The rise of the Internet of Things will drive a rethink in security, Green Hills Software CTO David Kleidermacher claimed in his keynote speech at Embedded World 2014 in Nürnberg, Germany this week (25 February 2014). He cited the recent hack attack on retailer Target as an example of how vulnerable embedded devices are.
“If you think we have a big security problem with a billion smartphones, think what will happen when we have a trillion autonomous objects,” said Kleidermacher. “It’s going to be a very big challenge for security.”
Kleidermacher argued that the tendency to secure servers rather than embedded devices – “the centralisation myth” – is misplaced. “People think if only we lock down the server really well that will solve the problem. If we fail to protect the things, attackers will go after the things. The second part of the myth is that there isn’t valuable information on the edge. That isn’t true,” he said, pointing to the recent attack on US retailer Target.
“If you are an attacker and you are going after Target, do you go after Target’s centralised systems or do you go after the endpoints, the point-of-sale systems? The attackers went after the point-of-sale systems and installed malware on them.”
Kleidermacher identified five elements that embedded systems designers need to implement to make their designs secure. The first is to reverse the trend of giving software too many privileges by default, potentially removing any privileges unless the software provides a valid key. The second is to componentize the environment, using microkernel-based operating systems to reduce the amount of software that runs at system rather than user level.
Using software structures that reduce complexity is important to both security and maintainability, he said. Developers should employ secure development processes that make use of automated test and verification strategies. Finally, he said, expert validation is needed to check that the final implementation is indeed secure.
“This is a call to action. We can’t wait around for the next breach,” said Kleidermacher.