Wibu-Systems Blog

Building Security Into IoT Devices

Posted by Terry Gaul on Jan 29, 2015 12:37:43 PM


The U.S. Federal Trade Commission recently released an in-depth report entitled, The Internet of Things: Privacy & Security in a Connected World, which included a long list of considerations and recommendations on how manufacturers should secure IoT devices.

To emphasize the magnitude of the IoT, the FTC noted that six years ago, for the first time, the number of “things” connected to the Internet surpassed the number of people. And experts estimate that, as of this year, there will be 25 billion connected devices and by 2020, 50 billion. And, this is not taking into consideration devices sold in a business-to-business context, nor does it address broader machine-to-machine communications.

The report recognized the numerous benefits the IoT presents to consumers and the potential to change the ways that consumers fundamentally interact with technology. In the future, they said, the Internet of Things is likely to meld the virtual and physical worlds together in ways that are currently difficult to comprehend. From a security and privacy perspective, the predicted pervasive introduction of sensors and devices into currently intimate spaces–such as the home, the car, and with wearables and ingestibles, even the body –pose particular challenges.

The FTC outlined a variety of potential security risks that could be exploited in the IoT to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. The security risks associated with IoT devices are not only limited to the compromise of Personal information, but can involve broader health and safety concerns. For example, if a pacemaker is not properly secured, the concern is not merely that health information could be compromised, but also that a person wearing it could be seriously harmed. Similarly, a criminal who hacks into a car’s network could cause an accident.

Among the many best practices for IoT device manufacturers recommended by the FTC staff, this one stands out the most – “companies should build security into their devices at the outset, rather than as an afterthought.”

Of course, none of this is startling news to us here at Wibu-Systems. We have been protecting software for more than 25 years and experienced with securing embedded systems found at the core of IoT devices. With our CodeMeter protection platform, IoT device manufacturers can ensure the integrity of embedded systems through the use of cryptographic methods. CodeMeter offers different secure storage options for keys and state information: smartcard chip, TPM and software container. CodeMeter supports common operating systems like Windows, OSX, and Linux as well as Windows Embedded, Real Time Linux, VxWorks, Android, QNX and PLCs like CODESYS, B&R and others. It contains a fast and reliable implementation of symmetric and asymmetric encryption methods (AES, RSA, ECC) as well as hash functions (SHA-256), functions for signature validation (ECDSA) and a random number generator.

CodeMeter includes all the available tools needed to implement integrity protection, software protection and the prevention of code tampering. CodeMeter also includes tools for creation, management and delivery of keys and digital rights.

To see how easy it is to build security into your software and embedded systems, request a fully functional CodeMeter Evaluation System and try it out.

 Request a CodeMeter Evaluation System

Topics: CodeMeter, embedded security, Internet of Things

Secure Software Updates via Embedded Integrity Protection

Posted by Marcellus Buchheit on Dec 17, 2014 7:00:00 AM

Software for embedded systems is based more and more on open system platforms, such as Linux Embedded, VxWorks, Windows Embedded, QNX and many others. In addition to powerful core functionality, one of the main reasons to use open platforms is their implementation of standardized interfaces for loading code or calling system functions (API). Such standards simplify software development between several teams within a large enterprise or even in different software companies. And similar to the success of software for traditional desktop systems or smart phones, you can find more solutions that can be purchased from third parties instead of developed in-house.

However, this new open world also makes embedded systems vulnerable to attacks from hackers who also know the system platforms very well. Current examples of such threats include successful attacks to POS systems to steal credit card numbers or ATM machines to steal cash. The IoT now brings embedded systems with such open platforms into a globally connected environment that is highly vulnerable to all types of attacks from hard-to-identify hackers located around the world.

One solution to prevent such attacks is the installation of security barriers between the code and the open Internet, such as firewalls or strict access control to the critical code. But the structure of such barriers in larger installations of embedded systems – an automobile assembly plant for example – is quickly becoming very complex with a high risk of security leaks. And if a hacker can find one such leak, he or she is now “inside”, and knows the details of the platform in use, and can modify the existing code or even upload and start new code to perform malicious attacks beyond simply analyzing, copying or deleting data.

A more effective solution is to protect the running program code itself against any modifications and also prevent the loader of the operating system to start any unauthorized code. This also includes protecting the open system platform itself to prevent a hacker from installing his own loader. And finally the BIOS of the embedded system should prevent any loading of an unauthorized platform.

