ProvenRun at Embedded World 2023

 

Not a week goes by without news of breaches and exploits that expose corporate networks and regular end-users to risks to data, identity, and more broadly, well-being. With the increasing sophistication of both computer systems and of the cybercrimes that plague them, no system or device is safe. Systems at risk span from enterprise and cloud servers to desktop computers to embedded and mobile/wireless devices to increasingly ubiquitous IoT “things” – vehicles, medical instruments, industrial equipment, infrastructure systems and other intelligent devices.

But while humans imbue more devices and machines with intelligence, it is important to understand the distinctions among those systems – how they are built, maintained and targeted – to be better able to defend current and future designs from malware and bad actors.

The focus of this blog is to compare the cybersecurity risk profiles of three system classes – data center and cloud servers, desktop computers, and embedded/wireless/IoT devices – and to highlight how security countermeasures for each require different types of investment.

Best Practices for Device Manufacturers

Attack Surface

The attack surface of enterprise servers is mostly limited to the software and services that interact with users over the internet – web servers and webapps, cloud storage and hosting, etc. Breaching those outward-facing services exposes the rest of the software stack to exploit (e.g., the ongoing vulnerability crisis around Log4j).  Aside from actual vulnerabilities, enterprise servers suffer greatly from misconfiguration of existing security mechanisms and measures.

Desktop systems suffer from a multi-vector attack surface, where users are often the weakest link. The typical exploit narrative starts with users opening an email attachment or visiting a malware host site, opening an innocuous-looking file and in doing so, installing malware. An entire industry exists today around “endpoint security”, but despite the efforts of over 70 vendors and IT security organizations, the desktop onslaught continues.

Intelligent devices share some security attributes of both servers and desktops: the greatest threats typically come through their network connections, but overall embedded systems fall into the category of network endpoints, with the added bonus to bad actors of variously unfettered physical access.  Adding further insecurity to this unfortunate combination is the lack of attention by embedded developers to designing with security in mind. Legacy RTOS and embedded kernels, designed for size, efficiency and responsiveness, seldom even begin to address security. And while embedded Linux in theory can leverage enterprise capabilities, it is often misconfigured and/or not kept up to date. Worse yet, application-centric systems, especially Android, are vulnerable to poorly coded and malicious downloaded apps.

Operation

Types of system access are related to modes of operation: attended vs. autonomous.

In the enterprise, both servers and desktops are subject to monitoring via software agents, authentication protocols, threat-hunting software and other means. If a system exhibits aberrant behavior or experiences attempts at unauthorized access, alarms trigger and alerts make their way to a SOC (Security Operations Center), where trained staff initiate appropriate security responses.

Autonomous and remote systems can benefit from the same sort of monitoring, but most often do not.  Instead, they are deployed and forgotten.  Often they don’t receive or cannot receive updates to software with patches to address vulnerabilities, and so with time become increasingly vulnerable to attack.  And when those devices have missions in transportation, defense, healthcare and other critical applications, such attacks can constitute real threats to national security and public safety.

Physical Access

Enterprise and cloud servers enjoy a greater degree of protection from physical attack – they are usually locked up in server rooms and on isolated server farms, limiting attack vectors to network access. 

Enterprise desktop systems enjoy some level of physical security – locked offices and password-protected screen locks; notebook computers are far more vulnerable as they can “walk off” in the hands of bad actors. If physically stolen, all types of PCs can be dismantled, opening physical data storage to attack (encryption notwithstanding). Such systems are also vulnerable to malware contained on removable media – USB memory sticks, external drives, etc.

Embedded systems – IoT devices, control systems, mobile/wireless handsets/tablets, vehicle head units and myriad other devices – are most subject to direct physical attack. They can be unplugged in place or smashed; they often deploy weaker, prior-generation wireless encryption; many have exposed factory reset buttons; and they can be carried off and exposed to further mischief on a workbench. A particularly infamous hack[1] was carried out against a Jeep vehicle, accomplished first through updates to the head unit and then via access to the vehicle CAN bus. The hackers also discovered an embedded wireless modem onboard and were subsequently able to gain control of similar vehicles (and of multiple other car models) actually driving in traffic.

Jerome Bring

Director - Global Sales & Business Development

jerome.bring@provenrun.com

Eric Faure

Global Field Application Manager

eric.faure@provenrun.com

Mike Stuart

Field Application Engineer


benjamin.mouchard@provenrun.com
