Category Archives: Embedded Software

The SIOT Trust-Mark

Look for a SIOT trust-mark

The SIOT Security Trust-Mark

On 29 July 2014, HP released the results of a study claiming that 70% of the most commonly used Internet of Things (IoT) devices contained vulnerabilities. Furthermore the devices averaged 25 vulnerabilities per product.
(see )
So, since Gartner is anticipating something like 26 billion units installed by 2020, there is little doubt that users will be suffering from a myriad of IoT information security and privacy problems well into the next decade. Fortunately, it is still possible to do some things that will reduce the extent of this problem.

While having a complete understanding IoT information security problems is beyond the capability of IoT device users, many will appreciate the value of purchasing devices with a trust-mark. For example when someone buys an electric appliance that has the UL® trust-mark on it, the buyer understands it’s less likely that this product will electrocute someone. Similarly, buyers could come to believe that an IoT security trust-mark will mean that the marked device is less likely to be hacked, less likely to be used to hack other devices, and/or less likely to disclose someone’s personal information.

Devices that come with an IoT security trust-mark would need to meet a standard, and, as with the UL® mark, these standards would need to be verified by an independent third party.   Many things could be included and tested according to such standards.   Here’s a list of some of the things that might be included along with a brief description of each:

Active Anti-Tamper: FIPS 140 is a NIST standard that describes security for many commercially available cryptographic devices with varying levels of security. The highest level includes physical active anti-tamper capabilities that will cause keys and other critical security parameters to be erased whenever the physical boundaries of the device are penetrated.   There are many technologies that can meet these requirements, and many are not that difficult to implement. Similar anti-tamper standards can be applied to IoT devices.

Trusted Boot: Most PCs contain a device called a Trusted Platform Module (TPM). This device can be used to help ensure that the code executed while booting has not changed from one boot to the next.   If the boot code has changed from an authorized version, the TPM makes it possible for other devices to stop trusting the changed system.   Trusted IoT devices should have hardware for verifying the device has booted into a trusted state.

Removeable Power: Many cell phones today, have removable batteries, and many people have realized that this is a strong security feature. By removing the batteries from a cell phone, a user can be relatively certain that he has disabled any spyware that might be running on the phone, spyware that might be listening to the user’s conversations or reporting on the user’s location.   A user of a trusted IoT device should have the ability to stop trusting that device by removing the power source.

Independent User Control of Physical I/O Channels: Similarly, a user, not wanting to completely disable his device, might wish to be sure certain I/O functions are not activated. For example, the user may want to disable the camera function, the GPS function and the microphone function while retaining the ability to listen to music. By providing hardwired switches certified to disable specific hardware I/O function, a user can rest assured that these functions won’t be secretly activated by some malware lurking inside the trusted IoT device.

Host Based Intrusion Detection: For several years now, host based intrusion detection software has been available for desktop machines and servers. It is time to recognize that IoT devices are hosts too. There should be software running on the trusted IoT device so that one can detect when that trust is no longer appropriate.

Automatic Security Patching: Today, the time between the release of a critical security patch and the release of malware that exploits the associated vulnerability can be measured in hours.   The reality of the present situation is that the existence of a critical security patch means your system is already broken. Consequently, the automated application of security patches is necessary for desktops and servers. Automated security patching for trusted IoT devices will also be necessary.

Independent Software Security Verification: To a certain extent, trusting a software companies to develop secure code is like trusting a fox to guard a hen house. This is because the pressures on software developers to make marketing windows, to release code and to get paid frequently overpower discussions about the appropriate levels of security needed for operating the end products safely.   The resulting security problems are then left for others to solve. Because of this, various information security standards depend on independent software security verification. While this can be expensive, free services like “The SWAMP”
( ) offer the hope that independent software security verification can be done cheaply enough to motivate standardization.

User Defined Trust Relationships: When an IoT device enters a home, there may be very good reasons why it will need to communicate with other devices inside or outside of that home.   That does not mean that the new device should have the ability to communicate with all other devices. Consider the recent Target hack. The point of sale terminals were attacked by first gaining access to a system used to manage heating, ventilation and air conditioning.   Likewise, it might not make sense for your home’s air conditioning system to be able to talk with your home’s electric door locks.   It seems that giving users an easy way to manage what systems are allowed to talk with other systems could help quite a bit here. How to do this effectively may take some creativity, but one could imagine users having a tool, perhaps a wand that they could tap on one device and then tap on another device, to establish or dissolve the trust relationships between devices.