Wibu-Systems CodeMeter technology provides consistent code protection at all levels of an embedded system where software components are running. Beginning in the BIOS, which will only start an authorized operating system, through the loader in this operating system which only accepts execution files of authorized programs, and up to the ability that these programs can load only applets or dynamic libraries with authorized dynamic extensions. This code integrity protection is based on sealed code, which cannot be modified at the file level, and which is verified by a private/public key schema. All components (BIOS, operating system, optional loader, application and applets) can come from different sources. Dynamic updates of any component is possible as long as the updated code is authorized as well. It is also possible to remotely update, extend or remove the required keys in a secure manner.

This technology enables the flexibility of secure code upgrades, which will be required in the ever evolving IoT world, with the security of the closed, non-changeable, unconnected systems of today. It is currently available in the latest version of VxWorks Real Time Operating System and will also be available for other platforms in the coming months. The technology is based on secure keys which are stored in a security device and which can be integrated as a chip directly into the system hardware or attached as a USB Stick, SD, microSD or CF Card.

Integrity Protection White Paper

If you are interested in learning more about Integrity Protection for embedded systems, download our whitepaper.

Topics: CodeMeter, Code Integrity, embedded security

Repelling the BadUSB Exploit with Cryptography and Secure Boot

Posted by Terry Gaul on Aug 7, 2014 5:06:02 PM

By now, many of you have heard about the “BadUSB” exploit, where two security researchers at Security Research Labs demonstrated how they could perpetrate an attack on USB devices.  By reprogramming the USB’s firmware with malicious code, attackers could gain control of a PC or any other USB-driven peripheral, such as a mouse, keyboard or even a smartphone. Once the infected USB is connected to the device, the software can be programmed to perform any number of malicious acts, from corrupting data to impersonating a USB keyboard to type in its own commands. And, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.

So what should we conclude about the vulnerabilities of USB sticks? Given the ubiquity of USB technology, consumers using USB memory sticks should be aware of the potential threat and be more cautious about the origin of the stick and who else may have used it, before it’s connected to a device.  But we should also be aware that not all USB sticks are alike and some, such as our WibuKeys and CodeMeter sticks (CmStick), incorporate advanced security technology that make attacks, such as BadUSB, impossible to perpetrate.

Let’s take a deeper look. Each USB stick consists of a controller chip and at least one memory module. The controller is responsible for the communication with the computer over the USB interface, and manages the memory. In principle, this can be equated to a microcomputer that, upon being plugged in, boots its operating system (firmware) from a non-visible part of the flash memory. Then it sets the flash memory of the computer as an available drive.

For economic reasons, the firmware on USB sticks is updateable, and therein lies the vulnerability. There are two ways to update the firmware: 1) a safe, secure boot process or 2) a simpler one with obfuscation of undocumented commands. The latter approach applies to all classic USB sticks and is the main vulnerability to the BadUSB threat.

The first step to a BadUSB attack is the manipulation of the firmware, which must be reversed engineered. New custom firmware is then developed and loaded onto the stick, in a manner that circumvents the obfuscation protection.

Secondly, the modified USB stick presents itself to the computer as an HID device. Once the USB stick is connected, the computer recognizes the HID device and initializes it automatically  -  a standard procedure that would not draw suspicion from the user. Once initialized, the modified firmware goes into action and the programmed malware is unleashed.

Although the explanation of the exploit seems simple enough, the demonstration by Security Research Labs is extremely difficult to achieve. Reverse-engineering controller firmware requires great technical skills and is extremely time consuming. Plus, the attack is controller specific, so it would require extensive knowledge of the specific chip and the reverse engineering effort would need to be repeated for each threat.

However, as we have grown to understand the hacking community, we don’t underestimate their persistence and leave nothing to chance in terms of the protection we build into our CmSticks.  At Wibu-Systems, our own security experts have been developing and refining technologies to make software safe from malicious tampering since 1989.

Our family of CodeMeter CmSticks comes in many form factors. All are implemented on a separate chip that has its own memory and cryptographically secure firmware. Only firmware signed by Wibu-Systems can be downloaded into the controller, making a BadUSB attack impossible. Our most modern CmStick offers further protection. The chip firmware is encrypted and signed and the root key is stored in non-alterable ROM. This key is written only once during manufacturing and cannot be subsequently updated in the field under any circumstances. This is our implementation of a secure boot process. The inter-chip communications is also encrypted, making the stick immune to hardware based attacks.

In conclusion, if you are using any of our USB powered devices, you can feel confident that you are protected from the BadUSB threat.

For a more detailed description of our cryptographic protection and secure boot process, please read our official statement "BadUSB Uncovered", or contact one of our security experts.






