Cybersecurity for Custom Hardware: An Executive Summary
- Wes Sleeman
- Jun 20
Connected hardware is everywhere, and it isn’t limited to phones, tablets, and laptops anymore! Whether it’s the SCADA systems that regulate water flow to your house or the “smart” kettle you bought to boil that water just in time for you to wake up in the morning, these devices have made their way into our daily lives in a way that wouldn’t have been imaginable a few decades ago. Each of these devices adds value to our lives and our society in myriad ways, but each also represents a potential vector that malicious actors can use to achieve their own ends at your expense.
One of the core challenges in any safety-related topic is determining how to measure risk. In our modern, interconnected world, our devices connect to the internet, to each other, and to their manufacturers to exchange information, keep themselves up-to-date, and provide convenience. Each point at which a device can be accessed, physically or digitally, represents a point from which an attacker can attempt to interfere with and/or take control of the device. We refer to the aggregate of these points of access as the device’s attack surface. Each bell and whistle added to the device can increase the number of ways in which a malicious actor can seek to attack it, and thus increases its attack surface.
As an often non-obvious aside, the security controls put in place to protect these devices can (and typically do) increase the attack surface themselves! As a result, over-securing your device can, ironically, lead it to be less secure on the whole. Many assessment frameworks take this into account and, as a result, your device may score worse on an audit by adding more “security”.
There is more to consider when looking at your device’s attack surface than just the number of accessible features, however. One must also consider the environment in which the device is going to be used! While a Wi-Fi connection might be the single most important point on the attack surface of a consumer device, it may be a non-issue in, say, an industrial context where the device is connected to an air-gapped SCADA network (or other industrial control network). Personal consumer devices, in particular, are valuable targets because they operate on the home networks of individuals. A compromised smart oven, for example, can be instructed to log all websites visited in that home and stream them back to the attacker(s) over the internet.
Your internet connection isn’t the only way your connected device can be compromised, however. A great case study for this is the “Stuxnet” worm which terrorised the IT world in late 2010. Stuxnet was a computer worm that targeted SCADA systems (or, more specifically, the PLCs therein) controlling nuclear centrifuges. Because these networks typically aren’t connected to the internet, Stuxnet spread to its primary targets by infecting USB drives! Any mechanism through which your device can send or receive data should be thoroughly checked for security concerns.
It is at this point in any security discussion that I often start getting questions such as “Should I remove features from my device?”, “If these attackers are so resourceful, won’t they be able to compromise my device no matter what I do?”, and so on. Rest assured: Best practices are here to save the day! Generally speaking, there are three things that any and every device manufacturer should do to improve their security and minimise the risk of a costly lawsuit:
Firstly, remove any unused features of the device. Developer “testing” backdoors are a dime a dozen, and are so often mistakenly left in only to be discovered years down the line by people with less constructive intent.
Along the same lines, hire professional developers! While software development companies can feel expensive when compared to your colleague’s high-school child looking for a summer job, they typically more than pay for themselves in faster development times, improved performance, and, yes, experience-driven improvements in software security.
Finally, consider a professional security audit or, if that isn’t financially viable, an informal (but professional!) security assessment. The best way to find vulnerabilities is to have a trained expert simulate a determined attacker and do their best to break your device.
In summary: Think about the security of your device in terms of the attack surface it presents to the world. Minimise the surface by removing unnecessary features, capabilities, and/or modules, including security controls that aren’t resolving a specific, known, documented potential vulnerability or following a recommended best practice. Where possible, have a professional developer write the software, especially the parts which are accessible from the “outside” (whether logical or physical). Finally, consider hiring a professional security analyst or auditor to review and test your device to find potential problems, and take their recommendations seriously!
If you are looking for expert assistance with professional, secure custom software for your hardware, reach out to ROK Software today. Our experience in both consumer and business-facing markets ensures the best outcomes for your devices.