Demystifying Hardware Security – Part I

By Alain Iamburg ·

The Risk

Competent information security professionals are constantly learning and adapting to the changing threat landscape. However, embedded device security is the elephant in the room that many seem to ignore. These devices generally take a back seat to the security concerns of the software running on servers and workstation machines, but they are becoming one of the leading information security concerns of our time. An embedded device can generally be categorized as an application-specific electronic device that is controlled by one or more microprocessors executing machine code.

It can be seen all around us. Humans are increasingly relying on embedded devices to assist us with daily tasks, often critical ones. Here is a brief list of things people use which are controlled by embedded devices:

  • Commercial Devices
    • Point-of-Sale Machines
    • Automatic Teller Machines
    • Vending Machines
    • Parking Meters
    • Utility Meters
    • Hotel Room Doors
    • X-Ray Machines
  • Consumer Devices
    • Cellular Phones
    • Televisions/Set Top Boxes
    • Gaming Consoles
    • Wireless Headsets/Keyboards/Mice
    • Home Security Systems
    • Printers
    • Wireless Access Points/Routers/Modems
  • Medical Devices
    • Pacemakers
    • Insulin Pumps
    • Glucose Monitors
  • Vehicles
    • Automobiles, Aircraft, etc.

Exploitable vulnerabilities in automobiles, printers, hotel room doors, pacemakers, televisions, utility meters, insulin pumps, cell phones, networking equipment, gaming consoles and other network-enabled devices have been publicly demonstrated. Some are local attacks while others can be conducted remotely. The consequences of these exploits include compromise of functionality, unauthorized physical access, theft of intellectual property, disclosure of personal information, financial loss and even injury or death to the user. These are negative outcomes for the end user as well as the company that produced the device, and they are reflections of the poor state of embedded device security.

Introducing PVED

The biggest hurdle for information security practitioners wanting to get involved with embedded device security is the steep learning curve in understanding the concepts. The barrier to entry is high compared to conventional information security assessment because the levels of abstraction that exist in general-purpose computers are simply not applicable to most embedded devices.

Working with embedded device security requires knowledge of low-level computer engineering concepts, the specifics of which vary from device to device. This is the security by obscurity that some vendors rely on instead of investing resources to properly secure their devices throughout their development lifecycles. Vendors may not even be aware of how certain design decisions will affect the security of the device. To make matters worse, it is far more difficult to deploy large-scale security patches to embedded devices as compared to traditional computers.

It is crucial that we as information security professionals have the skills to meet the needs of our society. To help address this problem, I created an open-source learning tool called Purposely Vulnerable Embedded Device (PVED). This device is intended to assist in learning hardware security assessment techniques that are used for low-level auditing of other devices with embedded software. These skills can be used to master the inner-workings of embedded devices and uncover the security vulnerabilities they may contain.

  

Some of the skills that can be taught with PVED include:

  • Basic circuit theory and analysis
  • Use of a microcontroller programmer
  • Use of a Saleae logic analyzer
  • Use of the multipurpose interfacing tool known as a Bus Pirate

In the next part of this series, I will demonstrate the use of the Saleae logic analyzer on the PVED. The analyzer will be used to intercept low-level communications within the hardware to expose stored user credentials.