Do embedded developers need to worry more about security now? [in the after-math of the Dyn DDoS attack]

Posted by Magnus Unemyr on Oct 31, 2016 8:30:00 AM

Internet security has been a focused area for PC’s and servers during the past two decades, if not more. So far, most embedded systems haven’t been connected to the Internet, and so Internet security has not been such a major problem for embedded developers. Up till now.

Internet of Things is exploding, with billions of Internet-connected devices predicted in the near future. A major security incident caused by an IoT product was only waiting to happen. And the first major security threat on a global scale - caused by IoT devices - may have been seen last week.


The Dyn DNS service was brought down by a DDoS (Distributed Denial of Service) attack, causing large parts of the Internet to become unreachable. 

The attack that took down a large chunk of the Internet the past weekend was allegedly caused by the Mirai malware infecting certain IoT devices. More specifically, IP cameras from the Chinese Hangzhou Xiongmai Technology has been pointed out as part of the problem during the attack.

Before April 2015, the company used a firmware that enabled the Mirai malware to exploit their devices. The malware software contains a list of known username and password combinations, that it will try against newly discovered IoT devices.

I have no way of verifying if security vulnerabilities in this particular IoT device from this vendor was, in fact, largely responsible for bringing the Dyn DNS service down or not. But in either case, it highlights the need for embedded developers to become more security cautious.

This applies to developers of any embedded device of course, but in particular, those that will be connected directly to the Internet.

Product developers need to:

1) Gain the necessary expertise to deliver secure products

2) Allow the development teams to develop products with security built-in from the ground up

3) Generally, make security a much higher priority than in the past

A problem here might be that embedded developers are experts in low-level programming, including device driver development, RTOS scheduling, and other intricate things most other types of software developers are clueless about. But I suspect that most embedded developers have relatively weak knowledge in networking and networking security.

Embedded developers are not to blame. We haven’t needed this skill before, and we have had enough of other difficult work-tasks to complete on the plate. But the situation is changing, and with the new challenges on the doorstep, development managers must ensure skills, technology and development time is ensured for these important tasks.

I think that networking security skills are the most important one by far. Without the right knowledge, it doesn’t matter what technology you purchase, or how much time you set aside. State-of-the-art security libraries, configured and integrated in the wrong way, will not make a secure product. And security cannot be bolted-on as an after-thought. Security needs to be designed-in from the start.

And so, please make sure your team has the necessary networking security skills for your next project. And plan for security from the start - you cannot add it later. We are all worried about the consequences of billions of IoT devices creating havoc on a global scale. Let's make sure it is not your product that catches the attention from global media the next time an IoT product is the cause of a major security problem. This could become a PR nightmare. The badwill may well cause your company to go out of business.

What is your opinion about networking security in embedded systems in general, and IoT products in particular? Feel free to leave your thoughts in the comment form below! I am sure there are many valid opinions, thoughts and points of view on this topic!

Topics: Embedded Software Development