Wibu-Systems Blog

Marcellus Buchheit

Recent Posts

Secure Software Updates via Embedded Integrity Protection

Posted by Marcellus Buchheit on Dec 17, 2014 7:00:00 AM

Software for embedded systems is based more and more on open system platforms, such as Linux Embedded, VxWorks, Windows Embedded, QNX and many others. In addition to powerful core functionality, one of the main reasons to use open platforms is their implementation of standardized interfaces for loading code or calling system functions (API). Such standards simplify software development between several teams within a large enterprise or even in different software companies. And similar to the success of software for traditional desktop systems or smart phones, you can find more solutions that can be purchased from third parties instead of developed in-house.

However, this new open world also makes embedded systems vulnerable to attacks from hackers who also know the system platforms very well. Current examples of such threats include successful attacks on POS systems to steal credit card numbers or on ATM machines to steal cash. The IoT now brings embedded systems with such open platforms into a globally connected environment that is highly vulnerable to all types of attacks from hard-to-identify hackers located around the world.

One solution to prevent such attacks is the installation of security barriers between the code and the open Internet, such as firewalls or strict access control to the critical code. But the structure of such barriers in larger installations of embedded systems – an automobile assembly plant for example – is quickly becoming very complex with a high risk of security leaks. And if a hacker can find one such leak, he or she is now “inside”, and knows the details of the platform in use, and can modify the existing code or even upload and start new code to perform malicious attacks beyond simply analyzing, copying or deleting data.

A more effective solution is to protect the running program code itself against any modifications and also to prevent the loader of the operating system from starting any unauthorized code. This also includes protecting the open system platform itself to prevent a hacker from installing his own loader. And finally, the BIOS of the embedded system should prevent any loading of an unauthorized platform.

Wibu-Systems CodeMeter technology provides consistent code protection at all levels of an embedded system where software components are running: beginning in the BIOS, which will only start an authorized operating system, through the loader in this operating system, which only accepts executable files of authorized programs, and up to these programs, which can load only authorized dynamic extensions such as applets or dynamic libraries. This code integrity protection is based on sealed code, which cannot be modified at the file level, and which is verified by a private/public key scheme. All components (BIOS, operating system, optional loader, application and applets) can come from different sources. Dynamic updates of any component are possible as long as the updated code is authorized as well. It is also possible to remotely update, extend or remove the required keys in a secure manner.
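The verification chain described above, reduced to a generic sketch and added here as an illustration; it is not CodeMeter code or its API. Ed25519 as the signature scheme, the signed-message layout, and every name (`Stage`, `Seal`, `Boot`, `DemoKey`, `DemoChain`) are assumptions, and the keys and code strings are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Stage is a sealed component: code, the key it authorizes for the next stage (nil for a leaf), signature.
type Stage struct {
	Code, Sig []byte
	Next      ed25519.PublicKey
}

// signed is the message a publisher signs: length-prefixed next-stage key, then the code.
func signed(code []byte, next ed25519.PublicKey) []byte {
	return append(append([]byte{byte(len(next))}, next...), code...)
}

// Seal is the publisher side: sign the code together with the key it hands on.
func Seal(priv ed25519.PrivateKey, code []byte, next ed25519.PublicKey) Stage {
	return Stage{code, ed25519.Sign(priv, signed(code, next)), next}
}

// Boot returns how many stages start; it stops at the first seal that fails under the previous stage's key.
func Boot(trusted ed25519.PublicKey, chain []Stage) int {
	for i, s := range chain {
		if len(trusted) != ed25519.PublicKeySize || !ed25519.Verify(trusted, signed(s.Code, s.Next), s.Sig) {
			return i
		}
		trusted = s.Next
	}
	return len(chain)
}

// DemoKey derives a publisher key from a label (constructed; real keys sit in a security device).
func DemoKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// DemoChain is a constructed OS -> application -> applet chain from three publishers.
func DemoChain() (ed25519.PublicKey, []Stage) {
	osK, appK, extK := DemoKey("os-vendor"), DemoKey("app-vendor"), DemoKey("applet-vendor")
	return pub(osK), []Stage{Seal(osK, []byte("kernel v1"), pub(appK)),
		Seal(appK, []byte("app v1"), pub(extK)), Seal(extK, []byte("applet v1"), nil)}
}

func main() { fmt.Println("stages started:", Boot(DemoChain())) }
```

`Boot` returns 3 for the intact chain; changing the application bytes without re-sealing drops it to 1, while an update re-sealed with the application publisher's key starts normally.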

This technology enables the flexibility of secure code upgrades, which will be required in the ever evolving IoT world, with the security of the closed, non-changeable, unconnected systems of today. It is currently available in the latest version of VxWorks Real Time Operating System and will also be available for other platforms in the coming months. The technology is based on secure keys which are stored in a security device and which can be integrated as a chip directly into the system hardware or attached as a USB Stick, SD, microSD or CF Card.


Topics: CodeMeter, Code Integrity, embedded security

IoT, Industry 4.0, and Cyber-Security

Posted by Marcellus Buchheit on Sep 23, 2014 1:49:40 PM

The recent revelation that an Internet-connected LED bulb could be hacked to reveal Wi-Fi usernames and passwords shouldn’t come as a surprise. Unscrupulous thieves have been stealing seemingly protected intellectual property for years, whether it be software, credit card data, or some other personal or business information. So, you can imagine that with the emergence of a myriad of connected devices defined by the Internet of Things (IoT), evildoers must be rubbing their hands in delight at the thought of the potential mayhem that can be unleashed.

In this case, security services firm Context Security undertook a white hat exploitation of a vulnerability in programmable, smartphone-controlled LIFX smart LED bulbs. The exploit allowed hackers within close proximity of the bulbs to obtain passwords used to secure the connected Wi-Fi network by sending a command to the compromised bulb with their smartphones. Once commands are received, the credentials are broadcast from the master bulb to all the other bulbs over a network. Although the Advanced Encryption Standard (AES) was used to encrypt passwords, the pre-shared key never changed, thus enabling hackers to easily decipher the information.

You can read the full post here on Embedded-Computing.com.

CES: Consumers Steer Future Innovations

Posted by Marcellus Buchheit on Jan 18, 2013 12:31:00 PM

The Consumer Electronics Show (CES) was held in Las Vegas last week. Everything that a consumer could ever hope to need in the world of sophisticated products — TVs, cell phones, cars, fitness and health products, home controlling, etc. — was displayed.

You may wonder what such a consumer show has to do with Wibu-Systems’ business — license management and security products — a strictly B2B world! The short answer is that most product development today is controlled by the consumer. And Wibu-Systems, as an always innovative company, has to watch how the world is changing and react to this consumer-driven development phenomenon.

This is very different from the past. Just remember how the world looked 50 years ago: The most sophisticated products with the highest quality, largest power, smallest dimensions, or whatever other “super” attributes, were used by the military and large industry. They paid the highest prices; companies and research funneled all innovation into this very special market. In a second phase, innovation was then redirected to science and commercial products. In this line of innovation the consumer was at the very end – the consumer had to wait, sometimes many years, until a specific innovation was affordable and finally available for everyone.

The “line of innovation” did not change much in succeeding decades. Just think about the first personal computers in the '60s: The military and academic community had the first ones and then they went to big business. But before the first real home computer was affordable, at least 10 more years passed. Even then these consumer products had much less memory, slow permanent storage, smaller screens and much slower execution speed than even the commercial mainstream products.

Today the world has changed: The fastest personal computers with overclocked processors and liquid or nitrogen cooling elements are used by consumers for video games. The most sophisticated computers — tablets with high resolution monitors, non-mechanical permanent storage and long lasting batteries — are used to watch videos, take private pictures or connect consumers with Facebook. Truly innovative technology — for example touch screens with finger gesture recognition — was not invented so that soldiers on the battlefield could manipulate their maps more easily, but so that consumers on the couch could easily rescale their private vacation pictures.

Military industry and academia no longer have “exclusive” use of sophisticated products — they are glad that the latest generation of consumer products are also usable in their world. Why did this shift happen? One reason: there are many more consumers in the world than there are military organizations, scientists or professional people. Development of a real innovative product like an iPad or a Samsung Galaxy Note Tablet is always extremely expensive. But if this cost can be divided over millions of consumer devices, it can become negligible. In the scientific or military world, the development cost will be a huge part of every single sold product.

The consumer is also very critical about esthetics, usability and quality — only the best products are finally successful and become market leaders. Every company wanting to participate in the huge world of consumer products knows about these challenges and wants to develop the greatest products — just to survive. And consumers make quick decisions — the “hip” product from last year is already obsolete compared with the newest products displayed at CES this year. And because the products are cheap, many consumers just buy these “hip” new products, even if the old ones are still working well. This is in strict contrast to the military and scientific world — these markets are usually defined by very few companies, which develop very expensive products quite slowly. The high cost requires that the products be used for years before the military or others in this category have the budget for another expensive successor product.

It is very likely that the dominance of the consumer in the world of innovation and development will continue as a megatrend for a long time. With more consumers in China, India, Russia and South America, the market is still fast growing and not only global companies but also their regional counterparts see big opportunities in consumer electronics.

But the consumer has not taken over the steering wheel everywhere. One remarkable exception is data security. Here we still have the old world: Governments are very worried that an unauthorized person or group could start their rockets, the scientific community is worried that their competitors could steal their research results and professionals are worried that their business models are spied on and duplicated.

On the other hand, the consumer has the unprotected Wi-Fi network at home, the cell phone without any access restrictions or the laptop without hard disk encryption. “I have nothing to hide and no real secrets” is the typical excuse of most consumers for this “I do not care” style. But I predict that this too will change very soon: With more and more globally connected consumer devices containing personal data, it is very likely that very soon the consumers will be a major target of daily serious malicious attacks. Just wait… when millions of consumers panic because their bank accounts are emptied by hackers in Russia, strange people anonymously publish personal pictures from their “private cloud storage” or neighbors can peek in other houses after cracking the baby surveillance video systems. “Personal security” will very likely become another big megatrend in a few short years.

Twenty-five years ago it was unthinkable that soldiers would use consumer GPS products to determine their locations on the battlefield — today it is a reality. It will be interesting to see if soldiers in the future will use consumer security products because they will become much more secure… because the number of people who try to crack exciting consumer secrets will be much larger than those who try to crack boring military secrets.

Photo by taylorhatmaker