A View from Erica Naone
Vulnerabilities of embedded systems on display at Black Hat.
Today at the computer security conference Black Hat 2008, in Washington, DC, several impressive displays made clear that embedded systems, such as those used for keyless entry to cars or garage-door openers, could be an important security battleground in coming years. Breaking into embedded systems requires a different set of skills than those needed to crack websites. Instead of breaking in by using code written in computer languages that are relatively widely known, getting access to embedded systems can call for hands-on techniques, such as exposing a chip to ultraviolet light or probing it with needles.
Christopher Tarnovsky of Flylogic Engineering gave a virtuosic presentation in which he showed how he had taken over chips made by major manufacturers including Atmel, Motorola, and Infineon. Tarnovsky emphasized that, although the manufacturers stress the security features of their devices, he often finds it relatively easy to circumvent the very features that are being touted.
Later, Job de Haas, a senior specialist at Riscure, showed how he could extract keys from embedded devices without needing to open them up. The technique relies on measuring the electromagnetic field surrounding a device and analyzing patterns to make guesses at the processing going on within the system.
While in both cases, specialized skills and equipment are needed to pull off the attack, embedded systems are increasingly being used to guard access to valuable information or equipment that could make it worth the effort to break into them.