Vol.6: Embedded Security: Security Embedded!

Cybersecurity for Embedded Computers has gained attention due to CRA, ransomware attacks and infrastructure sabotage. Yet, it’s not a new topic. There are many measures that can be implemented today with little effort but big impact.

Naturally, risk assessment will identify potential vulnerabilities as critical which may expose access to boot devices. Although a PC’s BIOS boot code is not active at runtime, a wanted or unwanted restart of a computer will always go through that code. So, it is key to reduce the attack surface of the BIOS as much as possible. Disabling features such as network boot which might allow a hacker to boot from another computer on the network is an obvious one. Moreover, BIOSes tend to have remote console features, i.e. the BIOS UI may be redirected over a network port. That feature should also be disabled or strong passwords should be used to enter the BIOS. At Advantech, we also offer additional features such as hiding BIOS configuration options that should not be accessible in the field or strictly fixing the boot order, e.g. to only boot from the integrated drive of the computer. You cannot corrupt a setting you don’t see or that is read-only.

However, stringent BIOS configurations may also restrict serviceability. It may be desirable that a service technician may boot a diagnostic image for troubleshooting and diagnosis in the field. One way to support this is via a special supervisor role & password in the BIOS, which may allow for a one time change of the boot order, e.g. from a USB stick. By requiring physical presence and special passwords, the attack probability is extremely reduced.

It’s fair to question if an attacker would mess around with the BIOS or rather try to install an alternate software from OS level or corrupt the existing installation. Well, most operating systems have quite good boot media/image protection features. Commercially supported OSes, compared to embedded, roll-your own OSes, also come with regular security updates, helping to keep the platform secure. And if that protection does not suffice, a secure BIOS can assure that only signed images are booted. Secure boot is supported on all our BIOSes but by default disabled as it complicates the manufacturing and logistic processes. But also there, we have come up with smart solutions, e.g. that Secure Boot will be automatically enabled once the customer installs the related keys in the platform’s TPM. That way, we do not need to take extra manufacturing steps, do not need to know customer’s keys and do not keep them updated on devices we stock for them.

Besides that, the BIOS exposes only very little attack surface as only some ACPI code related to handling some legacy platform features is active. Yet, some silicon platforms have additional management engines which support out-of-band management such as Intel’s Management Engine (ME). Here, there are also a few simple actions that apply: of course, keep the ME code up to date, leveraging latest security patches. Next, also disable unwanted features. For intel’s ME, there are various versions with different feature sets: there’s a full-blown version with a wealth of features but also a feature restricted version that only has the basic code to configure and bring up the silicon platform itself. Only deploy the version you need. If you deploy a featured version but then to fail to disable or properly configure the engine, you’ll leave latent backdoors into a system.

Talking about backdoors, network connectivity is the most obvious entry path into a platform. Here, comparably simple “IP whitelisting” can effectively restrict to which computers and networks a computer may connect. Why is this effective? Well, because most cyberattacks are multistage processes where hackers first breach into a computer and then establish a connection to infrastructure under their control to then break the next level of protection on the device. If you block the network access to that infrastructure, you stop the attack. A good example of a professional whitelisting solution is Trellix Endpoint Security, a package licensable through Advantech.

#EmbeddedSecurity #CRA #Cybersecurity #Embedded #EmbeddedComputing