embedded systems security - berkes
Embedded Systems Security
Jem Berkes
ECE, University of Manitoba

Basics
• Embedded/IoT are feature-rich computers
• Sit in the physical world
• Attacks are very likely
  – Automated worms & viruses
  – Curious or malicious people

Example: Incident in 2016
• Thousands of security cameras compromised
• Taken over by “Mirai” botnet software

What an engineer sees

Internet
There’s more around you!

Types of Attacks

Eavesdropping
• Someone intercepts or “sniffs” data packets
• Can expose or steal sensitive data
Solution:
Encrypt your traffic, use SSL/TLS.
Potential complication with Certificate Authorities (CAs)

Denial of Service (DoS)
• Someone floods your devices with requests
• Tries to slow down or disable the service
Solution:
Implement rate limiting, or auto-ban malfunctioning clients
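
Added example (not part of the original slides): one way to apply the rate-limit and auto-ban idea to a request log, using a sliding window per client. The log format, the limit values and the addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: sliding-window rate check with auto-ban.
# Log format "<epoch-seconds> <client-ip>" and all values are constructed.

# ban_list LIMIT WINDOW < log
# Prints "<client> <time>" once for each client that makes more than LIMIT
# requests within WINDOW seconds; later requests from it are ignored (banned).
ban_list() {
    awk -v limit="$1" -v window="$2" '
    {
        t = $1 + 0; ip = $2
        if (ip in banned) next
        n = ++count[ip]; ts[ip, n] = t
        # drop requests that have aged out of the window
        while (ts[ip, first[ip] + 1] <= t - window) first[ip]++
        if (n - first[ip] > limit) { banned[ip] = t; print ip, t }
    }'
}

sample_log() {   # constructed: .10 polls every 5 s, .20 floods
    cat <<'EOF'
100 192.0.2.10
101 192.0.2.20
101 192.0.2.20
102 192.0.2.20
102 192.0.2.20
102 192.0.2.20
103 192.0.2.20
103 192.0.2.20
105 192.0.2.10
110 192.0.2.10
115 192.0.2.10
EOF
}

sample_log | ban_list 5 10
```

The well-behaved poller is never listed; only the flooding client is banned, at the moment its sixth request lands inside the window.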

Device Tampering
• Someone accesses the disk and reads the files
• Or covertly modifies the embedded software
See ‘Special Concerns At the Edge’

Compromise or Hack
• The device is infiltrated
• Someone (or software) takes control
See ‘Common Vulnerabilities’

Special Concerns At the Edge

Physical Tampering
• People have physical access
• They could crack open the device
  – Remove SD card
  – Connect to disk interface
• Don’t want people tampering with your embedded system

Protecting System Integrity
• Generally requires more feature-rich processors
• Use full disk encryption (FDE)
• “Encrypted at rest”
But the key is exposed and readable, right?

Secure Cryptoprocessor (e.g. TPM)
Atmel TPM Development Kit (ARM)

Secure Boot & TPM
Power Up
Boot Loader
Check system integrity
Decrypt disk
System is live (and authentic!)
• Detects tampering
• Ensures integrity
• Protects the key
• “Root of Trust”

Certificate Authorities (CA)
• Another special concern for embedded
• SSL/TLS certificates are verified against CAs
• But IoT devices can’t get certs from actual root CAs
• Services like MQTT (device-to-device) check CAs
  – Hmm....

CA Solutions
• Create your own Certificate Authority (using OpenSSL)
• Install your own “root” CA cert on every device
• Each of your devices can then recognize each other
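
Added example (not part of the original slides): the three steps above carried out with the openssl command line, plus the check a device makes when a peer presents its certificate. The organisation name, device name and file names are constructed; it assumes an openssl binary on the PATH.

```sh
#!/bin/sh
# Added example: a private CA for a device fleet, built with the openssl CLI.
# Every name here (Example Fleet, fleet-ca, device-01, file names) is constructed.
set -eu

make_ca() {   # $1 = directory for the CA; creates ca.cnf, ca.key, ca.crt
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Fleet
CN = fleet-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # ca.key signs device certs and stays off the devices; ca.crt is the
    # "root" that gets installed on every device.
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 3650 \
        -config "$1/ca.cnf" -out "$1/ca.crt"
}

issue_device_cert() {   # $1 = CA directory, $2 = device name
    ca=$1; name=$2
    # One private key per device; only the CSR is handed to the CA.
    openssl ecparam -name prime256v1 -genkey -noout -out "$ca/$name.key"
    openssl req -new -key "$ca/$name.key" -config "$ca/ca.cnf" \
        -subj "/O=Example Fleet/CN=$name" -out "$ca/$name.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$name" \
        > "$ca/$name.ext"
    openssl x509 -req -in "$ca/$name.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$ca/$name.ext" \
        -out "$ca/$name.crt" 2>/dev/null
}

device_trusted() {   # $1 = installed root cert, $2 = peer certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_ca "$work/fleet"
issue_device_cert "$work/fleet" device-01
device_trusted "$work/fleet/ca.crt" "$work/fleet/device-01.crt" \
    && echo "device-01: chains to fleet root"
```

A certificate issued by any other CA, even one with the same subject name, fails `device_trusted` because its signature does not match the installed root's key.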

Common Vulnerabilities (And Solutions)

Common vulnerability #1
• Open service ports allowing logins
  – ssh, telnet, http: login prompt
• Plus weak/default passwords
1. Discovers telnet service
2. Start trying default logins
   admin : (no password)
   admin : admin
   ... brute-force search ...
3. If success, loads software

Common vulnerability #2
• Unauthenticated open services
• Anyone can connect!
Used within the home
Doll with Bluetooth
Bluetooth range
Anyone can “pair” with it! (no password or code)

Common vulnerability #3
• Outdated OS and software
• Everything needs patching eventually
  – e.g. WiFi “Krack”, major bug in WiFi protocol
• Can’t just leave a device alone for 5 years

General: Good Security Practices

Layered Security
• Multiple protection measures; redundancy
Process running as user: nobody
Authenticate
Do stuff
Block non-local networks

Wi-Fi Security
• Hot spot security modes
  – Open: no password, anyone can connect, unsafe
  – WEP: old standard, broken, unsafe
  – WPA: old standard, broken, unsafe
  – WPA2-TKIP: uses old algorithm, unsafe
  – WPA2-AES: currently best option (in 2021)

Wi-Fi: SSID
• SSID (Service Set Identifier) is hotspot name
• Publicly broadcast and visible to all
• Assume SSID is visible to everyone
• Hiding SSID doesn’t enhance security
• In product, don’t use SSID to authenticate