Why Are We Still Having This Conversation?
Embedded Systems Still Not Secure
by lg0p89
Our computer systems run on software. Without this, the industry has a vast inventory of boat anchors, paperweights, and expensive equipment to prop doors open. With this, we have finely tuned equipment that works through miraculous tasks. With our dependency on these systems, seemingly, as a culture and industry we could learn from our oversights and mistakes. This begins in 2015 with the infamous Miller and Valasek Jeep hack. At this point in time, the embedded systems industry thought passwords made the products secure, no one would be interested in attacking wireless sensors or cellular, and a device with a singular function would never be a target. These faulty beliefs were clearly wrong and our industry was built on curing these issues.
Embedded systems continue to be excessively insecure, unfortunately. And these systems continue to be very accessible. There is no license required to purchase these. The cybersecurity researcher simply has to drive to an auto parts store, log into eBay, or call a junkyard to secure one or more of these units to test. Once secured, there are numerous online resources available to assist the researcher through the hardware configuration and operating system (e.g. CAN bus).
These systems are often not secured. The researcher simply has to connect to these and begin the attack. This is the case, especially with the CAN bus. Other systems may use Linux or Android for certain systems within a vehicle. These, while an improvement with regards to cybersecurity, still have ample vulnerabilities based on the version and other factors.
With these systems, due to their importance in our lives, security should be built in from the beginning phases through production. Adding this in as part of the last phase of the project has not and will not work. We've seen this repeatedly. Cybersecurity needs to be incorporated from the beginning and not bolted on at the end of the project, unless you enjoy the opportunity to fix the bug or vulnerability for your product located across the globe.
One of the crown jewels for the attackers is the data. This has to be secured at rest and when this is between the sender and receiver (in transit). When you don't have this in place with the appropriate measures working, there will be issues.
Finally, you should think like the attacker would. The person attacking your system isn't going to care about the project gates or deadlines and why the cybersecurity issues are not fully addressed or the thousandth of a penny you saved by not fully implementing adequate security. The attacker is focused on how to break into your system using present or past tools, or creating new ones to ensure their success.