CompTIA Security+: Embedded Systems

This chapter is finally something my speed, after lots of very abstract topics.  Embedded systems are computer systems that have a dedicated purpose and exist within a larger mechanical and/or electrical system.  They range from IoT devices to cars to industrial systems.

Embedded system design often focuses on minimizing cost, so security is frequently not prioritized.  Most embedded systems have historically operated as isolated systems, which masked these security gaps.  As more of them are connected to the internet, the gaps become reachable and the issues more pressing.

This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.

SCADA and ICS

SCADA stands for supervisory control and data acquisition.  It refers to systems that monitor and control automated processes in cyber-physical environments: manufacturing plants, traffic lights, refineries, energy networks, water plants, building automation, and so on.  The broader term is ICS, or industrial control system; SCADA is one kind of ICS (typically the supervisory layer that collects data from and sends commands to PLCs and other field controllers), although the two names are often used interchangeably.

They have historically been fairly isolated, even air-gapped, but are now being connected to corporate networks and the internet for convenience and for business reasons such as remote monitoring.

One famous example of a SCADA attack was Stuxnet, which crossed an air gap on USB media and altered the behaviour of the PLCs driving uranium-enrichment centrifuges while reporting normal readings to the operators.

Smart Devices and the Internet of Things

IoT, or internet of things, is such a common phrase that it’s practically a buzzword.  An IoT device is anything with a microcontroller and a network connection that lets it be monitored or controlled remotely.  Voice assistants such as Amazon Echo and Apple Siri add cloud-hosted AI on top.  Every IoT device has a network interface and a computing platform (on the device itself, in the cloud, or split between the two).  “Functionality is king,” as the book says, and as manufacturers cut costs to mass produce these devices, security is an afterthought.

One class of smart devices is wearable technology: Fitbits and other biometric trackers.  These devices usually run either a dedicated real-time operating system (RTOS) or a stripped-down Linux kernel, depending on how much hardware the device has.

There’s also home automation: turning lights on and off, playing music, closing the garage door, home surveillance.  Unprotected devices have found themselves as unwitting participants in botnet attacks.  The 2016 attack on the DNS provider Dyn was carried out by the Mirai botnet, built from consumer devices such as IP cameras, DVRs and “smart” baby monitors that were exposed to the internet with factory default passwords.
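How devices end up in a botnet like that is worth seeing concretely.  Mirai enrolled devices by logging in over telnet with a short list of factory default credentials.  The detector below, an added example and not code from the blog post or the Security+ book, runs over honeypot-style telnet logs (a telnet honeypot sees the attempted password in the clear) and raises two kinds of finding: a source cycling through known IoT defaults, and a login that succeeded with one of them.  The log format and every log line are constructed for the example, the source addresses come from the RFC 5737 documentation ranges, and the credential list is a handful of pairs from the published Mirai source.

```python
# Added example, not code from the blog post or the Security+ book.
# Detects Mirai-style default-credential scanning and successful factory
# logins in constructed honeypot-style telnet logs.
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# A handful of the (user, password) pairs from the published Mirai source.
# The real list is longer; extend it from the source or a vendor default list.
IOT_DEFAULT_CREDENTIALS: Set[Tuple[str, str]] = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("support", "support"), ("root", "123456"),
}

# Constructed log format: <timestamp> telnet src=<ip> user=<u> pass=<p> result=ok|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>[\d.]+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


class Attempt(NamedTuple):
    ts: str
    src: str
    user: str
    pw: str
    ok: bool


class Finding(NamedTuple):
    kind: str    # "factory-credential-login" or "default-credential-scan"
    src: str
    detail: str


def parse_line(line: str) -> Optional[Attempt]:
    """Parse one constructed log line; lines that do not match are skipped."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Attempt(m["ts"], m["src"], m["user"], m["pw"], m["result"] == "ok")


def analyze(lines: List[str], min_pairs: int = 3) -> List[Finding]:
    """Flag successful factory-credential logins as they happen, then any
    source that tried at least min_pairs distinct known default pairs."""
    tried: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    findings: List[Finding] = []
    for line in lines:
        a = parse_line(line)
        if a is None:
            continue
        pair = (a.user, a.pw)
        if pair not in IOT_DEFAULT_CREDENTIALS:
            continue
        tried[a.src].add(pair)
        if a.ok:
            findings.append(Finding("factory-credential-login", a.src,
                                    f"{a.user}:{a.pw} accepted at {a.ts}"))
    for src, pairs in tried.items():
        if len(pairs) >= min_pairs:
            findings.append(Finding("default-credential-scan", src,
                                    f"{len(pairs)} known IoT default logins tried"))
    return findings


# Constructed sample: one scanner that gets in on its fourth default pair,
# one legitimate user, one source that tried a single default, one junk line.
CONSTRUCTED_LOG = """\
2016-10-21T11:10:01Z telnet src=203.0.113.7 user=root pass=xc3511 result=fail
2016-10-21T11:10:02Z telnet src=203.0.113.7 user=root pass=vizxv result=fail
2016-10-21T11:10:03Z telnet src=203.0.113.7 user=admin pass=admin result=fail
2016-10-21T11:10:04Z telnet src=203.0.113.7 user=root pass=888888 result=ok
2016-10-21T11:12:30Z telnet src=198.51.100.5 user=alice pass=correct-horse result=ok
2016-10-21T11:13:00Z telnet src=198.51.100.9 user=root pass=admin result=fail
this line is not in the expected format and is ignored
""".splitlines()


if __name__ == "__main__":
    for f in analyze(CONSTRUCTED_LOG):
        print(f"{f.kind}: {f.src} ({f.detail})")
```

The successful login is the finding that matters: it means a device on your network still has its factory password and is now under someone else’s control.  To run this against a real honeypot only parse_line and the regex need to change.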

HVAC

HVAC stands for heating, ventilation and air conditioning.  Why connect it to the internet?  “Smart” buildings can turn HVAC systems on or off based on occupancy and use.  This helps save millions of dollars, but connecting building systems to the network is not without risk: a networked HVAC controller is a foothold on the internal network, and the 2013 Target breach started with credentials stolen from the retailer’s HVAC contractor.

SoC

Systems on a Chip, or SoCs, are used in a variety of embedded systems and smart devices.  A SoC is “a complete computer system miniaturized on a single integrated circuit”.  It is designed to provide the full functionality of a computing platform on one chip (main memory may still sit on a separate chip), typically including the CPU along with networking and graphics display capabilities.

SoCs are very common in the mobile computing market and are on billions of devices worldwide.

RTOS

Real-time operating systems are “designed for systems where the processing must occur in real time and data cannot be queued or buffered for any significant length of time.”  These hard timing constraints can be at odds with security functionality: cryptography, input validation and logging all cost cycles, and an update that changes timing may require the whole system to be re-qualified.  By contrast, general purpose operating systems are multitasking by design and schedule for throughput and fairness rather than guaranteed deadlines.

Printers and MFDs

Printers and multifunction devices (printer, fax and scanner in one) have far more computing power and responsibility than they used to, thanks to their embedded systems.  They open bidirectional channels of communication with computers, which makes them a possible vector for attack (spreading malware).

Camera Systems

There are two big categories of camera systems.  The first is high-end cameras with a lot of features, which often connect to networks through built-in VPNs to protect their content.  The other is cheap, ubiquitous security cameras used for surveillance at home and in public.

Special Purpose

Lastly, the chapter lists three “special purpose” categories.

The first is medical devices.  This is a large group and covers everything from small implantable devices to tools for measuring vital signs to MRI machines.  One of the issues with medical devices is how to patch discovered vulnerabilities.  Medical devices must undergo extensive testing to be certified, so manufacturers are hesitant to push updates.  The biggest consideration is that they have direct effects on human life.

Vehicles are another special purpose category.  A modern vehicle contains hundreds of embedded microcontrollers (ECUs) and millions of lines of code.  The microcontrollers communicate over a CAN bus (controller area network), a broadcast bus with no central host: any node can transmit, and a frame carries an arbitration ID and up to 8 data bytes but no sender address, no authentication and no encryption, so a compromised or attached node can impersonate any other.  Cars are also increasingly connected to the internet for “infotainment” purposes, which gives attackers a way onto the bus from outside; in 2015 researchers remotely took control of a Jeep Cherokee through its cellular-connected infotainment unit.  This problem will likely only get worse as manufacturers and the DOT add vehicle-to-vehicle communications.
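Because a CAN frame carries nothing that identifies its sender, defenders fall back on timing: most ECUs transmit each ID on a fixed period, so an injected frame shows up as one that arrives far too early for its ID, or on an ID the bus never normally carries.  The script below is an added example, not code from the blog post or the Security+ book.  It parses frames in the candump log format, learns a per-ID period from a clean capture, and flags injected frames.  All frames, IDs and timings are constructed for the example.

```python
# Added example, not code from the blog post or the Security+ book.
# Shows the CAN frame layout (no source field) and the per-ID timing check
# that automotive intrusion detection relies on. Frames below are constructed.
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CanFrame:
    timestamp: float  # seconds, from the capture
    arb_id: int       # 11-bit arbitration ID; lowest ID wins the bus, no source field
    data: bytes       # 0-8 payload bytes, unauthenticated and unencrypted

    def __post_init__(self) -> None:
        if not 0 <= self.arb_id <= 0x7FF:
            raise ValueError("classic CAN uses an 11-bit arbitration ID")
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")


def parse_candump(line: str) -> CanFrame:
    """Parse one line in the candump log format: (timestamp) iface ID#HEXDATA."""
    ts, _iface, frame = line.split()
    arb_id, _, hexdata = frame.partition("#")
    return CanFrame(float(ts.strip("()")), int(arb_id, 16), bytes.fromhex(hexdata))


def learn_periods(frames: List[CanFrame]) -> Dict[int, float]:
    """Baseline from clean traffic: mean inter-arrival time for each ID."""
    last: Dict[int, float] = {}
    gaps: Dict[int, List[float]] = {}
    for f in frames:
        if f.arb_id in last:
            gaps.setdefault(f.arb_id, []).append(f.timestamp - last[f.arb_id])
        last[f.arb_id] = f.timestamp
    return {arb_id: mean(g) for arb_id, g in gaps.items()}


def detect_injection(frames: List[CanFrame], periods: Dict[int, float],
                     tolerance: float = 0.5) -> List[Tuple[CanFrame, str]]:
    """Flag frames with an ID absent from the baseline, or a known ID that
    arrives earlier than tolerance * its learned period. A legitimate ECU
    keeps its schedule; an injected frame lands in between its frames.
    Flagged frames do not advance the per-ID clock, so a flood of injected
    frames cannot make the real ones look like the anomaly."""
    alerts: List[Tuple[CanFrame, str]] = []
    last: Dict[int, float] = {}
    for f in frames:
        if f.arb_id not in periods:
            alerts.append((f, "unknown ID"))
            continue
        if f.arb_id in last and f.timestamp - last[f.arb_id] < tolerance * periods[f.arb_id]:
            alerts.append((f, "arrived too early for its period"))
            continue
        last[f.arb_id] = f.timestamp
    return alerts


def constructed_baseline() -> List[CanFrame]:
    """Constructed clean capture: ID 0x0C0 every 10 ms, ID 0x1A0 every 20 ms."""
    lines = [f"({k * 0.010:.6f}) can0 0C0#{k:02X}00" for k in range(10)]
    lines += [f"({k * 0.020:.6f}) can0 1A0#FF{k:02X}" for k in range(5)]
    return sorted((parse_candump(line) for line in lines), key=lambda f: f.timestamp)


def constructed_attack() -> List[CanFrame]:
    """The same capture with one 0x0C0 frame injected at 13 ms (nothing on the
    bus distinguishes it from the real ECU's frames) and one frame on 0x7DF,
    the OBD-II broadcast diagnostic request ID, which the baseline never saw."""
    frames = constructed_baseline()
    frames.append(parse_candump("(0.013000) can0 0C0#DEAD"))
    frames.append(parse_candump("(0.031000) can0 7DF#0201"))
    return sorted(frames, key=lambda f: f.timestamp)


if __name__ == "__main__":
    periods = learn_periods(constructed_baseline())
    for frame, reason in detect_injection(constructed_attack(), periods):
        print(f"{frame.timestamp:.3f}s ID 0x{frame.arb_id:03X} {frame.data.hex()}: {reason}")
```

The tolerance of half a period is generous on purpose: real ECUs jitter, and a threshold too close to the period turns ordinary bus load into a stream of false alerts.  Event-driven IDs (brake pedal, door switches) have no fixed period and need a different baseline than the one learned here.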

Finally, aircraft and UAVs (unmanned aerial vehicles).  Aircraft, like medical devices, have difficulty updating software because of the highly regulated nature of the industry.  Aircraft are also at risk of attacks through seemingly unrelated systems, such as the in-flight wifi.  UAVs are a particular security risk because they must be controlled over a wireless link, so the command-and-control channel itself is exposed.