Embedded devices have embedded their way into our daily lives. From printers to CPAP machines and even the cars we drive, Embedded devices are in constant use and impact the majority of our lives daily. Every day, both consumers and manufacturers use embedded devices on a global scale. These devices are used across a variety of industries, from the medical industry to the communication industry to manufacturing. Embedded devices allow these companies to achieve greater efficiency and, in some cases, automation by replacing normal functionality handled by a human with an embedded device. An example of this type of automation could be if a guard that stands at a security gate was replaced by an automated system where an embedded device is controlled through Bluetooth to lock and unlock said security gate.
Along with the advantages these devices offer, including the massive global acceptance and usage of embedded devices, some market research companies estimate that the industry’s market cap will grow to $116.2 billion by 2025.
Along with the global acceptance of embedded devices that power some of the world’s most critical infrastructure and medical equipment, attackers are also increasing their attention to these devices. The increased attacker awareness towards these devices makes it paramount that proper security is implemented within embedded systems that are used within specific hyper-critical infrastructure or that are used for critical operations.
In today’s global security landscape, proper testing and assessments are highly sought after and necessary. Security assessments can help protect both the organization who produce and use embedded devices as well as the consumers who rely on these devices in their daily lives, understand the current exposed attack surface and potential weakness of a given device.
VerSprite’s VS-Labs Research Team specializes in performing assessments targeting a range of embedded devices. Each assessment starts with performing a thorough attack surface analysis for each device, as some devices or models have multiple devices within them. VS-Labs Research Team believes this is among one of the most crucial stages during an assessment because an improper analysis of one or any of the embedded devices within a single product can lead to an incomplete assessment and can lead to potential consumers being exposed to vulnerabilities due of improper security.
This blog post will briefly look at what the common attack surface is for many embedded devices and IoT-based devices, with a focus on local and remote attack surfaces.
One of the main goals for attackers, when dealing with the local attack surface of embedded devices, is to gain access to the underlying operating system in an attempt to either retrieve sensitive data and or information stored within the device or to alter the device’s behavior to perform malicious activity. When approaching the concept of local attack surface for embedded devices, it is important to note the different contexts of the term “Local” exist. Local access to these devices can range from an attacker having direct physical access to a device or even gaining access within a local range of the devices itself.
When assessing local attacks from physical access to a device, it is important to remember that many different hardware interfaces can be potentially abused to lead to unauthorized access. Some of the most common interfaces are UART and JTAG.
Attacks within a local range, but that are still considered “local”, would be attacks targeting potential radio-based protocols such as Bluetooth, baseband, or potentially a proprietary protocol that is implemented to support certain “remote” communication between devices.
While Bluetooth and baseband may not seem like they would fall under the possibility of “local attack” surfaces, both still require an attacker to be local, or within a certain physical distance, to the embedded device itself. Examples of these attacks from recent years targeting embedded medical devices, such as the novel Bluetooth attacks targeting pacemakers and other medical devices that implement Bluetooth capabilities. These attacks are commonly due to vulnerabilities within a given Bluetooth implementation being exploited to then compromise the medical device.
Unlike the somewhat “remote” attack surface described within the “Local Attack Surface” section, a remote attack against an embedded device must be able to be performed while an attacker is truly “remote”. These types of attacks are commonly a greater threat because the attacker can be located anywhere in the world and are commonly abused via the Internet.
Some of these Internet-based attacks are possible because manufacturers of these devices offer free updates via the Internet. Updates like this require the device to either be connected to the Internet all the time or connected during the time of update to receive either regular updates or patches.
Embedded devices can also have embedded web application portals for authentication to provide access to databases and or sensitive information. These embedded web applications can commonly be attacked via the Internet and act as a potential foothold for attackers to gain access to the device.
These Internet-borne attacks can be prevented by simply limiting the exposed attack surface to potentially only physical and or local vicinity-based communication. This will effectively eliminate the remote attack vectors and significantly reduce the number of vulnerabilities consumers and organizations face.
With the rampant increase of embedded devices becoming more accessible, and more integrated into the daily global operations of the world, it is important to try and be as proactive as possible when it comes to securing these systems. Attackers are always looking for new ways to either exfiltrate sensitive data or cause disruption of potentially sensitive operations. One of the first steps to preventing attackers from being successful is by proper security assessments by teams like VerSprite’s VS-Labs. For more information on attack surface analysis, visit the VS-Labs resource center today.
Maintain awareness regarding unknown threats to your products, technologies, and enterprise networks. Organizations that are willing to take the next step in proactively securing their flagship product or environment can leverage our zero-day vulnerability research offering. Our subscription-based capability provides your organization with immediate access to zero-day vulnerabilities affecting your products and software. Contact VerSprite →