2.6 - Embedded and Specialized Systems Flashcards

Security Implications of Embedded and Specialized Systems

1
Q

Embedded Systems

A
  • Hardware and software designed for a SPECIFI function
  • Or to operate as part of a larger system
  • Created with single goal in mind, often with specific hardware to fit a specific size or cost
  • Ex: traffic light controllers, digital watch, medical imaging system
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

SoC

A
  • System on a Chip
  • Often Embedded Systems are running on an SoC
  • multiple components running on a single chip
  • Very flexible, can buy off the shelf, customizable, usually memory built and low power, don’t require a lot of power
  • Security considerations: hardware might not be able to upgraded (if components are soldered to motherboard). Although might be easy to change software, can’t add hardware (like security components)
  • Difficult to find firewall you could integrate with a Raspberry Pi for example
  • Ex: Raspberry Pi
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

FPGA

A
  • Field Programmable Gate Array
  • An integrated circuit that you can program after device is shipped
  • Array of logic blocks, programmed in the field
  • A problem doesn’t require a hardware replacement (can be reprogrammed)
    Can have new software pushed to device, provides a lot of flexibility for developer (can modify functionality)
  • Common in infrastructure (firewalls, routers, switches all use FPGAs commonly)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

SCADA / ICS

A
  • Supervisory Control and Data Acquisition System
  • Large-scale, multi-site Industrial Control System (ICS)
  • Commonly found where there is a lot of industrial facility (ex: manufacturing facilities, industrial, energy, logistics)
  • Not the kind of systems you would connect to the internet (not practical or secure), it would be segmented off internet
  • Good for distributed control systems, provides real-time information and system control
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

IoT

A
  • Internet of Things
  • Connected to the internet
  • Ex: Sensors (Heading / cooling / lighting)
  • “smart devices” can be connected to many different type of systems in homes / businesses (home automation, video door bells)
  • Ex: smart watch
  • Ex: Facility automation (temperature, air quality, lighting etc)
  • However, these aren’t necessarily things that been created by security pros
  • Weak defaults
  • You could create a segmented network in your home just for IoT, so if there was a breach, they wouldn’t have access to your home computing network
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Specialized devices

A
  • Ex: Medical Devices, are very specialized, but often run older versions of OS
  • Vehicles, internal network often accessible from mobile networks
  • Aircraft DoS could damage the aircraft
  • Smart meters - measure power / water usage
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

VoIP

A
  • Voice over Internet Protocol
  • Instead of analog phone line or POTS (Plain Old Telephone Service)
  • Relatively complexed embedded systems
  • Each VoIP phone is a stand alone computer, separate boot processes, individual configurations, different capabilities/ functionalities
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

HVAC

A
  • Heating, Venting, and Air Conditioning systems
  • Usually very complex, integrated with fire system
  • Common in large HVAC to have a computer monitor the HVAC, computer can monitor and make changes
  • Traditionally not built with security in mind (difficult to recover from an infrastructure DoS)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Drones

A
  • Flying vehicle, no pilot
  • may be manually controlled from the ground, or can be semi-autonomous
  • Extensive commercial / non commercial use
  • May require federal license
  • Security and fail safes are required
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

MFD

A
  • Multifunction Devices (Printers, scanners and fax machines in one)
  • Very sophisticated firmware
  • Some images are stored locally, can be retrieved externally (security risk)
  • Logs on device can give attackers info on who has communicated with device
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

RTOS

A
  • Real-Time Operating System
  • An OS with a deterministic processing schedule
  • no time to wait for other processes, no other processes can override it
  • Often used in automobiles, military environments, industrial equipment
  • Ex: anti-lock break technology
  • Extremely sensitive to security issues, non-trivial systems, need to always be available, difficult to know what security is in place (Don’t want security to get in the way, but need to know that it’s secure)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Surveillance Systems

A
  • Cameras / audio surveillance
  • Embedded systems in the cameras
  • Might be monitoring sensitive areas, so they might need to be authorized
  • Might be physically difficult to reach (top of buildings) to change hardware, but many support update firmware so can update security
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Embedded Systems Communication

A
  • Look at how embedded systems communicate with one another

- Ex: 5G

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

5G

A
  • Fifth Generation cellular networking
  • Launched in 2020
  • Provides high speed communication over wireless networks
  • Can reach up to 10gigabits per second (more common range 100 -900 megabits / s)
  • significant throughput
  • Have a lot of impact on IoT (bandwidth less of a constraint, larger data transfers, faster monitoring and notification, additional cloud processing)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

