In 2015, two cybersecurity researchers, Charlie Miller and Chris Valasek, demonstrated that a Jeep Cherokee could be hacked and its critical systems commandeered over the internet.
They were able to completely disable the vehicle in one scenario; later they showed how they could arbitrarily control the vehicle’s acceleration, steering and braking.
Chrysler recalled 1.4 million of the vehicles to patch the exposed vulnerabilities, at great expense (and embarrassment) to the company.
Miller and Valasek demonstrated how vulnerable embedded systems can be, and why hackers are particularly interested in Internet of Things (IoT) devices and other embedded systems and software as targets.
For one thing, embedded systems are accessible. If you want to hack into a device, you purchase one and go to work on it, with little or no chance of your activities being detected. It’s much easier and lower-risk than trying to get through layers of physical or electronic security to sneak into someone’s database server.
Also, patching an embedded system can be challenging. Experts in this field say that the ability to field-update embedded software has to be designed into the system. If the designers fail to understand the importance of device security, they may implement this ability poorly or not at all. It’s also not unheard of for designers (often under pressure) to eliminate that ability in the name of reducing development and production costs.
Additionally, the problem often comes down to there simply being too many embedded devices to patch reliably. In the automotive industry, for example, the recall process may not be all that effective. Even where a patch is available and easily implemented, a huge number of devices can be counted on to go unrepaired, leaving vulnerabilities open to exploitation for years to come.
Given both the current ubiquity of embedded systems and their expected explosive growth, the cybersecurity risk is serious and growing. Security assumptions that sufficed when embedded systems were uncommon novelties are no longer relevant.
Want to learn more? Tonex offers Embedded Software Security Training, a 2-day course that explores the foundations of embedded software security. Participants learn about important embedded software vulnerabilities and attacks that exploit them.