Embedded Systems Security issues

      

In 2013, Nissan, Honda, and Subaru have all announced deadly problems linked to faulty embedded systems and sensors in their cars; they triggered premature airbag deployment and hard breaking assit that are supposed to function in emergency only. For Subaru, "the remote-start fob started cars on its own". In 2005, Toyota announced recalls of more than 150,000 cars because of code errors that cause the Prius to stall unexpectedly. In 2010, the same car manufacturer was responsible of the death of many innocent people because of faulty embedded systems that caused an unexpected acceleration .

To be able to fix these errors in embedded systems, the car must be wirelessly connected to the Internet so that the manufactures can patch the code remotely, in other words, an open gate to viruses attacks and new way to hack a person on the way! Nevertheless, embedded systems can be hacked without Internet connection; it can be done with an"ADC Code Injector"

But what is an Embedded System? 

An embedded system is a small computer hardware and software designed to do specific and very limited tasks and is implemented as part of a large system. The embedded system is composed of a single microprocessor board with software stored in Read Only Memory (ROM). Technically, all devices that have digital interface such as watches, microwaves, cars, routers, refrigerators, dishwashers, heating, ventilation, home alarm, Blu-Ray, garage, and air conditioning... use embedded systems .

All the above information let us ask a common question, how an attacker could get the processor to execute his/her code instead? Based on the article "Security fundamentals for embedded software", the attack happens by causing an array overflow via some commands such as alloca() or malloca(). The attacker looks into the storage of the analog-to-digital-converter (ADC) array, if it is stored on a stack, an array overflow occurs as shown in figure 2 whereas a normal stack is shown in figure 1.

Resources:

Finnie, S. (2012). Stuxnet Was a Wake-up Call, But Don’t Fall Back Asleep. Computerworld, 46(12), 60–60.

Higgins, K. J. (2012). Flame Gives Spyware A Next-Gen Update. InformationWeek, (1336), 20.

Kalinsky, D. (2012, March 24). Security fundamentals for embedded software. Retrieved October 28, 2014, from http://www.embedded.com/design/safety-and-security/4304104/1/Security-fundamentals-for-embedded-software

Rivière, P. (2011, March). Worm creates diplomatic wiggle room; Iran’s Stuxnet affair. Le Monde Diplomatique, English Ed., p. n/a. Paris, France.

Stallings, W. (2014). Operating Systems: Internals and Design Principles (8th ed.).

Traenkenschuh, J. (2013). Secure Your Embedded Systems Now! Retrieved from http://www.informit.com/articles/article.aspx?p=2140093

Webopedia. (2014). Embedded System. Retrieved from http://www.webopedia.com/TERM/E/embedded_system.html