Who Needs Embedded Security?

The era of IoT has changed embedded systems forever. In most cases the benefits of connecting a product are incredibly productive. Software updates, connection to cloud services and analytics are just a few great benefits to the world of IoT. On the other hand, connecting embedded devices has also exposed many products and systems to security threats, just like the security threats our home computers went through when the internet was launched back in 1983.

To protect us from these threats, huge organisations were formed who specialised in protecting our computers from internet hackers. We are now entering into a world where companies building embedded products have to think about this same security threat, just like we all did in 1983. The microcontrollers used in today’s embedded products are far more powerful than our computers in 1983, think of the damage that can be caused by hackers hacking into a connected product that is within a home network.

So how do we deal with IoT or embedded security? An embedded system isn’t like a home computer, where we can just download the latest anti-virus software from the internet. The answer is that security has to be built into an embedded product from the beginning of its life, the engineers building our embedded products need to build in security from the outset.

You might be considering what damage can a hacker do to my toaster, hair-dryer or e-scooter, to name just a few examples. These 3 examples all use significant levels of power and it’s not uncommon for them to be connected to a cloud service, for example, so that you can start your toaster from your bed, how nice is that when you get up in a morning! What wouldn’t be so nice is that a hacker had managed to hack into the microcontroller of the toaster, change its control to the heating element and subsequently managed to create a fire in your kitchen. Yes, this can happen if the company who built it didn’t secure the microcontroller. Think about the hair-dryer and e-scooter applications, unfortunately a very similar outcome.

To solve such a problem, there are two fundamental things which can be done. Firstly, make sure that the communication is secure. This starts by putting an authenticated identity into the microcontroller. This means that only people that know this identity can connect to it. Think about it like a driving license, where you have a driving license number which has been authenticated by the driving authorities. The same applies to an embedded products identity. It has to be authenticated by something that is trusted. Secondly, make the firmware of the microcontroller unreadable by encrypting it. If a hacker can’t determine what the original code is doing, then they can’t modify it.

So far, we’ve only talked about connected products, IoT. There are also significant risks appearing in non-connected products, for example, in the supply chain. Embedded products are often made in developing countries where security isn’t a prime consideration. How easy would it be for a maliciously damaged firmware file to be programmed into a microcontroller on the production line? In many cases, unfortunately the answer to this is fairly easy. The good news is, that the same tools that are used to protect IoT devices, can also protect the supply chain. If encrypted files are used to program the microcontroller, then fraudulent versions cannot be created. The same tools can be used to protect a companies IP in exactly the same way. If the IP is encrypted, it can’t be stolen.

To conclude, if you are a company manufacturing an embedded product that is connected to a network or the internet, has valuable IP stored in the microcontroller or has a complex manufacturing supply chain, embedded security can protect your products from malicious attacks causing malicious damage to your customers and stop IP theft, enabling your competition to build copies of your product.