The primacy of microchips in the security design of embedded devices

Hojjati, Avesta

Permalink

https://hdl.handle.net/2142/114062 Copy

Description

Title

The primacy of microchips in the security design of embedded devices

Author(s)

Hojjati, Avesta

Issue Date

2021-12-02

Director of Research (if dissertation) or Advisor (if thesis)

Gunter, Carl A

Doctoral Committee Chair(s)

Gunter, Carl A

Committee Member(s)

• Mohan, Sibin
• Li, Bo
• Shintre, Saurabh

Department of Study

Computer Science

Discipline

Computer Science

Degree Granting Institution

University of Illinois at Urbana-Champaign

Degree Name

Ph.D.

Degree Level

Dissertation

Keyword(s)

• Security
• Embedded Devices
• Healthcare
• Security Protocols
• Side channel

Abstract

The global embedded system market is projected to grow from $86.5 Billion in 2020 to $116.2 Billion by 2025. The increased prevalence of embedded devices and the boost in sophisticated attacks against them has made embedded system security an intricate and pressing issue. Embedded systems are at the center of many different electronic products, machines, and intelligent operations, despite being designed to focus on specific tasks and completing those tasks perfectly, they often pose security and privacy issues. For example, embedded systems such as widely deployed medical devices, are posing a pressing issue due to their inadequate security design. These devices once compromised, can lead to death and injury of patients in clinical environments. Another example is the Unmanned Aerial Vehicles (UAVs), also known as “drones”,with the promise of enabling many favorable applications. Besides military purpose, many industries are paying more attention to the commercial usage of drones. For example, Amazon announced its Air PrimeDelivery Service in 2013, aiming to deploy small drones to deliver lightweight packages. However, the further adoption of drones has been significantly impeded by an overwhelming public outcry over the security and privacy implications of drone technology. Additionally, Amazon’s Alexa and similar voice assistant devices are capable of recording every conversation. This appears to be by design in order to allow the device to be responsive to “wake up” commands such as “Hey Alexa!”. However, such capability without properly securing the collected data causes many security and privacy complications. The economic and mortality impacts of the vulnerabilities in devices as described above have been widely discussed, but there is limited in quest that has focused on identifying the root causes of these issues. In this dissertation, I have identified several critical issues that have roots in the security design of embedded devices. As an example, I have demonstrated that widely used Medical Infusion Pumps could easily be compromised since developers/manufacturers have utilized insecure username and password such as“admin” and “12345” as the main method of authentication on their product. To make things worse, they have also decided to transmit variety of sensitive data in plain text instead of utilizing modern encryption methods for data in transit. In another example, I have demonstrated how an additive manufacturing equipment such as a 3D printer and the designs residing on the printer can be easily compromised due to the lack of proper authentication and data security. While conducting these studies, it emerged that the underutilization of security protocols existing on microcontrollers within each embedded device is the root cause of many vulnerabilities. At this step, the question of “Why more capable security protocols despite being available on the microcontrollers aren’t being used?” replaced the “Why this device is vulnerable?”. It is evident that from the manufacturer’s perspective, the time to market of a product is crucial. To make things worse, often developers will sacrifice spending more time and paying attention to security components in favor of a faster release cycle. I have identified that the main issue descents during the design phase of such devices. Developers are frequently rushed to develop the main functionality of these devices and omit to forget the “Security by Design” principal. As a result, vast majority of embedded devices are being released to the public without implementing modern security protocols despite being supported by the underlining hardware.I have researched, designed, and developed an intuitive web-based tool capable of efficiently and effectively guiding developers and manufactures to identify the supported security protocols of hundreds of microcontrollers. I focus on multiple methods to collect, parse, analyze, and identify the available security protocols of hundreds of microcontrollers that are often time-consuming to identify and challenging to categorize for developers. The current process results in frustration and ultimately unawareness of many essential capabilities of microcontrollers such as elevated security protocols. The developed solution will determinately enable developers to save time, reduce error, fully utilize the hardware’s capability at their disposal, and ultimately increase the security posture of their final product. My approach revealed that, a web-based tool designed to return the supported cryptographic protocols based on the inputted microcontroller model with a simple and intuitive interface can facilitate the design phase of an embedded device without sacrificing security. I experimentally validate the correctness of the developed framework by obtaining a patient monitor, a form of medical device and reverse engineering it to 1. validating the presence or absence of secure authentication and encryption of data in transit 2. validating that the underlining hardware supports modern security protocols via utilizing the developed framework, and 3. concluding that despite the availability of a stronger security protocol, developers/manufactures have neglected to utilize these protocols.

Graduation Semester

2021-12

Type of Resource

Thesis

Permalink

http://hdl.handle.net/2142/114062

Copyright and License Information

Copyright 2021 Avesta Hojjati

Owning Collections