Embedded device security and the Internet of things
Embedded systems need firewall protection
BY ALAN GRAU, President
Icon Labs
www.iconlabs.com
The “Internet of things” could also be called the “Internet of embedded devices.” Factory control systems, medical devices, cars, the smart grid, and communication systems are among the 5 billion embedded devices now connected to the Internet. Information technology research firm IDC is predicting that number will rise to 15 billion by 2015.
Any device connected to the Internet is subject to attack. Hacking drones constantly scan ranges of IP addresses, probing for vulnerabilities. Hackers are targeting embedded devices with growing frequency, and researchers are publishing accounts showing just how easily embedded devices can be hacked. One study at the Intrusion Detection Systems Lab at Columbia University found that embedded devices were over 15 times more vulnerable to Internet-based threats than enterprise networks. Other reports have described successful attacks against cars, photocopiers, and pacemakers.
Security issues for the Internet of things
Despite existing security measures, successful attacks against embedded devices are regularly reported. A review of these breaches reveals weak or default passwords and insider attacks as common causes. Many users make poor choices for passwords, leaving their device vulnerable to dictionary attacks or other brute-force attacks. Other systems are compromised through insider attacks by disgruntled employees with access to system passwords.
Defense-in-depth
Enterprise systems often use a defense-in-depth strategy in which multiple security layers protect against attacks. For embedded systems, this can be achieved by including a firewall, authentication, and encryption. The firewall protects the embedded device by controlling which packets are allowed to be processed. By blocking packets before they are processed by the device, attacks can be blocked before a connection is even established. The firewall can be thought of as enforcing a “don’t talk to strangers” rule, while authentication and encryption are like self-defense classes taught in case of attack. It’s good to be able to protect ourselves, but it’s better to avoid the fight.
Blocking attacks with an embedded firewall
The firewall achieves its goal by a filtering engine that compares packets to a set of rules that define trusted senders, supported protocols, and open ports. There are three types of filtering an embedded firewall may provide:
• Static filtering: filters packets based only on the information in the packet. This includes filtering based on port number, protocol, IP address, etc.
• Dynamic filtering or stateful packet inspection (SPI): filters packets based on the state of the connection.
• Threshold-based filtering: keeps statistics on the packets received and monitors for threshold crossings based on configured time intervals and threshold levels. If the number of packets received from a specific IP address during any time interval exceeds the pre-configured high-water threshold, future packets from that address will be dropped, blocking packet floods and denial-of-service (DoS) attacks.
An attacker attempting a dictionary attack on passwords, or even using a valid password obtained from an insider, would also be blocked by such a firewall: packets from a sender that is not on the trusted list are dropped before the login attempt is ever processed.
A firewall designed for embedded systems
A desktop or enterprise firewall is just too big and requires too many resources to function in an embedded environment. An embedded firewall must be small, efficient, and easily integrated with the operating system and TCP/IP stack of the embedded device. Ideally, the firewall would also support all three filtering methods, giving the engineer the greatest number of options for protecting their device. A method for configuring filtering rules and criteria, and for reporting blocked packets and possible attacks, is also an important feature.
One example of an available firewall designed to meet the requirements of embedded applications is called Floodgate and is a product from Icon Labs. Floodgate has a small footprint (as small as 24 Kbytes), low CPU processing impact, and is easily integrated with any embedded IP stack. It is delivered as a portable C library. The software package provides static filtering, threshold-based filtering, and stateful packet inspection. It can work with any embedded OS, and porting to a new OS and IP stack typically takes just a couple of days.