NUREMBERG, Germany – Put embedded applications and wireless connectivity together and what have you got? A hacker's paradise is the answer, according to Stuart McClure, who gave a keynote speech on the opening day of the Embedded World conference here.
McClure, a former CTO of antivirus software company McAfee, now leads the security services startup Cylance Inc. (Irvine, Calif.), which has just announced $15 million in funding from Khosla Ventures and Fairhaven Capital.
McClure made the point that many companies are casual about secure design and then reluctant to close loopholes. He spoke of an insulin pump that Cylance was able to hack, altering the measured dosage delivered, with the obvious potential for harm to a user. "It's a feature," the vendor said when shown.
There are about 10 billion embedded devices worldwide, McClure estimated, and many have been designed without much thought to security, he added. While in the early days embedded systems tended to be isolated, stand-alone items, devices are increasingly being created with multiple wireless and wired connections, and that interconnectivity means that once security is breached it is possible to access more sensitive information.
"Security in embedded today is weatherproofing, resilience, availability and tamper-proofing. It's not enough. Even with encryption, which can often be easily bypassed," McClure said. "Right now we are just patching. Symptom management is what we are doing. We treat the symptoms because it's easy – but it's a fool's game. You are always chasing your tail."
McClure went on to recount some horror stories of hacks on automatic teller machines, on medical infusion pumps, and on the tram service in Lodz, Poland, where in 2008 a 14-year-old boy noticed the tram drivers were using an IR remote control to switch points ahead of the tram. "He probably brute-forced the codes on his TV remote but he derailed four trams," said McClure. Mobile phones are some of the most insecure devices, and yet they are also devices on which we are prepared to use credit card details.
One of McClure's last examples was the smart TV. Cylance was eager to find out whether there was a way to hack the latest Samsung Smart TVs but generally found that the obvious connections such as Wi-Fi and Bluetooth were well protected. It then discovered that, to cope with legacy remote controls, these latest smart TVs still have a legacy unauthenticated infrared sensor. McClure said he plans to demonstrate that, once in, it is possible to gain access to the full system resources and to pose as a user; because smart TVs are full internet terminals, that could include access to email traffic and credit card numbers.
McClure denied that it is too difficult or expensive to secure embedded systems against hacks. As well as promoting his latest book, "Hacking Exposed," McClure gave a quick guide to where effort can best be deployed to close the security loopholes. Some 90 percent of hacks are made using the conventional inputs of the system. About 8 percent are through faults in the embedded processing and software, and a surprising 2 percent are done by attacking the system output.
However, McClure's message was that it is necessary to take a holistic approach to the security of embedded systems and to focus on prevention rather than cure. What was not included in McClure's keynote was how the costs and benefits stack up against the pros and cons of such an approach.
I would think that simple devices are easier to secure. They don't have the same horsepower available for encryption/decryption, but they have far fewer vulnerable spots than a complex system. I doubt that anyone knows how many points and methods of potential entry there are for a typical PC.
A Bluetooth device may have only one point of entry and only one protocol to defend. If the 8-bit MCUs don't have enough power to be secure, even at that level, maybe the low-cost 32 bits will be able to make greater inroads by meeting that requirement.