Topics: CodeMeter, software copy protection, CmSticks, cracking, WibuKey, embedded security

Making the Case for Medical Device Software Protection

Posted by Terry Gaul on Feb 13, 2014 10:50:00 AM

sirona 01Former U.S. Vice President Dick Cheney acknowledged that he once feared that terrorists could use the electrical device that had been implanted near his heart to kill him and had his doctor disable its wireless function. The device in question was a defibrillator that could detect irregular heartbeats and control them with electrical jolts. Cheney had his doctor turn off the device’s wireless function in case a terrorist tried to send his heart a fatal shock.

Medical devices used for critical care are becoming increasingly reliant on software and securing that software from tampering and malware has become a critical consideration in the development process.

Even so, software security remains an afterthought in some medical device design, according to researchers from Carnegie Mellon who are working towards evaluating the software security of medical devices. In their paper, “Take Two Software Updates and See Me in the Morning: The Case for Software Security Evaluations of Medical Devices,” Steven Hanna, University of California Berkeley, et al, notes that medical devices are susceptible to malware because:

1. Software in medical devices is becoming increasingly complex.

2. More and more medical devices are becoming networked with wireless Internet connectivity.

3. More medical devices are evolving from electro-mechanical to software-controlled devices.

4. Analyzing security after a potential risk becomes a tangible threat would be too late for effective deployment of defensive technology.

In their study of an Automated External Defibrillator (AED), they identified security flaws in both the embedded software and the commercial off-the-shelf software (COTS) update mechanism. They concluded that manufacturers of medical devices containing software should have plans for assessing specific security risks, detecting security compromises, and recovering from computer security incidents—especially if the manufacturer plans to use wireless communication or Internet connectivity that would increase the device exposure to the risks of malicious software.

After becoming aware of cybersecurity vulnerability and incidents that could directly impact medical devices or hospital network operations, the FDA is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyber-attack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and those connected to hospital networks.

They further stated that manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance.

At Wibu-Systems, we are providing the tools that enable embedded software developers to protect medical devices. The term “Integrity Protection” encompasses security measures, namely protection of system resources, programs and data against unauthorized manipulation, or at least identification and display of such modifications. The challenge consists in guaranteeing data integrity, and, if not possible, bringing the system to a safe mode and stopping the execution of any function.

We’ve demonstrated that the best integrity protection solutions are based on cryptography and associated security mechanisms, such as digital signatures and message authentication. With our CodeMeter licensing and protection platform, we provide a smart-card-security-based protection system, which is available for industrial interfaces. By utilizing CodeMeter, you can secure a device so that it only receives software updates from the device manufacturer. When the device is started, integrity checks are performed to be sure that the software being run is authenticated and not some type of virus.

CodeMeter supports common operating systems like Windows, Mac OS X, Linux as well as Windows Embedded, Embedded Linux, RTOS like Wind River’s VxWorks and PLC development software like CODESYS and more. It contains a secure implementation of symmetric and asymmetric encryption methods (AES, RSA, ECC), functions for signature validation (ECDSA) and a random number generator, according to FIPS140-1 and fulfilling EAL 4+ (Common Criteria Certified). CodeMeter includes all the available tools needed to implement all of the steps described above for integrity protection, software protection and the prevention of code tampering of embedded medical devices.


Download the White Paper: Integrity  Protection for Embedded Systems

Topics: software protection, CodeMeter, embedded security

Integrity Protection for Embedded Systems

Posted by Terry Gaul on Oct 21, 2013 9:51:00 AM

In their book, Embedded Systems Security, David and Michael Kleidermacher point out some all-to-real scenarios about the consequences of malicious threats to embedded systems.

Consider that for every PC in the world, there are hundreds of embedded systems, interconnected over various communication channels, like WiFi, Bluetooth and RFID. And nothing has become more computerized faster than the modern automobile. Computers, in the form of self-contained embedded systems, have been integrated into virtually every aspect of a car's operation and diagnostics, including throttle control, transmission, brakes speedometer, climate and lighting controls, external lights and entertainment systems.

The authors gave one example of an industrial company that sells bearings that use a magnetic field to suspend a shaft. A Digital Signal Processor performs 15,000 calculations per second to keep operations running smoothly. The bearing controllers have Ethernet connections.  With a coordinated attack on the bearings, plant operations could be brought to a halt.

The authors also discuss the security issues brought on by non-malware bugs. As embedded systems become increasingly ingrained in our lives, any bug that compromises the reliability of a system can become a mission-critical security threat. For example, what would happen if automated jail control doors failed to close? A task that errantly consumes too many resources (like memory) or CPU cycles can prevent other activities from running: the traffic light fails to turn red, the railroad signal remains open, or the ATM’s bill counter fails to stop spewing money. 