Recently, on 10 September 2014, The International Workshop on Secure Internet of Things (SIOT 2014, see ) conducted its meeting in Wroclaw, Poland.   This was only the third such workshop.   So, SIOT standardization is still far from being where it needs to be.  What will actually go into a set of IoT Security standards is not yet known. Likewise, an IoT Security Trustmark is not yet available.   Hopefully, some of the ideas suggested above will start to find their way into trusted IoT devices. If not, we can surely expect the same sorts of security problems that have plague our PCs and web servers, to appear all over again in the Internet of Things.

Is a Smart Toilet in Your Future?

HAL smart toilet

Is a smart toilet in your future?

When personal computers first appeared to on the market, there weren’t many people asking whether cars would have embedded computers. Today, a luxury sedan has somewhere around 60 embedded computers.  Yes, the Internet of Things is expanding, and that means we’ll be seeing more and more smart devices. Devices like these will also be communicating with each other so that they may work together to bring us more advanced information age benefits.

So, will toilets eventually have embedded processors?   Why change a good thing?  Why add a processor that will need software updates?  Why add electric power to a convenience that can function just fine without electric power?  These are very reasonable questions, and here are 5 possible answers.

1)   A smart toilet can include an automatic flush function.   A flushed toilet is always more presentable that an un-flushed one.  So, having an automatic flush function ensures that toilets are presented in the best possible light.  Self-flushing toilets already exist and can be found in public restrooms.  Assuming this functionality becomes popular in the home, the power needed for other smart functions will be available.

2)   A smart toilet can measure usage patterns.  By measuring how long someone is taking on the toilet, the smart toilet could remind the user to avoid taking too much time.  This could be done with and audible alert or more discretely by sending a text message to the user’s smart phone, reminding the user of the possible health consequences of prolonged toilet use.  To send this information by text messages, the smart toilet would need to identify the user.

3)   A smart toilet can measure a user’s regularity.  Once the smart toilet can identify the user, the smart toilet can also measure the regularity of the user, reporting trends and suggesting possible dietary changes to improve regularity (e.g. drink more fluids, eat more fiber, etc.).  In order to perform this function properly, the smart toilet might also need to communicate with other toilets.

4)   Similarly, a smart toilet could measure urinary frequency.  For male users, this function could be useful for detecting enlargement of the prostate.

5)   A smart toilet can also measure other healthcare information.   When traditional toilets are flushed, useful healthcare information is lost.  With more advanced sensors, a smart toilet can detect abnormal amounts of blood, or biochemical changes in the waste.   This can be helpful in the early detection of cancer.

Of course, there will probably be resistance to the idea of smart toilets. Some, perhaps most, people won’t like the idea of toilets recording their bathroom habits or having access to their healthcare information. Still, there are some practical and, perhaps, life saving benefits to be gained.   Consequently, when Smart Toilets start appearing, the manufacturers will need to assure their customers that these devices are secure and that their personal healthcare information will be kept private.   If buyers are convinced, smart toilets might eventually become more popular than the dumb toilets on the market today, and that’s an enormous market.

A smart toilet that’s already on the market…

Video of a smart toilet getting hacked…

Meanderings on Dancing, Dogs, Robotics and Artificial Intelligence

graceful robotics requires AI

Dancing Robots

To see dancing robots…

After watching a dancer express herself so beautifully, conveying sensitivity, emotion and creativity, one can’t help but notice how far robotics has to go.  Sure… the robotic Atlas from Boston Dynamics is amazing, but it will probably be a long time before people will pass on the real thing to watch robots dance for pure aesthetics.  Similarly, when one considers the skill with which Fido can jump into the air and catch a ball, the dog certainly puts the latest robotic marvel in its place.

Still, the idea of graceful robots may not seem that far fetched.   The senses of joint position, position in space, space and time and gravity in humans are impressive, but machines can sense these things.   The skeletal/muscular capabilities of our bodies are also impressive, but, again, machines might generate similar motions.   The big difference is what is happening in the brain.