SIM

A
  • Subscriber Identity Module
  • Universal integrated circuit card
  • IoT will need a SIM in addition to mobile phones
  • SIM provides critical information to a cellular network (phones, tablets, embedded systems)
  • Contains mobile details (IMSI International Mobile Subscriber Identity)
  • Important to manage SIM cards that are connected to IoT devices (Many embedded systems = Many SIM cards)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

IMSI

A
  • International Mobile Subscriber Identity
  • Allows mobile network provider to recognize SIM card and add it to cellular network
  • may contain authentication details, contact info about IoT device
17
Q

Narrowband

A
  • Allows analog communication over a narrow range of frequency
  • Signal is stronger, but in a narrow range
  • vs broadband signals that are less strong over a wider range
18
Q

Broadband singal

A
  • Uses a large number of frequencies to communicate
  • Wider communication area, but less powerful
  • Many IoT devices can communicate over long distances
  • SCADA equipment
  • Sensors in oil fields
  • Opposite of Narrowband
19
Q

Baseband signal

A
  • Using a single frequency used to communicate
  • Usually a digital communication over a single fiber or copper / cable
  • The communication signal uses all the bandwidth (utilization is either 0 or 100)
  • Can support bidirectional communication (but not at the same time on the same fiber) however, it is usually only going one way
  • Very common to see baseband on wireless ethernet connection: 100BASE-TX, 1000BASE-TX, 10GBBASE-T
20
Q

100BASE-TX, 1000BASE-TX, 10GBBASE-T

A
  • Ethernet standards

- that use baseband and the “base” references the baseband communication

21
Q

Zigbee

A
  • Open standard IEEE 802.15.4 PAN (personal area network)
  • IoT things are not communicating over wires, they’re
    using wireless networks often using the Zigbee standard
  • IoT devices create a meshed network of all Zigbee devices in your home (ex: light switch communicates with Light bulbs, amazon echo: lock the door )
  • This means IoT devices can hop through the Zigbee connection of other devices throughout your home to a management station
  • In US, Zigbee communicates over the ISM band (Industrial, Scientific, and Medical)
22
Q

IEEE 802.15.4 PAN

A
  • Open standard that Zigbee uses to communicate over wireless network (IoT’s use this)
23
Q

PAN

A
  • Personal Area Network
  • Alternative to WiFi and Bluetooth
  • longer distances than bluetooth
  • less power consumption than WiFi
24
Q

ISM Band

A
  • Network in US that Zigbee communicates over

- 900MHz and 2.4GHz frequencies in the US

25
Q

Embedded System Constraints

A
  • Embedded Systems are not usually running on a fully capable computer
  • Low cost, purpose-built
  • May be limited number of features available
  • Upgradability limitations (OS, size of storage, etc)
  • Limits in communication options
  • Limits in hardware upgrades
  • This is the on-going trade off with devices since they were built for very specific purposes
  • low cost, unique management challenges
26
Q

Power constraint

A
  • Often putting devices in field, often no power source (usually use battery, or solar powered)
  • Batteries need to be manually replaced / maintained
27
Q

Compute constraint

A
  • lower-power CPUS are limited in speed (however, this might not necessarily be bad, when you consider cost / heat)
  • low cost
  • often off the shelf
28
Q

Network constraint

A
  • Location of devices can limit the networking options
  • may not have options for a wired link
  • wireless is the limiting factor
  • Ex: may not have an ethernet connection in a oil field
29
Q

Crypto Constraints

A
  • In embedded devices, often not a lot of crypto options
  • Usually a CPU, but it’s limited and usually no cryptography options
  • But prob won’t be able to change crypto upgrades, if they’re even an option
30
Q

Inability to patch

A
  • Some IoT devices have no field-upgradable options
  • Upgrade options may be limited or difficult to install
  • might not be able to update over the network for a firmware (might need to physically plug in)
31
Q

Authentication limitations

A
  • On embedded systems, this is often an after thought if it exists at all
  • limited options, no multi factor
  • limited integration with existing director services
32
Q

Range constraint

A
  • Unusual for embedded devices to have any additional capabilities beyond their specific purpose for which it was built
33
Q

Cost Constraint

A
  • Single purpose functionality comes at low cost

- low cost may affect product quality (could limit life span)

34
Q

Implied trust

A
  • Limited access to hardware / software

- Difficult to verify the security posture of these embedded devices