• Français
  • English

Article I Navigating (cyber)security challenges within embedded devices

A decade ago, embedded device security was primarily overlooked and confined to specific use cases such as payment, connectivity, and identification. However, the surge in embedded technology across various sectors, including IoT, automotive, and energy, has made security a critical issue for both consumers and manufacturers.

Cybersecurity discussions frequently focus on threats like viruses and ransomware, which dominate headlines. For instance, in August 2022, South Staffordshire PLC, a British water company, fell victim to a Cl0p ransomware attack. Although the water supply remained unaffected, the incident exposed the susceptibility of IoT devices in vital sectors to cyber extortion and data breaches. Similarly, in March 2021, a hack of 150,000 Verkada surveillance cameras revealed vulnerabilities at high-security sites, prompting calls for stronger security measures.

Beyond these visible threats lies a less discussed yet equally damaging risk: code theft. A Thales 2020 study revealed that 30% of cybercrime revenues stem from Intellectual Property (IP) theft. Losing or having this code copied can severely impact a company’s revenue and reputation.

The Sega versus Accolade case illustrates this issue. Accolade reverse-engineered Sega’s Genesis console to publish games without paying royalties. Initially, a court ruled in Sega’s favor, forcing Accolade to recall its games. However, Accolade’s appeal succeeded, arguing that their reverse engineering was fair use, leading to a decision questioning the enforcement of IP rights on innovations.

These incidents underline the urgent need for standardized security protocols and heightened awareness to combat the evolving landscape of cyber threats, protecting both the technology and the intellectual property that drives innovation.

The cybersecurity challenges of embedded devices

Embedded systems deployed across various sectors face four significant IT security challenges:

1. Intellectual property protection (code confidentiality)

Creating innovative devices without secure software makes them vulnerable to espionage and counterfeiting, risking your R&D efforts and investments. The possibility of competitors cloning or stealing your technology highlights the crucial need for IP protection. Once IP is stolen, it’s challenging to prove the theft. Launching a successful application not only puts you ahead of competitors but also attracts unwanted attention. Competitors, tech providers, and customers may try to access and reverse engineer your source code, potentially bypassing security measures or license checks for their benefit.

Your code faces greater risks in certain scenarios, necessitating heightened IP protection, especially when exporting your app, sharing it with third parties, publishing it on platforms like the AppStore or Google Play, or after significant R&D investment has made your app highly valuable.

2. Code integrity

Code integrity is vital for the security and reliability of embedded systems in critical areas like automotive, medical, industrial, and consumer electronics. The 2010 Stuxnet incident highlights this, showing how malware can target infrastructure by exploiting software vulnerabilities, in this case, within SCADA systems, Windows OS, and Siemens Step7 software. Stuxnet altered industrial machinery behavior, causing physical damage to Iran’s nuclear centrifuges. This example underscores the need for robust, multi-layered security measures to protect against sophisticated cyber threats.

3. Data confidentiality & integrity

Cybersecurity isn’t just about protecting data in transit; it’s also crucial to safeguard data on devices to prevent theft or tampering. For embedded devices, ensuring data confidentiality and integrity – keeping information secret and unchanged – is vital during transmission and storage.

Take a smart home system: encryption keys across devices like smart locks and cameras need secure management. If a hacker gets a key from one device, they could access data across the network, risking personal information.

Similarly, in a manufacturing plant, if a sensor is hacked to change its readings, it could lead to wrong decisions, damage, or safety hazards.

4. Secure channel authentication and authorization

The diversity in embedded devices’ capabilities makes a universal solution for security difficult. Devices vary in processing power and connectivity, affecting their support for advanced security. Throughout a device’s lifecycle—from manufacturing to decommissioning—each phase has its own security needs. Secure setup of credentials is crucial at the start, and managing updates and revocations is key during use. Devices in public places risk physical tampering, so security must also protect against physical threats to keep data and device integrity intact.

Conclusion

In the battle against the cyber vulnerabilities plaguing embedded devices, security measures like obfuscation, Runtime Application Self-Protection (RASP), and whitebox cryptography are at the forefront. These technologies shield devices from current threats and adapt to counter future vulnerabilities, ensuring the protection of intellectual property and the integrity of critical systems. As we navigate this ever-evolving cybersecurity landscape, one question remains: What will the next generation of threats look like, and are we prepared to defend against them?
Watch our webinar

Webinar replay

Resecuring an IoT fleet after its market release

Follow us