Basics of embedded firewalls - Part 1: Exploding the myths

Today there are over 5 billion intelligent, connected devices. The leading technology analyst firm International Data Corporation (IDC) is predicting the number will rise to 15 billion by 2015¹. Our reliance on embedded devices is growing as embedded devices are showing up in almost every area imaginable.

The Smart Grid, networked cars, medical instrumentation and monitoring systems, factory control systems, and military and homeland security equipment are all examples of connected devices. While these devices make our lives easier and more productive, our reliance on them makes us increasingly vulnerable when they fail.

As embedded devices proliferate, new vulnerabilities continue to be exploited, and attacks against embedded devices are on the rise. Recently reported vulnerabilities include:

• Hacking a car's computer and disabling its brakes, stopping the engine, and controlling other functions; even overriding the driver's commands.
• More than 122 medical devices infected by malware at the U.S. Department of Veterans Affairs.
• Attacks against web servers controlling IP cameras and other web-enabled embedded devices.
• Embedded devices failing from packet floods and Denial of Service (DoS) attacks.
• Reprogramming printers with malicious firmware causing them to forward documents to a remote computer, or run continuously causing failure due to heat buildup.

Many embedded devices with Internet connectivity and advanced features, such as a web interface, lack a firewall, a key component of a comprehensive security framework. A firewall provides a basic, but critical level of security for an embedded device, allowing it to block unwanted packets. A home PC or enterprise network is not considered to be secure without a firewall, so the fact that so many embedded devices are deployed without a firewall is alarming.

But I don't need a firewall, do I?
Despite the growing number of vulnerabilities and increasing awareness of hacking dangers, very few embedded designs include a firewall. There are several common arguments given as to why embedded firewalls are not needed.

• As non-Windows devices, embedded devices are not vulnerable to Internet based threats.
• Embedded devices are not attractive targets for hackers; there is no incentive to attack embedded devices.
• Only authentication and encryption are required to ensure a device is secure.

Recent research and trends invalidate these arguments. In fact, researchers in one study reported that embedded devices were over 15 times more vulnerable to Internet-based threats than enterprise networks².

While embedded devices may not be vulnerable to Windows viruses, there are a growing number of other Internet-based threats to which they are susceptible. DoS attacks are on the rise and attacks against web services are proliferating. Because many embedded devices now utilize a web server for connectivity and management, common attacks on web services can be effective against these embedded devices. An Arbor Networks Security Report showed a 1000% increase in DoS attacks from 2005 to 2010 and a 102% increase just from 2009 to 2010. Many of these attacks targeted embedded devices.

Hacking drones constantly scan ranges of IP addresses, probing any device or computer it finds for vulnerabilities. Even devices without a public IP address or web domain are still subject to attack.

More importantly, embedded devices play an ever increasing role in our lives and our society, and the economic, political or personal gain from attacking these devices has grown dramatically. Attacks have been developed and launched that specifically target embedded devices. It is imperative embedded devices now include a firewall to protect against these attacks.