Embedded system security: Get it right or pay mega bucks
29-03-2017 | By Paul Whytock
The major contributing factor jeopardizing embedded security is the prolific surge of IoT related products and systems that are hitting the market.
So why can’t all these new connectivity products that are going to brighten our lives be secure? And who is going to take responsibility for designing in robust security features?
You have the chip manufacturers that are supplying components to the original device manufacturers who in turn integrate their own design elements into the finished product. Then, providing the whole things works and has been created at a cost that means it will be competitively priced from the consumer perspective, it’s off to market.
So who is taking responsibility for system security during that process? By the time the product goes to market the chip manufacturer is already involved in creating their next IC design and cannot be asked to go back and make sure an older chip is secure. And as for the original device manufacturer well many of them don’t like to get too involved in costly engineering complexities.
The result is that security concerns often get the cold shoulder treatment.
£Billions Spent on Product Recalls
But a word of caution here. It may well pay manufacturers of embedded products to have a chat with car makers that have had to finance enormous product recalls because of design safety issues. Take the Toyota recall because of accelerator pedal problems. It involved 9 million cars and is estimated to have cost the company $5 billion!
However, given the apparent disregard for embedded security its not surprising a recent survey by embedded systems specialist, the Barr Group, uncovered some very worrying attitudes impacting safety critical device designs.
The astonishing headline fact from the survey was that over 20% of designers of potentially hazardous Internet related products are paying zilch attention to security issues.
Approximately 28% of the 1,700 qualified survey respondents (50% from North America, 27% from Europe, 14% from Asia, and 9% from other geographies) indicated the products they are designing now are capable in the event of a malfunction of causing injury or death to one or more people. This is particularly worrying because approximately half of these products will always or sometimes be connected to the Internet.
The Inevitable Hack
This connectivity immediately raises the question of hacking. It is unquestionably a fact that hackers are now turning their attention to all the devices and consumer products that make up the majority of the products driving the great IoT connectivity splurge. Only last week a very well known Germen manufacturer of high quality kitchen equipment admitted that one of its IoT-enabled designs had been successfully hacked. And car manufacturers are already deeply concerned that as vehicles become increasingly reliant on internet-connected systems they will be targeted by malicious hackers.
But despite these well recognised security vulnerabilities 22% of embedded systems engineers surveyed that were working on safety-critical products that would operate online said security was not even on their design requirements list for the product.
Survey findings also revealed that of the designers working on Internet-connected safety-critical projects 19% did not adhere to any coding standards, 36% used no static analysis tools and only 42% conducted occasional code reviews and some didn’t bother at all.
So if the industry creating all these IoT breakthrough products is not entirely motivated to ensure product security then who will be? I suspect that as the inevitable hacking issues that impact on safety issues hit the headlines there will be the product recall costs to pay coupled with plenty of pressure from consumer protection agencies that have the ability to seriously damage a product manufacturers market reputation.