Follow @jack_ganssle

Embedded Cyberrisks

Summary: Embedded security? Few care, though the Feds are waving warning flags.

A recent article in eWeek (http://www.eweek.com/c/a/Mobile-and-Wireless/DHS-Claims-Foreign-Suppliers-Have-Embedded-Malware-in-USElectronics-832422/#user_comments) claims that the acting deputy undersecretary of the National Protection and Programs Directorate of the Department of Homeland Security (who makes up these titles?) testified before Congress that certain consumer products supplied by foreign companies are "embedded" with "spyware, malware and security-compromising components."

I have found the acting deputy undersecretary's prepared statement, which makes no mention of consumer devices, but can't find a transcript of the Q&A. However, the Administration appears to have some concerns; one document on the White House's server specifically addresses these: http://www.whitehouse.gov/files/documents/cyber/ISA%20-%20Securing%20the%20Supply%20Chain%20for%20Electronic%20Equipment.pdf.

Alas, that document shows a complete lack of understanding about embedded systems. For instance, here are two excerpts: "These hostile agents could alter the circuitry of the electronic components or substitute counterfeit components with altered circuitry. The altered circuitry could contain "malicious firmware" that would function in much the same way as malicious software." And: "Once malicious firmware has been inserted into electronic components, it can be almost impossible to detect. Because it is in the hardware, the malware will remain in place even when all the software has been upgraded or replaced."

Obviously, the author is quite confused about the nature of firmware.

The document goes on to propose some general solutions like maintaining alternative sources and the use of tamper-proof seals, as well as logging every operation and the responsible parties. Wow. Second sources disappeared decades ago, and the proliferation of parts means it's pretty much impossible to go back to those easier times. Microchip alone sells around 800 different microcontrollers; perhaps a Huge Federal Program can create a vast array of factories to generate duplicates of every part we use in embedded products. And logging employee names is surely načve if a nation-state were behind the infection effort.

None of the proposed solutions will limit alien intelligence agencies' abilities to subtly alter firmware or hardware to exploit their nefarious needs.

The fact is that companies have no incentive to add security of any sort to the vast majority of embedded products. That electric toothbrush poses no security threat. or at least none that will affect the company's bottom line. Add a USB connector and suddenly it could become a point of intrusion into a network. But from a business standpoint, why spend money to harden the product when there's no financial incentive?

Some interesting approaches do exist; Green Hills has some intriguing ways to insure parts aren't counterfeited. But even those require a management commitment to run checks on incoming components and products. How many toy manufacturers will? And will these approaches work on large-scale systems, like the Siemens SCADA systems compromised by Stuxnet, that undergo continual software updates?

Only when there's a financial or regulatory incentive will businesses focus on security. Gaming machines in Nevada, for instance, are required to pass through a certification process that includes State lab analysis of the software as well as field trials. The reason, of course, is that casinos have lost money on poorly-engineered machines. There is a financial incentive, and that's bolstered by regulatory requirements.

Highly technological societies are fragile. They depend on increasing amounts of entropy to succeed. One wonders if some Dr. Evil or a nation-state could be cyber-hollowing out the increasingly-overloaded legs that support our society. Alas, we remain willingly-ignorant, responding with patches to the occasional e-earthquake that shakes us up from time to time, while ignoring that huge fault line that runs through our infrastructure.

Published August 10, 2011