, ventilation, and air conditioning) systems, are examples of systems that are managed by embedded systems. Although these systems used to be independent and stand-alone systems, the rise of hyperconnectivity has shown value in integrating them. Having a “smart building” that reduces building resources in accordance with the number and distribution of people inside increases efficiency and reduces costs. Interconnecting these systems and adding in Internet-based central control mechanisms does increase the risk profile from outside attacks. These outside attacks could result in HVAC malfunction or failure, rendering a major office building uninhabitable due to heat and safety.

SoC

System on a chip (SoC) refers to a complete computer system miniaturized on a single integrated circuit, designed to provide the full functionality of a computing platform on a single chip. This includes networking and graphics display. Some SoC solutions come with memory, while others have the memory separate. SoCs are very common in the mobile computing market (both phones and tablets) because of their low power consumption and efficient design. Some SoC brands have become household names because mobile phone companies have advertised their inclusion in a system, such as the Snapdragon processor in Android devices. Quad-core and eight-core SoC systems are already in place, and they even have advanced designs such as quad plus one, where the fifth processor is slower and designed for simple processes and uses extremely small amounts of power. So when the quad cores are not needed, there is not significant energy usage.

The programming of SoC systems can occur at several different levels. Dedicated OSs and applications can be written for them, such as the Android fork of Linux, which is specific to the mobile device marketplace. Because these devices represent computing platforms with billions of devices worldwide, they have become a significant force in the marketplace. The security implications of SoC-based systems are associated not with the specifics of SoC, but with the fact that they are ubiquitous in our technology-driven lives. Security issues are handled at the device level, not by the SoC itself.

RTOS

Real-time operating systems (RTOSs) are designed for systems where the processing must occur in real time and data cannot be queued or buffered for any significant length of time. RTOSs are not general-purpose machines, but are programmed for a specific purpose. They still have to deal with contention, and they have scheduling algorithms to deal with timing collisions, but in general an RTOS processes each input as it is received, or within a specific time slice defined as the response time. Examples of RTOS use range from something as common as an anti-lock braking computer in a car to something as complex as a robotic system used on an assembly line.

Most general-purpose computer operating systems are capable of multitasking by design. This includes Windows and Linux. Multitasking systems make poor real-time processors, primarily because of the overhead associated with separating tasks and processes. Windows and Linux may have interrupts, but these are the exception, not the rule, for the processor. RTOS-based software is written in a completely different fashion, designed to emphasize the thread in processing rather than handling multiple threads.

The security implications surrounding RTOS systems lie in their timing. Should an event do something that interferes with the system’s ability to respond within its time allotment, then the system itself can fail in its task. RTOS systems also tend to be so specific to a purpose that updates and patches are uncommon, as the manufacturer of the system does not provide that level of support. As items such as cars become more networked, these weaknesses are becoming apparent and one can expect this situation to change over time.
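To make the timing point concrete, the following is an added example in C, not code from the book: a small simulator of a fixed-priority preemptive scheduler, the usual RTOS model, that counts deadline misses. The task names, periods and execution times are constructed. The "overloaded" set is the "healthy" set after an event has inflated the input handler's worst-case execution time; the handler itself still meets its deadlines, but the lower-priority actuator task is pushed past its time allotment, which is exactly the failure the text describes. A watchdog or health monitor in a real system would act on the miss count.

```c
/* Added example, not from the book: simulate a fixed-priority
 * preemptive scheduler (the common RTOS model) and count deadline
 * misses. Task parameters below are constructed for illustration. */
#include <stdio.h>

#define MAX_TASKS 8

typedef struct {
    const char *name;
    unsigned period;   /* release interval in ticks; deadline == period */
    unsigned wcet;     /* worst-case execution time in ticks */
} task_t;

/* Total CPU demand. A set with utilization above 1.0 cannot meet every
 * deadline no matter how it is scheduled. */
double utilization(const task_t *tasks, int n)
{
    double u = 0.0;
    for (int i = 0; i < n; i++)
        u += (double)tasks[i].wcet / tasks[i].period;
    return u;
}

/* Run the task set for `ticks` ticks. Index order is priority order
 * (index 0 highest), as in rate-monotonic scheduling when periods are
 * listed shortest first. A miss is recorded when a job is still
 * unfinished at the moment its successor is released. */
unsigned deadline_misses(const task_t *tasks, int n, unsigned ticks)
{
    unsigned remaining[MAX_TASKS] = {0};
    unsigned misses = 0;

    if (n > MAX_TASKS) n = MAX_TASKS;
    for (int i = 0; i < n; i++)
        remaining[i] = tasks[i].wcet;        /* first jobs released at t=0 */

    for (unsigned t = 0; t < ticks; t++) {
        /* release new jobs; an unfinished predecessor is a miss */
        for (int i = 0; i < n; i++) {
            if (t > 0 && t % tasks[i].period == 0) {
                if (remaining[i] > 0) {
                    misses++;
                    printf("tick %u: task %s missed its deadline\n", t, tasks[i].name);
                }
                remaining[i] = tasks[i].wcet;
            }
        }
        /* preemptive: only the highest-priority ready task gets this tick */
        for (int i = 0; i < n; i++) {
            if (remaining[i] > 0) {
                remaining[i]--;
                break;
            }
        }
    }
    return misses;
}

/* Constructed task sets: `healthy` leaves slack; `overloaded` is the
 * same set after an event inflates the input handler's run time. */
const task_t healthy[2] = {
    { "input_handler", 4, 1 },
    { "actuator_ctrl", 6, 2 },
};
const task_t overloaded[2] = {
    { "input_handler", 4, 3 },   /* flooded with input: busy 3 of every 4 ticks */
    { "actuator_ctrl", 6, 2 },
};

int main(void)
{
    printf("healthy:    U=%.2f misses=%u\n",
           utilization(healthy, 2), deadline_misses(healthy, 2, 24));
    printf("overloaded: U=%.2f misses=%u\n",
           utilization(overloaded, 2), deadline_misses(overloaded, 2, 24));
    return 0;
}
```

Over 24 ticks the healthy set misses nothing, while the overloaded set (utilization above 1.0) misses the actuator deadline once in every 12-tick hyperperiod, so twice in the run. The utilization check is cheap enough to run at design time; the miss counter is what a runtime monitor would watch.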

Printers/MFDs

Printers and multifunction devices (MFDs), which combine a printer, scanner, and fax, have embedded compute power to act as a print server, manage the actual printing or scanning process, and allow complete network connectivity. These devices communicate in a bidirectional fashion, accepting print jobs and sending back job status, printer status, and other information to the computer. This has decoupled printing from the computer, making it a stand-alone entity. The system that runs all these functions was designed to provide maximum functionality for the device, and security is more of an afterthought than a design element. As such, these devices have been shown to be hackable and capable of passing malware from the printer to the computer. These attacks still exist primarily as a proof of concept as opposed to a real-world threat, which is fortunate, because the current generation of security software does not monitor printer activity to and from the computer very well.

Camera Systems

Digital camera systems have entered the computing world through a couple of different portals. First, there is the world of high-end digital cameras that have networking stacks, image processors, and even 4K video feeds. These are used in enterprises such as news organizations, which rely on getting the data live without extra processing delays. What is important to note is that most of these devices, although they are networked into other networks, have built-in VPNs that are always on, because the content is considered valuable enough to protect as a feature.

The next set of cameras reverses the quantity and quality characteristics. Where the high-end devices are fairly small in number, there is a growing segment of video surveillance cameras, including cameras for household surveillance, baby monitoring, and the like. Hundreds of millions of these devices are sold and they all have a sensor, a processor, a network stack, and so forth. These are part of the Internet of Things revolution, where millions of devices connect together either on purpose or by happenstance. It was a network of these devices, along with a default username and password, that led to the Mirai botnet that actually broke the Internet for a while in the fall of 2016. The true root cause was a failure to follow a networking RFC concerning source addressing, coupled with the default username and password and remote configuration that enabled the devices to be taken over. Two sets of failures, working together, created weeks’ worth of problems.

Special Purpose

As the name indicates, special-purpose systems are systems designed for special purposes. Three primary types of special-purpose systems targeted by CompTIA are the systems in medical devices, vehicles, and aircraft/UAV. Each of these categories has significant computer systems providing much of the functionality control for the device, and each of these systems has its own security issues.

Medical Devices

Medical devices are a very diverse group, from small implantable devices, such as pacemakers, to multi-ton MRI machines. In between is a wide range of devices, from those that measure vital signs to those that actually control vital functions. Each of these has several interesting characteristics, and they all have an interesting caveat—they can have a direct effect on a human’s life. This makes security of these devices also a safety function.

Medical devices, such as lab equipment and infusion pumps and other computer-controlled equipment, have been running on computer controls for years. The standard of choice has been an embedded Linux kernel that has been stripped of excess functionality and pressed into service in the embedded device. One of the problems with this approach is how to patch this kernel when vulnerabilities are found. Another, related problem is that as the base system gets updated to a newer version, the embedded system stays trapped on the old version. This requires regression testing for problems, and most manufacturers will not undertake such labor-intensive chores.

Medical devices are manufactured under strict regulatory guidelines that are designed for static systems that do not need patching, updating, or changes. Any change would force a requalification, a lengthy, time-consuming, and expensive process. As such, these devices tend to never be patched. With the advent of several high-profile vulnerabilities, including Heartbleed and Bash shell attacks, most manufacturers simply recommended that the devices be isolated and never connected to an outside network. In concept, this is fine, but in reality this can never happen, as all the networks in a hospital or medical center are connected.

A recent recall of nearly a half million pacemakers in 2017 for a software vulnerability that would allow a hacker to access and change the performance characteristics of the device is proof of the problem. The good news is that the devices can be updated without removing them, but it will take a doctor’s visit to have the new firmware installed.

Vehicles

A modern vehicle has not a single computer in it, but actually hundreds of them, all interconnected on a bus. The controller area network (CAN) bus is designed to allow multiple microcontrollers to communicate with each other without a central host computer. Before the CAN bus was invented, individual microcontrollers were used to control the engine, emissions, transmission, braking, heating, electrical, and other systems, and the wiring harnesses used to interconnect everything became unwieldy. Robert Bosch developed the CAN bus for cars, specifically to address the wiring harness issue, and when first deployed in 1986 at BMW, the weight reduction was over 100 pounds.

As of 2008, all new U.S. and European cars must use a CAN bus, per SAE regulations, a mandate engineers have willingly embraced as they continue to add more and more subsystems. The CAN bus has a reference protocol specification, but recent auto hacking discoveries have shown several interesting things. First, in defending allegations that some of its vehicles could suddenly accelerate without driver action, Toyota claimed that the only way to make a vehicle accelerate quickly is to step on the gas pedal, and that software alone won’t do it; that claim was proven to be false. Hackers have demonstrated almost complete control over all functions of their Prius using computers and CAN bus commands. Second, every automobile manufacturer has interpreted/ignored the reference protocol specification to varying degrees. Finally, as demonstrated by hackers at DEF CON, it is possible to disable cars in motion, over the Internet, as well as fool around with the entertainment console settings and other systems.

The bottom line is that, to function properly, newer vehicles rely on multiple computer systems, all operating semi-autonomously and with very little security. The U.S. Department of Transportation is pushing for vehicle-to-vehicle communication technology, so that vehicles can tell each other when traffic is changing ahead of them. Couple that with the advances in self-driving technology, and the importance of stronger security in the industry is clear. There is evidence that this is beginning, that security is improving, but the pace of improvement is slow when compared to typical computer innovation speeds.
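On the defensive side of the CAN bus discussion, the following is an added example in C, not code from the book or from any manufacturer: a bus monitor that audits a log of classic CAN frames against a per-identifier allowlist of expected payload length and nominal transmit period, and flags unknown identifiers, wrong lengths and frames arriving far faster than their nominal rate. Identifiers, lengths, periods and the sample frames are all constructed; as the text notes, real values differ from one manufacturer to the next, so the allowlist would have to be learned or documented per vehicle.

```c
/* Added example, not from the book: audit a CAN frame log against a
 * constructed per-identifier allowlist. Identifiers, lengths, periods
 * and the sample frames are illustrative only. */
#include <stdio.h>
#include <stdbool.h>

/* One classic CAN 2.0A frame: 11-bit identifier, data length code, payload. */
typedef struct {
    unsigned ts_ms;          /* receive timestamp in milliseconds */
    unsigned id;             /* 11-bit arbitration identifier */
    unsigned dlc;            /* data length code, 0..8 */
    unsigned char data[8];
} can_frame_t;

typedef struct {
    unsigned id;
    unsigned dlc;            /* the only payload length this ID should carry */
    unsigned period_ms;      /* nominal transmit period of this ID */
} can_policy_t;

typedef struct { unsigned unknown_id, bad_dlc, rate; } can_alerts_t;

#define MAX_POLICY 16

/* Constructed allowlist (hypothetical engine and brake status IDs). */
static const can_policy_t policy[] = {
    { 0x0C0, 8, 10 },
    { 0x1A0, 4, 50 },
};
#define N_POLICY ((int)(sizeof(policy) / sizeof(policy[0])))

static int find_policy(unsigned id)
{
    for (int i = 0; i < N_POLICY; i++)
        if (policy[i].id == id) return i;
    return -1;
}

/* Walk the log once, keeping the last timestamp seen per allowed ID. */
can_alerts_t audit_can_log(const can_frame_t *frames, int n)
{
    can_alerts_t a = {0, 0, 0};
    unsigned last_ts[MAX_POLICY] = {0};
    bool seen[MAX_POLICY] = {false};

    for (int i = 0; i < n; i++) {
        int p = find_policy(frames[i].id);
        if (p < 0) { a.unknown_id++; continue; }      /* ID not on the allowlist */
        if (frames[i].dlc != policy[p].dlc) a.bad_dlc++;
        if (seen[p]) {
            unsigned gap = frames[i].ts_ms - last_ts[p];
            /* less than half the nominal period since the last frame: rate anomaly */
            if (gap * 2 < policy[p].period_ms) a.rate++;
        }
        seen[p] = true;
        last_ts[p] = frames[i].ts_ms;
    }
    return a;
}

unsigned total_alerts(can_alerts_t a)
{
    return a.unknown_id + a.bad_dlc + a.rate;
}

/* Constructed sample traffic with one anomaly of each kind. */
const can_frame_t sample_frames[] = {
    {  0, 0x0C0, 8, {0x01, 0, 0, 0, 0, 0, 0, 0} },
    { 10, 0x0C0, 8, {0x02, 0, 0, 0, 0, 0, 0, 0} },
    { 12, 0x0C0, 8, {0xFF, 0, 0, 0, 0, 0, 0, 0} },   /* 2 ms after the last: rate anomaly */
    { 20, 0x0C0, 8, {0x03, 0, 0, 0, 0, 0, 0, 0} },
    { 25, 0x1A0, 4, {0x00, 0x10, 0, 0, 0, 0, 0, 0} },
    { 80, 0x1A0, 2, {0x00, 0x10, 0, 0, 0, 0, 0, 0} },/* wrong length for this ID */
    { 90, 0x7FF, 8, {0, 0, 0, 0, 0, 0, 0, 0} },      /* identifier not on the allowlist */
};
const int sample_frame_count = sizeof(sample_frames) / sizeof(sample_frames[0]);

int main(void)
{
    can_alerts_t a = audit_can_log(sample_frames, sample_frame_count);
    printf("unknown id: %u, bad dlc: %u, rate: %u, total: %u\n",
           a.unknown_id, a.bad_dlc, a.rate, total_alerts(a));
    return 0;
}
```

The rate check deliberately updates the last-seen timestamp even for the anomalous frame, so a burst of extra frames is reported once per frame rather than once per burst; a monitor that needs the opposite behaviour can skip the update on an alert. The three alert counters map directly to the three things the text says vary or go wrong on real buses: which identifiers exist, what they carry, and how often they are sent.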

Aircraft/UAV

Aircraft also have significant computer footprints inside, as most modern jets have what is called an “all-glass cockpit,” meaning the old individual gauges and switches have been replaced with a computer display that includes a touch screen. This enables greater functionality and is more reliable than the older systems. But as with vehicles, the connecting of all of this equipment onto buses that are then eventually connected to outside networks has led to a lot of security questions for the aviation industry. And, as is true of medical devices, patching the OS for aircraft systems is a difficult process because the industry is heavily regulated, with strict testing requirements. This makes for systems that, over time, will become vulnerable as the base OS has been thoroughly explored and every vulnerability mapped and exploited in non-aviation systems, and these use cases can port easily to aircraft.

Recent revelations have shown that the in-flight entertainment systems, on standard Linux distros, are separated from flight controls not by separate networks, but by a firewall. This has led hackers to sound the alarm over aviation computing safety.

Unmanned aerial vehicles (UAVs) represent the next frontier of flight. These machines range from the small drones that hobbyists can play with for under $300 to full-size aircraft that can fly across oceans. What makes these systems different from regular aircraft is that the pilot is on the ground, flying the device via remote control. UAVs have cameras, sensors, and processors to manage the information, and even the simple hobbyist versions have sophisticated autopilot functions. Because of the remote connection, UAVs are networked and operated either under direct radio control (rare) or via a networked system (much more common).

EXAM TIP    This chapter presented a cornucopia of different embedded systems. For the exam, remember three main elements: the technology components, SoC and RTOS; the connectivity component—Internet of Things; and the different marketplaces, home automation, wearables, medical devices, vehicles, and aviation. Read the question for clues as to what the specific question is being asked.

Chapter Review

In this chapter, you became acquainted with the security implications of embedded systems, which have become ubiquitous in our everyday lives. The chapter opened with a discussion of the SCADA/ICS space and how operational technology is its own world and one of significant size. The chapter then moved to the world of smart devices and the Internet of Things, including wearable technology and home automation. It then discussed HVAC systems. Examples of security implications are provided in each of these topics.

The chapter moved into system on a chip (SoC) solutions and real-time operating systems (RTOSs). It briefly examined printers and MFDs, as well as camera systems. The chapter closed with an examination of some special-purpose ecosystems, including medical devices, vehicles, and aircraft/UAVs. As these systems are in our lives almost every day, understanding them and the security implications associated with the nature of their system’s operation is important.

Questions

To help you prepare further for the exam, and to test your level of preparedness, answer the following questions and then check your answers against the correct answers at the end of the chapter.

1. Which of the following statements is not true?

A. Embedded systems are designed with a single control purpose in mind and typically have no additional functionality.

B. Embedded systems are free of risk or security concerns.

C. Embedded is the name given to a computer that is included as an integral part of a larger system.

D. Embedded systems can be as complex as the tens of interconnected embedded systems in a modern automobile.

2. Which of the following is true regarding risk of next-generation vehicles?

A. There are minimal risks when next-generation automobiles share information.

B. Passing traffic and other information between vehicles does not increase security risks.

C. The sharing of navigation and other inputs between vehicles presents a potential security issue.

D. Time-to-market and cost minimization have minimal impact on potential risks being exploited.

3. Which of the following is true about in-flight networks?

A. Wi-Fi, in-flight entertainment, and cockpit digital flight control networks are segregated.

B. The integration of Wi-Fi, in-flight entertainment, and cockpit digital flight control networks does not introduce potential security risks.

C. Wi-Fi and cockpit digital flight control networks can be integrated without increasing potential security risks.

D. Wi-Fi, in-flight entertainment, and cockpit digital flight control networks can present potential security risks.

4. Which of the following is true about static environments?

A. They are often designed to be fully integrated into a company’s network security strategy.

B. They are designed to remain unaltered through their lifecycle.

C. Because they perform a very specific function, they have no need for security updates.

D. They cannot be exploited because hackers can’t find them on a network.

5. Which of the following is true about building-automation systems, climate control systems, HVAC systems, elevator control systems, and alarm systems?

A. They are independent and stand-alone systems that offer little integration value.

B. Interconnecting these systems and adding Internet-based central control mechanisms doesn’t increase the risk profile from outside attacks.

C. These systems are being integrated to increase efficiency and reduce costs.

D. Integrating these systems into building management systems introduces minimal risk.

6. Which of the following properly defines supervisory control and data acquisition (SCADA)?

A. A scaled-down version of Linux designed for use in an embedded system

B. The standard used for communicating between intelligent car systems

C. The risk created by connecting control systems in buildings

D. A system designed to control automated systems in cyber-physical environments

7. Which of the following is true about SCADA systems?

A. SCADA systems continue to be air-gapped from other systems.

B. The ongoing integration of SCADA environments has reduced potential risks.

C. The introduction of human machine interfaces to manage SCADA systems has eliminated potential risks.

D. The historical isolation of SCADA systems from other systems is decreasing as SCADA systems are being connected across traditional networks to improve business functionality.

8. Which of the following is true about smart devices and the Internet of Things (IoT)?

A. The use of a Linux-type kernel as the core engine makes programming more complex.

B. Mass production introduces significant security risks.

C. The scaling of the software development over large numbers of units makes costs scalable, and functionality is paramount.

D. Security or anything that might impact new expanded functionality is considered early and gets the focus and resources necessary.

9. Which of the following is true about home automation devices?

A. They have been used in botnet exploitations with significant impacts.

B. They don’t impose significant potential risks as they are isolated on the home network.

C. Because home automation systems are exploding in use, they have been designed with security in mind from the very beginning.

D. Their network connection is usually wireless, which is not easily exploited.

10. Which of the following is true about HVAC and building automation systems?

A. They have not been exploited to any significant degree yet.

B. Interconnecting these systems and using Internet-based central control mechanisms increases the risk profile from outside attacks.

C. Having a “smart building” that reduces building resources in accordance with the number and distribution of people inside has not increased efficiency or reduced costs.

D. The rise of hyperconnectivity has introduced no additional security concerns.

11. Which of the following is not true about systems on a chip?

A. They provide the full functionality of a computing platform on a single chip.

B. They typically have low power consumption and efficient design.

C. Programming of SoC systems can occur at several different levels and thus potential risks are easily mitigated.

D. Because these devices represent computing platforms with billions of devices worldwide, they have become a significant force in the marketplace.

12. What distinguishes real-time operating systems (RTOSs) from general-purpose operating systems?

A. Unlike RTOSs, most general-purpose operating systems handle interrupts within defined time constraints.

B. Unlike general-purpose OSs, most RTOSs are capable of multitasking by design.

C. Unlike RTOSs, most general-purpose operating systems are multitasking by design.

D. Unlike general-purpose OSs, RTOSs are designed to handle multiple threads.

13. Which of the following is true about printers and multifunction devices?

A. They rely on the computer to manage the printing and scanning processes.

B. Because of their long history and widespread use, security is designed into these products.

C. These devices communicate in a bidirectional fashion, accepting print jobs and sending back job status, printer status, and so forth.

D. So far, they have not been shown to be hackable or capable of passing malware from the printer to the computer.

14. Which of the following is a very important aspect to always remember when dealing with security of medical devices?

A. They are still relatively new in their usage.

B. They can directly affect human life.

C. Security is not related to safety.

D. They are almost exclusively stand-alone devices, without Internet connectivity.

15. Which of the following poses a significant potential risk of unmanned aerial vehicles?

A. They have sophisticated autopilot functions.

B. They have cameras, sensors, and payloads.

C. Low prices for some models.

D. Because they are pilotless, their remote-control systems may be networked and vulnerable to potential risks.

Answers

1. B. Embedded systems are not free of risk or security concerns, as hackers have demonstrated.

2. C. The sharing of navigation and other inputs presents a potential security issue for next-generation vehicles. False information when shared can cause problems.

3. D. Wi-Fi, in-flight entertainment, and cockpit digital flight control networks can present potential security risks.

4. B. Static environments are designed to remain unaltered through their lifecycle.

5. C. Building-automation systems, climate control systems, HVAC systems, elevator control systems, and alarm systems are being integrated to increase efficiency and reduce costs.

6. D. SCADA is a system designed to control automated systems in cyber-physical environments.

7. D. Historical isolation of SCADA systems is decreasing as these systems are being connected across traditional networks to improve business functionality.

8. C. The scaling of the software development over large numbers of units makes costs scalable, and functionality is paramount in smart devices and IoT.

9. A. Home automation devices have been used in botnet exploitations with significant impacts.

10. B. Interconnecting HVAC and building automation systems and using Internet-based central control mechanisms to manage them increases the risk profile from outside attacks.

11. C. Programming of SoC systems can occur at several different levels and thus potential risks are difficult to mitigate.

12. C. One thing that distinguishes real-time operating systems (RTOSs) from general-purpose operating systems is that most general-purpose operating systems are designed for multitasking.

13. C. Printers and multifunction devices communicate in a bidirectional fashion, accepting print jobs and sending back job status, printer status, and so forth.

14. B. A very important aspect to always remember when dealing with security of medical devices is that they can directly affect human life.

15. D. A significant potential risk of unmanned aerial vehicles is that, because they are pilotless, their remote-control systems may be networked and thus vulnerable to potential risks.