Philip Koopman, Carnegie Mellon University
July 2004

Security for embedded systems involves issues beyond those problems currently being addressed for enterprise and desktop computing.

From cars to cell phones, video equipment to MP3 players, and dishwashers to home thermostats, embedded computers increasingly permeate our lives. But security for these systems is an open question and could prove a more difficult long-term problem than security does today for desktop and enterprise computing.

Security issues are nothing new for embedded systems. In 2001, Peter Shipley and Simson L. Garfinkel reported finding an unprotected modem line to a system that controlled a high-voltage power transmission line ("An Analysis of Dial-Up Modems and Vulnerabilities," 2001; www.dis.org/filez/Wardial_ShipleyGarfinkel.pdf). However, as more embedded systems are connected to the Internet, the potential damages from such vulnerabilities scale up dramatically.

This issue is already upon us. Today you can buy Internet-enabled home appliances and security systems, and some hospitals use wireless IP networks for patient care equipment. Cars will inevitably have indirect Internet connections—via a firewall or two—to safety-critical control systems. There have already been proposals for using wireless roadside transmitters to send real-time speed limit changes to engine control computers. There is even a proposal for passenger jets to use IP for their primary flight controls, just a few firewalls away from passengers cruising the Web (Aeronautical Radio, Inc., "Draft 1 of Project Paper 664, 'Aircraft Data Networks,' Part 5, 'Network Interconnection Devices,'" AEEC Letter 01-112/SAI/742, 2 May 2001).

WHAT'S DIFFERENT ABOUT EMBEDDED SECURITY?
Internet connections expose applications to intrusions and malicious attacks. Unfortunately, security techniques developed for enterprise and desktop computing might not satisfy embedded application requirements.

Cost sensitivity
Embedded systems are often highly cost sensitive—even five cents can make a big difference when building millions of units per year. For this reason, most CPUs manufactured worldwide use 4- and 8-bit processors, which have limited room for security overhead. Many 8-bit microcontrollers, for example, can't store a big cryptographic key. This can make best practices from the enterprise world too expensive to be practical in embedded applications.

Cutting corners on security to reduce hardware costs can give a competitor a market advantage for price-sensitive products. And if there is no quantitative measure of security before a product is deployed, who is to say how much to spend on it?

Many embedded systems interact with the real world. A security breach thus can result in physical side effects, including property damage, personal injury, and even death. Backing out financial transactions can repair some enterprise security breaches, but reversing a car crash isn't possible.

Unlike transaction-oriented enterprise computing, embedded systems often perform periodic computations to run control loops with real-time deadlines. Speeds can easily reach 20 loops per second even for mundane tasks. When a delay of only a fraction of a second can cause a loss of control-loop stability, systems become vulnerable to attacks designed to disrupt system timing.

Embedded systems often have no real system administrator. Who's the sysadmin for an Internet-connected washing machine? Who will ensure that only strong passwords are used? How is a security update handled? What if an attacker takes over the washing machine and uses it as a platform to launch distributed denial-of-service (DoS) attacks against a government agency?

Energy constraints
Embedded systems often have significant energy constraints, and many are battery powered. Some embedded systems can get a fresh battery charge daily, but others must last months or years on a single battery.
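The control-loop timing problem raised above (20 loops per second, loss of stability after a delay of only a fraction of a second) is concrete enough to sketch one defensive measure. The C code below is an added example, not code from the column or from any product: a deadline monitor that watches each iteration of a periodic loop and, after a run of late starts or overruns, latches the actuator into a safe default instead of letting a timing-disrupted loop keep driving it. The 50 ms period follows from the column's 20 loops per second; the 10 ms slack, the three-miss threshold, the timelines and all identifiers are assumptions.

```c
/* Added example (not from the column): a deadline monitor for a periodic
 * control loop that detects timing disruption and forces a safe state.
 * The 50 ms period matches the column's 20 loops per second; the slack,
 * the miss threshold and the timelines below are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LOOP_PERIOD_MS          50U  /* 20 control iterations per second */
#define START_SLACK_MS          10U  /* an iteration may start up to 10 ms late */
#define MAX_CONSECUTIVE_MISSES   3U  /* then the actuator goes to its safe default */

typedef struct {
    uint32_t last_start_ms;       /* start time of the previous iteration */
    uint32_t consecutive_misses;  /* late starts or overruns in a row */
    uint32_t total_misses;
    bool     safe_state;          /* true once the monitor has tripped */
} deadline_monitor_t;

void monitor_init(deadline_monitor_t *m, uint32_t now_ms) {
    m->last_start_ms = now_ms;
    m->consecutive_misses = 0;
    m->total_misses = 0;
    m->safe_state = false;
}

/* Called once per iteration with its start and end times (ms since boot).
 * Returns true if the computed actuator output may be applied; false means
 * the monitor has tripped and the actuator must stay at its safe default.
 * Unsigned subtraction keeps the arithmetic correct across counter wrap. */
bool monitor_check(deadline_monitor_t *m, uint32_t start_ms, uint32_t end_ms) {
    uint32_t gap     = start_ms - m->last_start_ms;  /* time since previous start */
    uint32_t runtime = end_ms - start_ms;
    bool late_start  = gap > LOOP_PERIOD_MS + START_SLACK_MS;
    bool overrun     = runtime > LOOP_PERIOD_MS;     /* ran past its own period */
    m->last_start_ms = start_ms;

    if (late_start || overrun) {
        m->consecutive_misses++;
        m->total_misses++;
        if (m->consecutive_misses >= MAX_CONSECUTIVE_MISSES)
            m->safe_state = true;   /* latched until monitor_init() is called again */
    } else {
        m->consecutive_misses = 0;  /* an isolated hiccup is tolerated */
    }
    return !m->safe_state;
}

/* Feed a timeline of (start, end) pairs through the monitor. Returns the index of
 * the iteration at which the safe state was entered, or -1 if it never tripped.
 * Passing m == NULL uses a local monitor. */
int run_timeline(deadline_monitor_t *m, const uint32_t *starts, const uint32_t *ends, size_t n) {
    deadline_monitor_t local;
    int tripped_at = -1;
    if (m == NULL) m = &local;
    monitor_init(m, n ? starts[0] : 0);
    for (size_t i = 0; i < n; i++) {
        if (!monitor_check(m, starts[i], ends[i]) && tripped_at < 0) tripped_at = (int)i;
    }
    return tripped_at;
}

/* Constructed timeline: six on-time iterations, then the loop is starved for
 * three periods at a time (as can happen when the CPU is flooded with network
 * traffic), then it recovers. The monitor trips at iteration index 8. */
int scenario_starved_loop(deadline_monitor_t *m) {
    static const uint32_t starts[] = {0, 50, 100, 150, 200, 250, 400, 550, 700, 750, 800};
    static const uint32_t ends[]   = {5, 55, 106, 155, 204, 255, 405, 555, 705, 755, 805};
    return run_timeline(m, starts, ends, sizeof starts / sizeof starts[0]);
}

/* Constructed timeline: one overrun (70 ms of work) followed by recovery never trips. */
int scenario_single_overrun(deadline_monitor_t *m) {
    static const uint32_t starts[] = {0, 50, 100, 150, 200};
    static const uint32_t ends[]   = {5, 120, 105, 155, 205};
    return run_timeline(m, starts, ends, sizeof starts / sizeof starts[0]);
}

int main(void) {
    deadline_monitor_t m;
    int at = scenario_starved_loop(&m);
    printf("starved loop: tripped at iteration %d, %u misses total\n", at, (unsigned)m.total_misses);
    printf("single overrun: tripped at %d\n", scenario_single_overrun(&m));
    return 0;
}
```

With these parameters the monitor reacts within three periods (150 ms on the constructed timeline), which is the kind of response time the column's closing question about intrusion detection for a 50-millisecond loop is asking for. What the safe default is (valve closed, motor stopped, last known-good output) is an application decision the monitor cannot make for you, and the threshold trades false trips against how long a disrupted loop is allowed to keep actuating.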
By seeking to drain the battery, an attacker can cause system failure even when breaking into the system is impossible. This vulnerability is critical, for example, in battery-powered devices that use power-hungry wireless communication.

Development environment
Many embedded systems are created by small development teams or even lone engineers. Organizations that write only a few kilobytes of code per year usually can't afford a security specialist and often don't realize they need one. However, even seemingly trivial programs may need to provide some level of security assurance. Until standard development practice includes rigorous security analysis, developers may overlook even the solutions already available.

EXAMPLE: INTERNET THERMOSTATS
Because embedded systems can effect changes in the physical world, the consequences of exploiting their security vulnerabilities can go beyond mere annoyance to significant societal disruption.

Let's dispense with the most obvious potential attack first. Attackers that break into a computer and get complete control of it can do anything they want with the attached sensors and actuators—send commands to traffic lights, shut down power stations, and so on. We could argue that industrial-strength security approaches will take care of the really big systems, but smaller systems are less likely to receive lavish attention.

Consider, for example, the household thermostat, which controls heating and cooling. Many have an embedded computer that adjusts the set point a few times each day to keep the house comfortable when people are present and to save energy when they aren't.

Some thermostats let a homeowner use the Internet, perhaps via cell phone, to communicate imminent arrival home after a vacation or a day at work. This gives the thermostat time to reach a comfortable temperature before the owner actually arrives.

However, allowing Internet control of a thermostat gives rise to several potential attacks.

Centralized control
If the system permits transition only between a pair of "comfort" and "saver" set points, an attacker could send false "I'm coming home" messages to change set points and waste energy. If it permits arbitrarily changing set points, the attacker could subject the house to extremes of heat and cold or even turn off the system, causing pipes to freeze in the winter and pets to die of heat in the summer.

Of course, a properly designed system with safety interlocks and a well-administered password policy could prevent this from happening. But the potential for it to occur makes it a threat that must be countered.

Internet thermostats also offer utility companies the possibility of suggesting or demanding changes in thermostat operation during periods of peak demand. Some US electric power companies already use radio commands to disable or reduce the duty cycle of air conditioning units during peak loads. Utility customers volunteer to do this and are compensated for the inconvenience.

Internet thermostats can make this process more sophisticated. The utility could instruct each thermostat to change its set point a few degrees to ease power requirements during peak loads. Because air conditioners form a significant part of peak electricity demand during hot summer days, this mechanism could make the difference between a blackout and continued operation of the power grid.

But such a system creates potential vulnerabilities. For example, someone might trick a number of thermostats into thinking that it is not a peak day, thereby increasing demand. If done on a broad enough scale, this could cause power-grid failure, especially if the electricity provider has factored the ability to change set points into its plan for sizing its generating capacity.

Centralized control for a power-saving scheme can create even more serious problems. Attacks that successfully break into the central control computer for set point commands, or even just spoof commands, can attempt to coordinate power consumption among many homes.

What if someone wrote a virus that took over computers for the purpose of launching attacks on all Internet-connected thermostats? The approach could be subtle, such as bumping thermostat temperature a bit hotter in the winter or cooler in the summer to increase energy consumption and inflate utility bills. Or it could be not so subtle: If all the thermostats in a city suddenly activated their air conditioners simultaneously during a peak load period, the power surge could cause a significant problem.

Then there are pranks. What if some kid on the other side of the world decided to change your thermostat setting by 20 degrees while you were asleep every night? (Actually, using your home control system to flash your lights on and off might be more entertaining, but we're talking about thermostats.)

Battery attacks
Many thermostats, including at least one Internet brand, are battery powered. This is partly because line voltage isn't available and partly because safely converting line voltage to a thermostat's needs takes a large converter that costs money, requires extra wiring, and complicates electrical safety.

Some thermostats use wireless networking to avoid wiring costs, but too
many networking conversations can run the battery down quickly. If the thermostat is connected to the Internet, an attacker could run the battery down simply by repeatedly querying the thermostat's status.

A low-voltage detection circuit could disable the wireless connection before the battery died, but the developer needs to design this capability into the system.

Privacy
A person who can monitor your thermostat setting could also determine whether you're likely to be asleep, at home, or out of the house. Even if an attacker can't query the thermostat directly, simply monitoring traffic for inbound packets talking to the thermostat can indicate whether the house is vacant—and a potential burglary target.

An Internet-enabled thermostat can also let Big Brother monitor whether you're setting it properly to do your part for an energy crisis—and set it for you if you're not. Some gas, water, and electric meters already report to utility companies via modem, so the infrastructure for automated utility monitoring is already in place.

A thermostat controls only a limited amount of energy release, and people are often around to notice it's misbehaving. Other application areas are more challenging—for example, connecting vehicles to the Internet.

In many ways, we aren't ready to deal with the security challenges we are sure to face. Some involve simply ensuring that design teams acquire the right skills as they start making products that are exposed to security risks, but others involve significant research before we can hope to address them. For example, how do we create impenetrable firewalls to keep attackers from manipulating safety-critical sensors and actuators? How can we ensure that real-time deadlines will be met, even in the face of DoS attacks or compromised system components? Can we create intrusion-detection systems that can respond fast enough to restore a system to correct operation before a 50-millisecond control loop loses stability? Can we securely upgrade unattended embedded systems without being vulnerable to attacks on the upgrading mechanism? Can we detect and avoid attacks designed to drain batteries? Can we do all this on a $1 microcontroller?

We have made progress on some of these problems, of course. But some important areas aren't on enterprise-focused research agendas, and the need for embedded security is already upon us.

Philip Koopman is an associate professor in the Department of Electrical and Computer Engineering at Carnegie Mellon University, where he is also a member of the Institute for Complex Engineered Systems and the Institute for Software Research International. Contact him at firstname.lastname@example.org.
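For the thermostat example, the column says that a properly designed system with safety interlocks could prevent the extremes of heat and cold described under "Centralized control," and that a low-voltage detection circuit could shut off the wireless link before the battery dies, if the developer designs it in ("Battery attacks"). The C code below is an added example, not code from the column or from any thermostat vendor, of what that firmware logic can look like: a network command may switch between the owner's comfort and saver presets or nudge the set point a few degrees, but can never push it outside a hard safe band or switch the system off, and the radio refuses status replies when the battery is low or the hourly reply budget is spent. The band limits, step size, reply budget, voltage threshold and all identifiers are assumed values.

```c
/* Added example (not code from the column or from any thermostat vendor):
 * safety interlocks on network set-point commands plus a battery-protecting
 * radio policy for a wireless Internet thermostat. Limits and names are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Temperatures in tenths of a degree F; the safe band is enforced on every command. */
#define SETPOINT_MIN_TENTHS    450  /* 45.0 F: lower risks frozen pipes */
#define SETPOINT_MAX_TENTHS    900  /* 90.0 F: higher endangers occupants and pets */
#define MAX_REMOTE_STEP_TENTHS  50  /* one network command may move the set point 5.0 F */
#define BATTERY_CUTOFF_MV     2200  /* below this, stop answering radio queries */
#define QUERY_BUDGET_PER_HOUR   60  /* status replies allowed per hour */

typedef enum { MODE_COMFORT, MODE_SAVER } sched_mode_t;
typedef enum { CMD_SET_MODE, CMD_SET_POINT, CMD_SYSTEM_OFF } cmd_kind_t;
typedef enum { CMD_APPLIED, CMD_CLAMPED, CMD_REJECTED } cmd_result_t;

typedef struct {
    int16_t comfort_tenths, saver_tenths; /* owner-programmed presets */
    int16_t current_tenths;               /* active set point */
    bool    system_on;
} thermostat_t;

typedef struct {
    cmd_kind_t   kind;
    bool         from_local_panel; /* false (the default): the command arrived over the network */
    int16_t      value_tenths;     /* for CMD_SET_POINT */
    sched_mode_t mode;             /* for CMD_SET_MODE */
} command_t;

static int16_t clamp(int16_t v, int16_t lo, int16_t hi) { return v < lo ? lo : (v > hi ? hi : v); }

void thermostat_init(thermostat_t *t, int16_t comfort, int16_t saver) {
    t->comfort_tenths = clamp(comfort, SETPOINT_MIN_TENTHS, SETPOINT_MAX_TENTHS);
    t->saver_tenths   = clamp(saver, SETPOINT_MIN_TENTHS, SETPOINT_MAX_TENTHS);
    t->current_tenths = t->saver_tenths;
    t->system_on      = true;
}

/* Interlocks: a mode change only switches between the two in-band presets; a network
 * command may nudge but not jump the set point; every target is clamped to the safe
 * band; and nothing arriving over the network can switch the system off. */
cmd_result_t apply_command(thermostat_t *t, const command_t *c) {
    cmd_result_t r = CMD_APPLIED;
    int16_t target;
    switch (c->kind) {
    case CMD_SET_MODE:
        t->current_tenths = (c->mode == MODE_COMFORT) ? t->comfort_tenths : t->saver_tenths;
        return CMD_APPLIED;
    case CMD_SET_POINT:
        target = c->value_tenths;
        if (!c->from_local_panel) {
            int16_t lo = t->current_tenths - MAX_REMOTE_STEP_TENTHS;
            int16_t hi = t->current_tenths + MAX_REMOTE_STEP_TENTHS;
            if (target < lo || target > hi) { target = clamp(target, lo, hi); r = CMD_CLAMPED; }
        }
        if (target < SETPOINT_MIN_TENTHS || target > SETPOINT_MAX_TENTHS) {
            target = clamp(target, SETPOINT_MIN_TENTHS, SETPOINT_MAX_TENTHS);
            r = CMD_CLAMPED;
        }
        t->current_tenths = target;
        return r;
    case CMD_SYSTEM_OFF:
        if (!c->from_local_panel) return CMD_REJECTED;
        t->system_on = false;
        return CMD_APPLIED;
    }
    return CMD_REJECTED;
}

/* Battery protection: a low-voltage cutoff plus an hourly reply budget, so that
 * repeated status queries from the network cannot run the battery down. */
typedef struct { uint16_t battery_mv; uint32_t window_start_s; uint16_t replies_in_window; } radio_t;

bool radio_may_reply(radio_t *r, uint32_t now_s) {
    if (r->battery_mv < BATTERY_CUTOFF_MV) return false;
    if (now_s - r->window_start_s >= 3600U) { r->window_start_s = now_s; r->replies_in_window = 0; }
    if (r->replies_in_window >= QUERY_BUDGET_PER_HOUR) return false;
    r->replies_in_window++;
    return true;
}

/* Constructed scenarios (inputs are made up for illustration). */
int scenario_remote_jump(void) { /* network asks for 95.0 F right after "I'm coming home" */
    thermostat_t t; thermostat_init(&t, 700, 620);
    command_t home = { .kind = CMD_SET_MODE, .mode = MODE_COMFORT };
    command_t hot  = { .kind = CMD_SET_POINT, .value_tenths = 950 };
    apply_command(&t, &home); apply_command(&t, &hot);
    return t.current_tenths; /* 750: one step above comfort, still inside the band */
}
int scenario_remote_off(void) { /* network tries to switch the system off; 1 if it stayed on */
    thermostat_t t; thermostat_init(&t, 700, 620);
    command_t off = { .kind = CMD_SYSTEM_OFF };
    return apply_command(&t, &off) == CMD_REJECTED && t.system_on;
}
int scenario_polling(uint32_t queries, uint32_t interval_s, uint16_t battery_mv) {
    radio_t r = { battery_mv, 0, 0 }; int replies = 0;
    for (uint32_t i = 0; i < queries; i++) replies += radio_may_reply(&r, i * interval_s);
    return replies; /* how many of the polls the thermostat actually answered */
}
int main(void) {
    printf("remote jump -> %d tenths; remote off rejected: %d; replies to 1000 polls: %d\n",
           scenario_remote_jump(), scenario_remote_off(), scenario_polling(1000, 1, 3000));
    return 0;
}
```

The point of separating "from the local panel" from "from the network" is that the wall unit is where a person can see and correct the result, so the interlocks bite hardest on the path an attacker can reach. The reply budget bounds the energy a remote party can make the radio spend in an hour regardless of how the query is authenticated, and the voltage cutoff keeps the thermostat's own control function alive after the radio has been sacrificed.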