Security Solutions Target Ubiquitous Computing

Features within the PXA platform help to secure embedded designs.

By Lawrence Ricci and Chris Tacke

As more and more embedded devices incorporate powerful, 32-bit central-processing units (CPUs) and operating systems (OSs), security will become vitally important. Security can be central to a device’s function whether that device is a smartphone used by a stockbroker, an automation device controlling the power grid, or a remote camera/sensor system for homeland security. It should therefore be designed in. As the security “villains” morph into professionals with serious criminal or political agendas, the stakes are bound to grow larger. Unfortunately, the remedies are potentially difficult to implement.

The most serious threat will be from security exploits that co-opt a device for some “evil” purpose. PCs that have been co-opted by a Trojan and used for phishing, spamming, or distributed Denial of Service (dDOS) can be diagnosed and cleaned with popular and easy-to-use security software. If all else fails, PCs can be unplugged.

The same spam, phishing, or dDOS attack could be much harder to detect if it’s mounted from an embedded device, however. Examples of such devices include set-top boxes, home-automation controllers, cell phones, and electric-utility substation controllers. Once an attack is detected, it will be much harder to fix. For example, “unplugging” some of these devices might shut off the water supply to a city.

When discussing improved security for embedded devices, a quote from a high-ranking security professional in the government comes to mind: “Twenty percent of what we check here is that devices do what they are supposed to do in terms of encryption, biometrics, etc. Ninety percent of what we do is making sure the device cannot be co-opted to do something else.” As an example of a company working toward this goal, look to the security features that Intel is including in its PXA CPU series.

Current State of Security
The threat certainly is real. Dr. Markko Lasco of the Secure Programming Group at Oulu University in Finland has published a series of tests, run in the year 2000, on various basic cell phones and other mobile, networked devices. Lasco saw between 75% and 100% of all tested devices fail various protocol attacks (see the Figure).

An emerging threat that’s now under investigation is called a “CODEC” attack. Here, malformed data is presented to a media CODEC with the intent of creating a buffer overflow and allowing the insertion of unwanted code. An alarming fact is that some of the vulnerabilities discovered aren’t “faults” in the software. The vulnerabilities may be embedded in and intrinsic to protocols and formats that are as ubiquitous as HTTP, SMTP, and MP3.
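The following is an added illustration, not code from the article or from any real codec: a constructed toy frame format in which the header carries a payload length. The first decoder trusts that length and can be overrun by a malformed frame; the second checks it against both the output buffer and the bytes actually received before copying anything.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy frame format, not a real codec: byte 0 = frame type,
 * bytes 1-2 = big-endian payload length, then the payload bytes. */
#define SAMPLE_MAX 64
enum { FRAME_BAD_LENGTH = -1, FRAME_TRUNCATED = -2 };

static uint8_t g_out[SAMPLE_MAX];   /* decoder output buffer */

/* Vulnerable decoder: trusts the length field carried in the data. A frame
 * whose header claims more than SAMPLE_MAX bytes writes past g_out; one that
 * claims more than was received reads past the input. Returns bytes copied. */
int decode_frame_unsafe(const uint8_t *in, size_t in_len) {
    if (in_len < 3) return FRAME_TRUNCATED;
    size_t len = ((size_t)in[1] << 8) | in[2];
    memcpy(g_out, in + 3, len);                      /* no bounds check */
    return (int)len;
}

/* Hardened decoder: the length field is checked against the destination
 * capacity and against the bytes actually present before anything is copied. */
int decode_frame_safe(const uint8_t *in, size_t in_len) {
    if (in_len < 3) return FRAME_TRUNCATED;
    size_t len = ((size_t)in[1] << 8) | in[2];
    if (len > SAMPLE_MAX) return FRAME_BAD_LENGTH;   /* cannot fit the output */
    if (len > in_len - 3) return FRAME_TRUNCATED;    /* header overstates size */
    memcpy(g_out, in + 3, len);
    return (int)len;
}

/* Constructed sample frames: a well-formed one, one whose header claims 4096
 * bytes, and one whose header claims 16 bytes but carries only 2. */
static const uint8_t GOOD_FRAME[] = {0x01, 0x00, 0x04, 'a', 'b', 'c', 'd'};
static const uint8_t OVERSIZED[]  = {0x01, 0x10, 0x00, 'a', 'b', 'c', 'd'};
static const uint8_t TRUNCATED[]  = {0x01, 0x00, 0x10, 'a', 'b'};
```

The unsafe decoder is present only to show which checks are missing; feed the malformed sample frames to the hardened one, which rejects them before any copy takes place.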

In spite of the indicated device vulnerabilities, there have only been about four “cell-phone” virus-like attacks (all on simple text-messaging cell phones) in the “wild” as of December 2003. There have been three virus or Trojan attacks on the old Palm. Clearly, the relative peace and calm that users enjoy in the mobile/embedded environment isn’t because of the security within the devices.

To date, much embedded-device security rests on “security from obscurity.” In other words, the device builders hope that their arcane design twists and turns will keep the device secure. When the adversary is serious, however, experience has shown that security by obscurity works to the adversary’s advantage (i.e., against the interests of the device owner).

Most of the disruptive virus attacks on desktops and servers have been the products of second-rate programmers. Those individuals were looking for attention from either the “community” or their immediate peers. They found out how to make a virus only after a professional found the vulnerability and issued a security patch; the hacker then figured out an exploit based on the patch. In the embedded/RISC space, however, the threat is different. It will come from well-funded professionals who are able to buy sample “target” devices. They also will be able to find and co-opt sympathetic agents within the enterprise.

It’s assumed that these adversaries will pose specific threats that aren’t in the public’s interest. They’ll be more likely to develop covert Trojan/Backdoor exploits than dramatic, public, “viral” displays of their prowess. In addition, an exploit might be “multi-platform,” taking advantage of various programs on PCs and embedded devices. For example, MP3 players could be used to transport worms and Trojans around firewalls and to the core of some enterprise. Indeed, this recently happened, although accidentally. Some infected, PC-based, factory test equipment loaded a Trojan on a popular media player. Although the Trojan wouldn’t run on the media player, it could be transported to a host PC.

What Is the Solution?
To keep embedded systems secure, the first priority should be to implement the principles of the Trusted Computing Alliance (TCA). Strong identification of each device is central to this program. Security begins with that device identification. The PXA system reaches out from the hardware to the bootstrap to the OS and to the programs. In this way, it verifies that the device is what it’s supposed to be. It also makes sure that the device does not contain rogue code from some exploit.

These features are available in the PXA series now. The device and its bootstrap can be uniquely identified to each other by codes that are hidden from any other party. Once the “software realm” is tied to the hardware, identification can continue outward. The OS and application code are then allowed to run only on an authorized device. Within this cycle of security, networked devices could even establish a strong third-party certification of their identities. If an industrial controller tries to send an e-mail to an individual (for phishing) or access a government web site (for dDOS), the receiving party could therefore check with a trusted third party. They would then see that such communication is unauthorized and block it. The tools are there with PXA. Maintaining a secure embedded environment only requires applying them.
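The chain described above (hardware verifies bootstrap, bootstrap verifies OS, OS verifies application) is simulated below as an added example; it is not the PXA mechanism or any vendor’s code. It assumes each stage holds the expected digest of the next stage, with FNV-1a standing in for the cryptographic hash or signature check a real design would use, and shows that altering any image stops the chain at that point.

```c
#include <stdint.h>
#include <string.h>

#define STAGES 3   /* bootstrap, OS, application */

/* FNV-1a 64 stands in for a real cryptographic hash or signature check so the
 * example builds without a crypto library; it is not collision resistant. */
static uint64_t digest(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 0x100000001b3ULL; }
    return h;
}

struct stage {
    uint8_t image[16];   /* constructed stand-in for the stage's code */
    uint64_t expected;   /* digest held by the stage *before* this one */
};

/* Provisioning: the hardware is given the bootstrap's digest, the bootstrap
 * the OS's, the OS the application's; each value lives outside the image. */
static void provision(struct stage *s, int n) {
    for (int i = 0; i < n; i++)
        s[i].expected = digest(s[i].image, sizeof s[i].image);
}

/* Boot: each stage is measured before it may run. Returns how many stages
 * started and stops at the first mismatch, so rogue code never executes. */
int boot_chain(const struct stage *s, int n) {
    int started = 0;
    for (int i = 0; i < n; i++) {
        if (digest(s[i].image, sizeof s[i].image) != s[i].expected)
            return started;                          /* fail closed */
        started++;
    }
    return started;
}

/* Build a constructed device, optionally alter one stage's image after
 * provisioning (tamper_stage < 0 leaves it untouched), then boot it. */
int demo(int tamper_stage) {
    const char *names[STAGES] = {"bootstrap", "os", "application"};
    struct stage s[STAGES];
    for (int i = 0; i < STAGES; i++) {
        memset(s[i].image, 0, sizeof s[i].image);
        memcpy(s[i].image, names[i], strlen(names[i]));  /* constructed bytes */
    }
    provision(s, STAGES);
    if (tamper_stage >= 0) s[tamper_stage].image[0] ^= 0x01;  /* one-bit change */
    return boot_chain(s, STAGES);   /* 3 clean; 2 if app altered; 0 if bootstrap */
}
```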

Lawrence Ricci, a Microsoft Windows Embedded MVP, works with Applied Data Systems to develop real-time and secure embedded applications.

Chris Tacke is a Microsoft MVP and recognized expert for managed code development. Tacke is author of “Embedded Visual Basic: Windows CE and Pocket PC Mobile Applications.” He is the Director of Software Development for Applied Data Systems.