
What strategies are best to ensure a secure embedded system?

Planning ahead in security testing helps to ensure a secure embedded system.

What strategies can I use to ensure embedded software is as secure as traditional application software? Is there extra security testing that should be done when working with embedded software systems?

There can certainly be a lot more to lose when embedded systems are attacked, but that shouldn't change your approach to how the software is developed. Regardless of the language, OS or hardware platform, the same strategies apply for application security. It all starts with the design. Threat modeling is key. This means looking at the overall system and determining everything from attack points to the specific exploits that can be carried out against the application.

Don't get too far off in the weeds worrying about embedded specifics. In the end, embedded system vulnerabilities are no different from those we see in traditional computer systems, such as:

  • Weak communication channels (e.g., known vulnerable versions of SSL)
  • Weak password and authentication mechanisms
  • Weak data storage methods

For every minute you plan in advance for the resiliency of your embedded systems, you'll often see payoffs of five- or tenfold. Take your time and do it properly.

When testing for embedded system security flaws, the general hacking methodology still applies:

  • Locate
  • Enumerate
  • Identify vulnerabilities
  • Exploit/demonstrate

That said, the specific means for finding and testing for embedded security flaws can differ from those used in traditional application security testing. In the case of embedded systems, you might still use traditional network and Web vulnerability scanners. However, depending on the embedded system platform, you might need a more niche tool set, including network analyzers, Bluetooth scanners and Wi-Fi analysis tools. Exploit tools such as Metasploit can be beneficial as well. Being comfortable with an OS command prompt will help.

In the end, embedded systems are fair game for security testing -- and malicious hacking. Do what you can to find (and fix) the flaws before someone calls you out on them and creates problems for others.
