The Heartbleed security bug is a really big deal, especially given today’s hyper-connected, information obsessed society. This nasty bug, which has been characterized as “catastrophic” by industry gurus, permits anyone on the Internet to access the memory of systems using various versions of OpenSSL software. This is ironic since that very software was specifically designed to protect data.
Nevertheless, Heartbleed exposes secret keys used for authentication and encryption, which are the two primary foundations of how security is generally ensured. By exposing keys Heartbleed thus exposes actual data, user names, and user passwords to anyone. This is virtually everything. Ouch! Attackers (i.e. hackers, cybercriminals, spies, state-sponsored electronic armies, and others with malevolent intent) can observe and steal data without a trace, which is virtually the literal industry definition of the term “man-in-the-middle” attack.
The threat that Heartbleed represents has rightly gained widespread attention. Fortunately, such attention has stimulated a major market reaction and lead to whole scale changing of user passwords, proliferation of patches, and other fixes. It has also brought the need for more extensive code testing into the open. Heartbleed and other major security revelations are making people look at security much more seriously, which also extends to embedded systems.
Frankly, it is about time. Embedded system insecurity gained major notoriety recently with the revelation that commercial WiFi routers have old and buggy firmware that can be used as a back door into home and commercial networks. Such loopholes were in fact used by a criminal organization in Eastern Europe to steal cash. The risk was amplified by the revelation that mischievous “agencies” tasked with collecting and processing information without permission can exploit the vulnerabilities at will.
Embedded system firmware insecurity affects individuals, institutions, governments, and corporations—which is pretty much everyone. Highly respected market researchers have noted that bad behavior and bad actors are running rampant. For example, the number of active threat groups being tracked has risen to over 300, which is more than 400% higher than in 2011. Nation-states have become hyper-active in cyber-espionage and hacking. This is because it is now possible to literally upload damage to a target, which is kind of a science fiction scenario come true.
In the same vein, secret information is easily downloaded, especially with security vulnerabilities from Heartbleed, router back-doors, and others. More than 95% of networks have become compromised in some way, and directed attacks will only get worse as mobile platforms continue to expand worldwide. An unnerving figure is that vulnerable systems placed on the Internet are being compromised now in less than 15 minutes. That is not really a surprise given the wildly disproportionate cost / ”benefit” of cyber meddling, which is devilishly tempting to malicious operators.
The security situation is extremely complicated for embedded systems because embedded firmware is highly fragmented, difficult to update, hard to track, often obsolete, hard to access, and employs a wide range of processors and code languages. The router loopholes mentioned above are in fact a direct expression of the vulnerabilities endemic to embedded systems and the severe damage those vulnerabilities can cause downstream. It is now clear that embedded system vulnerabilities affect everyone. So, the question becomes, “What can be done to increase security in embedded systems?”
As Heartbleed and cyber attacks have illustrated, encryption and authentication keys must be protected. There is no other option. Cryptography may be mathematically and systematically ultra-detailed and uber-complicated, but the most important and fundamental security concept is beyond simple: namely, “Keep the secret keys secret.” The best way to do that is to lock the secret keys in protected hardware devices.
Hardware key storage beats software key storage every time, which is one of the “key” lessons of the recent vulnerability revelations. But how does an embedded system manufacturer ensure their products are secure and protected from attack? Fortunately, the solution is simple, available, and cost effective, and that is to use hardware key storage devices such as Atmel’s ATSHA204A, ATECC108A and ATAES132.
These products are all designed to secure authentication by providing a hardware-based storage location with an impressive range of proven physical defense mechanisms, as well as secure cryptographic algorithms and processes. Go to the links above for more details or the introduction page CryptoAuthentication.
Future Bits & Pieces posts will describe the different types of authentication and the various steps that the devices and associated processors implement.
For those looking for a way to use Atmel’s CryptoAuthentication chips, plus Atmel’s TPM, from embedded Linux, check out the CryptoCape available from SparkFun Electronics: https://www.sparkfun.com/products/12773