The Department of Homeland security notes that our country’s reliance on cyber systems to run everything from power plants to pipelines and hospitals to highways has increased dramatically, and our infrastructure is more physically and digitally interconnected than ever. Yet for all the advantages interconnectivity offers, critical infrastructure is also increasingly vulnerable to attack from an array of cyber threats.

Most embedded systems developers have little training in security and are largely unaware of both the threats and the techniques and technologies needed to make their products secure. In order to develop effective methods aimed at preventing attacks, the potential threat scenarios need to be understood. Some of the possible attacks to embedded systems are listed here below:

  1. Attackers develop a "fake device," a device that looks just like the original, but whose functions have been altered for nefarious purposes, that could be installed, for example, as a replacement part during equipment service.
  2. Attackers develop their own software and run it by replacing the memory card in the embedded system.
  3. Attackers extract the memory card out of the embedded system, manipulate the software and plug the card back into the system.
  4. Attackers modify the software on the embedded system by controlling the communication interfaces from the outside.
  5. Attackers monitor an embedded system, while in use by the application, in order to analyze it and to develop avenues of attack.

Finally, the authors make one more important point. They say that one of the most important tenets of computer security is that it is difficult, unwise, and often financially and/or technically infeasible to retrofit security capability to a system that was not originally designed for it. Therefore, they conclude, the only hope for improving security across the world of embedded systems is to educate the developers, who must learn to think about security issues as much as they already think about functionality, memory footprint, and debugging.

And that's where Wibu-Systems comes in. For 25 years, we have delivered the tools needed by software developers to protect their software against piracy, IP theft, and manipulation.  We continue to incorporate state-of-the-art security technologies into our software protection tools for embedded systems and PC software as well as cloud services and mobile apps.

Download the White Paper: Integrity  Protection for Embedded Systems

The term "Integrity Protection" encompasses security measures, namely protection of system resources, programs and data against unauthorized manipulation, or at least identification and display of such modifications. The challenge consists in guaranteeing data integrity, and, if not possible, bringing the system to a safe mode and stopping the execution of any function. The best integrity protection solutions are based on cryptography and associated security mechanisms, such as digital signatures and message authentication. This 12-page white paper will describe these advanced encryption techniques.

Topics: CodeMeter, software copy protection, secure licensing, Anti-piracy, Copy Protection, embedded security

Wind River's New VxWorks EDK Improves Embedded Systems Security

Posted by John Poulson on Feb 15, 2013 12:35:00 PM

Threats to Embedded Systems Security is on the rise Worldwide

In a report published in 2012, the German Engineering Federation (VDMA) indicated that for larger companies (those with more than 1,000 employees) 9 out of 10 respondents were affected by piracy of intellectual property (IP) in one form or another. In addition to proprietary software, industrial computing systems can contain data in logs, service records, and documentation that has value to competitors and organized crime. Such intellectual capital is subject to theft and gray-market competition as well as outright counterfeit copies of proprietary machinery.

Top 5 Security Threats in ICS (Industrial Control Systems):

  • Unauthorized reading and writing messages in ICS
  • Unauthorized access to resources
  • Introduction of malware using USB devices or other hardware
  • Distributed Denial of Service Attacks (DDOS)
  • Attacks to commercial off-the-shelf systems, in ICS, like OS or networks

Wind River Reacts to Threats

For maximum embedded systems security Wind River's new VxWorks Embedded Development Kit uses CodeMeterRecognizing that the security threat to embedded systems is growing year by year with no end in sight, Wind River in partnership with Wibu-Systems, a world leader in IP protection and secure software licensing is delivering an EDK for VxWorks with a focus not only on securing the code, but also on securing the certificate chain for signed code.

Learn How to Protect Your Embedded Code When Using NITX-315 Boards

Join Emerson Network Power, along with Wind River and Wibu-Systems as they launch the Embedded Development Kit (EDK); the "first ever" out of the box solution for IP protection, tamper protection and license management for Emerson Network Power NITX-315 boards.

Sign up for this free webinar today

What You Will Learn:

  • Protecting embedded software intellectual property and embedded software license management results in the prevention of "jail-break" software and reverse-engineering and IP theft.
  • Secure boot & integrity protection
  • Protecting the signature chain for signature verification
  • IP protection & copy protection
  • New business models through flexible licensing

john poulsonJohn Poulson has worked in the software protection industry since 1988 and has been with Wibu-Systems since 2000. He is an expert in license authentication best practices and deep powder skiing.

Topics: CodeMeter, embedded security