Embedded devices and hardware security - introduction

Filter by category:

September 12, 2016 by Lény Bueno
Lény Bueno

This article introduces a series of blog posts dealing with embedded systems security. This set of articles will mainly focus on Hardware but may also concern software security (e.g. firmware) or cryptography. Think of it as a selection of various resources, more or less technically accessible.

Embedded devices are now interconnected and omnipresent in our everdyday life. This is the Internet-of-Things (IoT) age. These systems are not anymore limited to routers, mobiles/tablets, printers or video surveillance systems. Today, they have expanded into our cars, our offices, our houses with home automation, our skin with the influx of wearables, and sometimes even our bodies (e.g. pacemaker, insulin pump). To give some idea of this growing phenomenon, Gartner estimates that 6.4 billion things will be connected in 2016, an increase of 30% from 2015. Therefore, it is becoming important to consider potential risks (i.e. information security, privacy, or safety). The security of these different systems, clients they interact with and cloud services must be taken into full account. Whether it concerns the software, the network or the hardware!

While processes, methods and tools have been developed in order to improve the software security, the hardware aspect was often forgotten, even discarded. Indeed, only few manufacturers or IT security experts have the adequate means and technical knowledge to assess the hardware security level. Electronics may sound hard, equipment can be cost-effective, information may be missing and it involves a long process of learning.

On this basis, we often take it for granted that hardware is "secured" and there are many black-boxes. This is a form of security through obscurity...

However, regardless of its maturity level, an application is only as secure as the hardware it is running on... It is for example possible - from the hardware - to communicate with storage memory, embedded system, microprocessor or microcontroller. Can you imagine the risks from these new attack vectors? :)

Attackers have clearly got it. Their attacks are now more and more sophisticated and low-level. Therefore, we will share - in this set of articles - many information relating to electronics and various methods used to assess the hardware security level of an embedded system. In the program:

  • tools and materials needed to analyze and exploit the hardware;
  • various electronic components on a printed circuit board (PCB) and their role;
  • how to interface with them;
  • data interception, writing / fuzzing;
  • extraction of sensitive information, file-system or firmware;
  • firmware reverse engineering, research and exploitation of software vulnerabilities;
  • advanced hardware exploitation techniques like side channel attacks (e.g. power analysis or timing attacks), fault injections, etc.;
  • protection techniques used by manufacturers, difficulties that might be involved and bypass walkthroughs;
  • etc.

See you soon for the first part!