Identifying the security issues in connected devices, and how to address them

The Internet is evolving. With every device that comes online its reach increases, and as those devices — or ’things’ — become more interconnected the Internet expands in not only reach but capability. This is really what the Internet of Things is all about.

With over 25 years of experience, the Internet’s backbone, the IT industry, is well practiced in identifying security risks and implementing effective protection. The same isn’t true of the IoT. Potential and actual security problems related to the IoT are increasing; identifying them isn’t the problem. Effective protection against security threats is, and compounding that problem is the fact that many (if not the majority) of OEMs developing connected products won’t have decades of IT-based security experience to draw from.

Indeed, even the IT industry would find it difficult to implement existing protection in IoT nodes, most of which will be highly embedded and possibly resource-limited devices that may bear little or no resemblance to devices found within an IT infrastructure. Could a connected car be equipped with the same level of protection as a cloud-based server?

Some believe that the sheer volume of connected devices expected to be deployed over the next five years will provide a level of protection against attack — there will simply be too many to target. But, given that many of the ‘things’ in question will be manufactured in very high numbers, and that the wireless footprint of a Wi-Fi connected lightbulb looks exactly the same as, say, a Wi-Fi connected server, then it’s clear that OEMs can’t really afford to be complacent about security.

Of course, the risk is still related to the potential value to the criminal element. In the case of a connected car the potential gain is obvious, but given that even a connected lightbulb could provide access to a home network or cloud services that may hold sensitive personal or financial information, is there really an acceptable level of risk in the IoT?


Part 1 — Protecting the Communications

In this section:
•    The challenge for embedded devices
•    The Man in the Middle
•    Common protocols and how to secure them

The challenge for embedded devices
Although the IT industry has over two decades of experience in combating malicious and unintended attacks on the Internet’s infrastructure, peripherals and access points, the IoT represents a much greater challenge. At the enterprise level, where a person is normally present, the use of black/white lists, two-factor authentication (2FA) or password protection is commonplace. In the IoT, where many of the devices will be small and probably headless, these security techniques are hard to implement.

The use of multiple levels of protection is common within the IT world; firewalls, authentication, encryption, intrusion detection and security protocols are all used at the enterprise level to provide protection. The important point here is that these techniques work together; no single technology is relied upon to provide all of the protection. In embedded devices, firewalls are conspicuous by their absence, removing a first line of defence.

In addition, the fact that IoT nodes may have multiple points of access, both wired (such as USB, Ethernet, CAN, or even simple serial ports such as I2C/SPI) and wireless (Bluetooth, ZigBee, WiFi, NFC) further increases the potential for malicious attack. In effect, IoT nodes are, by design, open to access. They exist to gather, transmit and receive data.

The Man in the Middle
Many IoT devices will employ wireless connectivity using one or several of the (now many) Wireless Personal- and Local-Area Network (WPAN/WLAN) technologies, including WiFi, Bluetooth, ZigBee and Thread. Perhaps the most prevalent of these is WiFi, which supports restricted access in the form of password protection. Nevertheless, there seems to be no lack of cases where inadequate password protection has led to compromised network access. This would be bad enough if the WiFi network was simply used for internet access in a home, but today more and more high-value items — including connected cars — are part of that network.

Hacking into devices on an unsecured WiFi network can be achieved using the so-called Man in the Middle attack. Once access to a network is achieved, a WiFi sniffer can be used to analyse the network traffic to identify patterns. This could be a regular exchange with an IoT node that is either passing data or asking for updates, for example. These types of exchanges are all too frequently carried out using neither encryption nor authentication. As such, it is relatively simple to hijack the data stream and replace it with instructions that, for example, initiate an over-the-air firmware update to the device, thereby allowing hackers to embed their own code and hence compromise the security of the entire network.

Common protocols and how to secure them
While WiFi may be common at a WLAN level, the most widely deployed WPAN technology must be Bluetooth. Because of its frequency hopping nature, many OEMs may believe it is inherently secure; however, it has been shown that it is possible to determine the hopping sequence using low cost hardware and open source software.

The Bluetooth protocol does support authentication and encryption, but it is still up to the developer(s) to implement it correctly. There are four security modes specified; devices operating in Mode 1 are considered to be non-secure, as this mode doesn’t implement any authentication or encryption. Security Mode 4 is an enforced security mode with encrypted key exchange. Under this scheme, a so-called ‘trusted device’ is a paired device with unrestricted access to all services, while ‘untrusted devices’ may require authorisation and/or authentication to access services.

Hackers have also successfully accessed ZigBee devices on home networks by using a network sniffer to capture the network key, which is transmitted in plain text when a new device joins the network. The organisations behind these WPAN standards are, of course, constantly developing new security measures, but given that many IoT devices are already in the field and are expected to be there for many years, the security issues that may already exist should not be ignored.

Whatever protocol is used, if access is password-protected, devices on the same network will still need access to that password; it needs to be shared in a secure way. Given that many connected devices will not have the facility for a comprehensive user interface, manually entering a password will be cumbersome at best and, more likely, cost-prohibitive to implement. The solution is to design-in encryption and decryption at the hardware level, using a private master key that can be hardwired into the device. This may involve including a secure, fused memory that once programmed cannot be changed. It could also be implemented using secure read-only memory like that found in a Trusted Platform Module (as standardised under ISO/IEC 11889).

Using a private master key allows encrypted data, such as a network password, to be stored in insecure and potentially removable Flash memory without the fear of it being decrypted, unless the master key is used. The process of creating a private master key should also be approached with security in mind; simple methods such as basing it on the Real-Time Clock (RTC) have already been exposed as easily hacked (there have been cases of connected cars being hacked over their WiFi access points, simply because the password was derived from the RTC, which could be reset through power cycling). Security experts will always advocate the use of a true random number generator (RNG) when generating a master key.

Part 2 — Protecting the Resources

In this section:
•    Vulnerabilities in embedded systems
•    Software Solutions
•    Secure Boot

Vulnerabilities in embedded systems
Securing an embedded device from remote attack over a wireless protocol requires careful design and an understanding of the security features embedded within the protocol. Protecting devices from local attacks using standard ports or buses may prove more difficult. Eavesdropping on a CAN bus, which is used extensively in vehicles but also in industrial applications, is relatively simple using low cost hardware. Other interfaces, such as USB, are increasingly common in embedded devices, both for debugging and in-field upgrades. Securing a USB interface has, in theory, become simpler since the introduction of the USB Type-C authentication specification, which defined cryptographic-based authentication for devices with USB Type-C ports.

However, most embedded devices will feature either a standard-based or proprietary interface, often used for test and configuration during production. If access can be gained to such an interface the system becomes compromised. In the case of CAN, it would be possible to intercept bus traffic and replace it with instructions to, for example, initiate a firmware upgrade from a USB port. Clearly, this has significant security implications.

Software Solutions
It is apparent that for any software-defined application such as an embedded or IoT device, gaining access in any way (wired or wireless) could lead to the instigation of a firmware update. As such, this could represent one of the most common forms of attack in connected devices, but software could also be the solution. Operating systems are increasingly common in embedded devices. There is a wide range of embedded (real-time) operating systems available to embedded developers, but thanks to the increased availability of high-performance 32-bit processors in small and low power formats, many devices are also now able to run Linux.

While not a real-time operating system in its native form, Linux is very popular. However, its popularity could also represent a threat to developers, as hackers are very familiar with its security shortcomings. To address this threat and provide a higher level of security for Linux-based systems, developers can now employ a security module known as Security-Enhanced Linux, or SELinux. This set of kernel modifications implements a ‘mandatory access control’ architecture, and can be used to limit the access of processes and background tasks in a system with the aim of containing any malicious code that enters the system through one of these processes.

For systems running an embedded (Linux or non Linux-based) operating system, another solution would be to employ a hypervisor. This is technology that effectively divides a hardware platform into multiple ‘virtual’ platforms, while maintaining strict separation between the host and guest systems. Note that virtualisation and hypervisor technology can now be installed on many microcontrollers (MCUs); the main requirement being the presence of a Memory Management Unit (MMU).

Secure Boot
A common form of attack involves changing the firmware and rebooting the system. Examples of this type of attack can be difficult to detect initially, such as reprogramming the CAN bus to transmit data rather than just receive it. Systems with multiple points of access in the form of hardware or wireless interfaces may be vulnerable to this kind of non-authorised firmware update in the field, but they can still employ effective security features which are now available as hardwired blocks in many embedded processors.

Embedded systems strive to minimise the number of components used and many microcontrollers (MCUs) now offer sufficient on-chip Flash memory to hold all of the application software. In such cases, the MCU vendor will likely include a method for protecting the contents of the Flash memory from tampering and the introduction of malware after the product is placed in the field. This is normally achieved by blowing security fuses, thereby preventing the Flash memory from being read or written by an outside agent. Systems that employ off-chip memory are, potentially, more vulnerable to attack; the solution in this scenario is to employ a method of Secure Boot. One such solution is NXP’s High Assurance Boot (HAB): a software library executed in internal ROM at boot time, which is able to authenticate the software stored in external memory using a digital signature that complies with a Command Sequence File.

Authentication is achieved using cryptography based on the Public Key Infrastructure (PKI) methodology, in which the file is signed offline with a private key, and verified by the processor using a public key. The HAB provided in the i.MX processors from NXP (formerly Freescale Semiconductor) uses a table of public Super Root Keys (SRKs) with corresponding hashes e-fused on the target device. If table verification is successful at boot time, a root of trust is established and the rest of the signature is processed to authenticate the firmware. The fact that hashes of the SRK are e-fused on the device avoids SRK replacement by a malicious SRK and thus always guarantees the root of trust: only the firmware signed with the appropriate private key can be booted on the device.
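The following is a model of the boot-time check just described, added here as an illustration; it is not the white paper's code nor NXP's HAB implementation. It uses Go's standard library, with Ed25519 standing in for the RSA Super Root Keys HAB actually uses and a SHA-256 over the key table standing in for the e-fused SRK hashes; the "image" layout and the function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SRKTable is the table of public Super Root Keys shipped with the firmware.
// Only a hash of it is burned into fuses; the table itself can sit in
// untrusted external flash. (Ed25519 stands in for RSA here.)
type SRKTable [][]byte

// Fuse returns the SHA-256 that would be e-fused at manufacture.
func (t SRKTable) Fuse() [32]byte {
	h := sha256.New()
	for _, k := range t {
		h.Write(k) // fixed-size keys, so plain concatenation is unambiguous
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Image is what lives in external memory: the firmware plus the CSF-like
// metadata (SRK table, index of the signing key, and the signature).
type Image struct {
	Firmware []byte
	SRKs     SRKTable
	KeyIndex int
	Sig      []byte
}

// Sign is the offline step: the private key never leaves the OEM's signing host.
func Sign(fw []byte, srks SRKTable, idx int, priv ed25519.PrivateKey) Image {
	return Image{Firmware: fw, SRKs: srks, KeyIndex: idx, Sig: ed25519.Sign(priv, fw)}
}

// BootVerify is the ROM-resident logic. Step 1 compares the hash of the
// supplied SRK table with the fuse value, which is what defeats an image that
// ships with a substitute key table. Step 2 verifies the firmware signature
// with the selected SRK. Only on success does the root of trust extend to
// the firmware.
func BootVerify(fuse [32]byte, img Image) error {
	h := img.SRKs.Fuse()
	if !bytes.Equal(h[:], fuse[:]) {
		return errors.New("SRK table hash does not match fuses")
	}
	if img.KeyIndex < 0 || img.KeyIndex >= len(img.SRKs) {
		return errors.New("SRK index out of range")
	}
	pub := ed25519.PublicKey(img.SRKs[img.KeyIndex])
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, img.Firmware, img.Sig) {
		return errors.New("firmware signature invalid")
	}
	return nil
}

func main() {
	// Factory provisioning: generate SRKs, fuse the table hash into the part.
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	pub2, _, _ := ed25519.GenerateKey(rand.Reader)
	srks := SRKTable{pub1, pub2}
	fuse := srks.Fuse()

	fw := []byte("constructed firmware image v1") // constructed sample image
	good := Sign(fw, srks, 0, priv1)
	fmt.Println("genuine image:   ", BootVerify(fuse, good))

	// An image carrying its own SRK table fails at step 1, whatever it is signed with.
	apub, apriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("foreign SRK table:", BootVerify(fuse, Sign(fw, SRKTable{apub}, 0, apriv)))

	// A bit flip in external flash fails at step 2.
	tampered := good
	tampered.Firmware = append([]byte("X"), fw[1:]...)
	fmt.Println("tampered image:  ", BootVerify(fuse, tampered))
}
```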


Part 3 — Protecting the System

In this section:
•    Intrusion Detection Systems in the IoT
•    Authentication & Encryption
•    Hardware Helpers

Intrusion Detection Systems in the IoT
An Intrusion Detection System (IDS) in the IT world works by monitoring, validating and checking activity in a system or on a network. It effectively assumes that all other security measures can be bypassed or defeated, and that any activity could therefore be malicious or unauthorised.

The implementation of an IDS is essentially platform-specific and should be appropriate for the level of assessed risk. There is a lot more diversification in connected devices than in the IT domain, and an IoT device will most likely be much more resource-limited than, say, a server. As a result, employing IDS techniques in the IoT isn’t as simple as buying or licensing a solution from a provider; each device will have to be assessed and have IDS designed in at its core. This may include countermeasures, such as erasing all or large parts of stored data if an intrusion is detected, or implementing some way of shutting down/closing off accessible ports, including wired buses such as CAN or USB, and wireless interfaces.

The Open Web Application Security Project (OWASP) IoT Project has identified a number of IoT Attack Surface Areas, including device memory, device physical interfaces, device firmware and authentication (for more information, see the OWASP IoT Project). The vulnerabilities identified include missing or poorly implemented encryption, and lack of two-factor authentication.

Authentication & Encryption
As the majority of IoT devices will be intended to be sold in large volumes, possibly from multiple retailers, this creates a scenario in which one design may be present in many hundreds or thousands of networks. Reverse-engineering that design would allow attackers to use a single hack to access many networks. IoT devices will take many forms, consumer items being high on the list. Acquiring an IoT device for reverse-engineering will not be difficult, and once achieved the hack may even be distributed freely around the internet. Protecting against this kind of wide-scale attack is potentially best achieved through the use of authentication and encryption. Authentication will require a root of trust to be established between two parts of a system (for example the host MCU and removable storage, or even a sensor) before data are exchanged, for example by using secure boot mechanisms as previously discussed. Encryption will ensure that data are not readable to any unauthorised devices on the network. Unlike many forms of IDS, both authentication and encryption are readily implementable in embedded systems, even resource-constrained devices.

Hardware Helpers
Many manufacturers now integrate hardware-based functions to support security, in the form of authentication and encryption. Perhaps first among these is ARM’s TrustZone technology, which isolates execution of critical code from possible malware and provides a hardware firewall between the CPU (and DMA masters) and the other peripherals, including memory.

With the ARMv8-M architecture, ARM has extended its TrustZone technology to MCUs based on its Cortex-M cores. It effectively divides an application into ‘trusted’ and ‘non-trusted’ worlds. Each world contains software, hardware and data, and the Secure Attribution Unit (SAU) ensures the two remain isolated. Unlike the TrustZone used in ARM’s application-class processors, the transition between trusted and non-trusted worlds in a Cortex-M MCU is hardware-based, allowing the device to retain its real-time attributes.

At a system level, TrustZone combined with secure boot and a trusted operating system make up what ARM refers to as a Trusted Execution Environment (TEE). When implemented by ARM’s licensees, the TEE is normally accessed using APIs. In addition to this, many ARM licensees developing embedded silicon have implemented their own hardware security helper blocks. For example, Texas Instruments has developed a hardware-based solution, which it calls the Security Accelerator (SA): a hardware engine that provides encryption/decryption and authentication on packet-based protocols. SA also provides hardware for generating public keys and random numbers. NXP (formerly Freescale Semiconductor) has a similar but not compatible technology called CAAM (Cryptographic Acceleration and Assurance Module), which provides the same kind of functionality.

The CAAM supports the encryption of any kind of secrets using a unique per-device secret key, which can be e-fused into a device. Once fused, the device’s secret key cannot be read back by software. Any sensitive information can then be encrypted and authenticated using this key, into an opaque structure called a ‘Blob’; the information can then be stored safely in any non-secure memory or media (DDR, filesystem, flash). Only the SoC that encrypted the data is able to decrypt the Blob and retrieve the corresponding secrets. This is particularly useful to protect encrypted communications initiated by two-factor authentication, as described in Part 1 of this document.
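The following models the Blob behaviour just described and equally the Part 1 point about keeping a network password in unsecured Flash under a hardware-held master key. It is an example added here, not the white paper's code nor NXP's CAAM API: AES-256-GCM from Go's standard library stands in for the crypto engine, the fused master key is modelled as a struct field that the rest of the code never reads out, and the `Device`, `Seal` and `Unseal` names and the sample passphrase are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device stands in for an SoC whose master key sits in e-fuses: the crypto
// engine can use the key, but firmware can never read it back out.
type Device struct {
	masterKey []byte // 256-bit key, burned once at provisioning
}

// NewDevice provisions a device with a master key drawn from a cryptographically
// secure RNG, never from a clock, counter or serial number.
func NewDevice() (*Device, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Device{masterKey: key}, nil
}

func (d *Device) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(d.masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal wraps a secret into an opaque blob laid out as nonce || ciphertext || tag.
// The label is bound as associated data, so a blob made for one slot (say
// "wifi-psk") cannot be replayed into another. The result may be kept in any
// non-secure memory: external flash, a filesystem, DDR.
func (d *Device) Seal(label string, secret []byte) ([]byte, error) {
	aead, err := d.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, secret, []byte(label)), nil
}

// Unseal recovers the secret. It fails for a different device (different
// master key), a wrong label, or a single flipped bit anywhere in the blob,
// because GCM authenticates before it releases any plaintext.
func (d *Device) Unseal(label string, blob []byte) ([]byte, error) {
	aead, err := d.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(label))
	if err != nil {
		return nil, errors.New("blob authentication failed")
	}
	return pt, nil
}

func main() {
	dev, _ := NewDevice()
	other, _ := NewDevice()
	// Constructed sample secret: a Wi-Fi passphrase handed over at commissioning.
	blob, _ := dev.Seal("wifi-psk", []byte("constructed-sample-passphrase"))
	psk, err := dev.Unseal("wifi-psk", blob)
	fmt.Printf("same device:  %q err=%v\n", psk, err)
	_, err = other.Unseal("wifi-psk", blob)
	fmt.Printf("other device: err=%v\n", err)
	blob[len(blob)-1] ^= 0x01 // a bit flip in flash, or deliberate tampering
	_, err = dev.Unseal("wifi-psk", blob)
	fmt.Printf("tampered:     err=%v\n", err)
}
```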

These hardware features can be used to deliver high levels of security in resource-limited embedded designs. As such they can be effective when employing countermeasures to many of the security threats identified in this white paper, while consuming minimal core processing cycles.

With billions of new devices coming online within the next decade, the Internet of Things massively increases the attack surface of our networks. Existing security solutions forged in the IT domain will not necessarily or easily provide the level of security needed for all connected devices. And as more devices become connected, the potential for introducing a device that doesn’t offer adequate security protection becomes an inevitability.

Reports about high-value items being hacked are becoming more frequent, while the reality is that for every report of a hacked car, a thousand smart sensors could have also been quietly compromised. There is a threat that the issue of security could negatively influence the growth of the IoT, with very real economic and even ecological implications.

The IoT isn’t just a trend, it is the direction in which society needs to move in order to secure the future of food and energy production. Mass transport, medical care and education will all rely on connected devices in the near future. Adding security to the devices that form the IoT is not an option. Fortunately, experts in embedded development like Adeneo Embedded are well placed to ensure your next project includes the kind of security needed to succeed in the IoT.