Imagine that we built a robot in a humanoid form, and that we gave each part a computer.  For example, the head had a computer in it; the left forearm had a computer in it, and so on.  Each of these computers would be responsible for controlling the artificial muscles and monitoring the sensors contained within that body part.    This is possible, and it has already been done.  Naturally, in such a configuration, to achieve coordinated motion of the whole, there would need to be a great deal of communications going on between the various computer/body parts.  This seems like it should be possible, since we can transmit vast amounts of data quite quickly around such a machine using fiber optic technology.   If each computer had capabilities like that of an iPhone, it might make great use of those accelerometers, always knowing which direction is down, knowing where it is and how it is being accelerated.  Add the high capacity communications, and perhaps each body part could know where it is and how it is moving relative to the inertial frame and to the other body parts.

To get to a graceful expression, however, it seems a few things are still needed…

the algorithms that are going to allow all those computers communicate with one another,
the instincts,
the desire,
the ability to set goals,
the ability to learn from mistakes,
the instructor’s training,
the practice,
the self-discipline,
the dream,
the passion,
the inspired music and choreography,
the feelings,
and finally, the encouraging applause from an appreciative audience who sees greatness in the performance.

or, in the case of the dog, a master’s pat on the head and piece of bacon.

Happy New Year!

Creepy yet graceful

Creepy Robot Spider

To see robotic spider move naturally…

The Hacker-Proof Automobile

The Information Security Analyst sat quietly in the audience.  He had driven for hours to hear this presentation, and he could barely believe what he was hearing.  The speaker, the head of a government organization, an organization responsible for protecting his country’s information systems, was downplaying the importance of automotive cyber security, comparing those worried about the situation to “Chicken Little,” running around and complaining that the sky was falling.  “Wow” he thought.  “Does this guy just not understand the situation, or is he pretending that it isn’t a problem for some reason?”    The analyst knew full well there was a problem, because he had read two important papers on the topic.

The first was titled “Comprehensive Experimental Analyses of Automotive Attack Surfaces.”  The second was titled “Experimental Security Analysis of a Modern Automobile.”   These two papers, both written by a team of researchers from the University of California, San Diego and the University of Washington painted a very different picture of automotive cyber security.  Not only did the papers point out that there were vulnerabilities.  The researchers demonstrated exploits against the vulnerabilities.  Three experiments were most notable.   First, they demonstrated that it was possible to hack a vehicle through a music file, which would play fine on a computer or a stereo system, but would deliver software updates to onboard computers called Electronic Control Units (ECUs) when played on a vehicle stereo system.  Next, they demonstrated that it was possible hack a car while the car was in motion, disabling the brakes at 40 miles per hour.  Finally, they demonstrated that multiple cars could be hacked and then commanded to respond to remotely issued commands in unison.  This was done while the cars were geographically separated by a large distance.

The authors left it to the reader to speculate what sort of major cyber-attack might be possible should some gifted hacker, terrorist group or some nation state decide to get very nasty.  The idea of millions of cars simultaneously losing the brakes while driving over 55 mph came to the analyst’s mind.  “Guess that means I’m chicken little” he thought.  “Well, at least I’m not running around claiming the sky is falling.”  Of course, he would do something about it.  He was planning to get another car.  This car would be cyber hardened because it would contain no ECUs.  This car would be a 1966 Corvette.

This car has no computers to hack.

The Hacker-Proof 1966 Corvette Stingray

Two important papers on automotive cyber security…

copyright 2013 NetChime Research LLC,  All rights reserved.

“FIPS 140 Made Easy” Part 1

The product manager smiled and offered his guest some coffee.  “What we’ve managed to do is build a high performance cryptographic processor with just the right combination of algorithms and other characteristics.   This has uniquely positioned our company for a rapidly growing market.  It turns out that the US government is very interested, and we can seize a significant portion of this opportunity by moving quickly.  The only problem is that the government wants our device to be FIPS certified before they’ll commit to buying any.”  The product manager paused and waited for a response from his guest, an information security engineer who had had experience designing products to meet NIST’s FIPS140-2 requirements.

Getting a FIPS 140 Cert can be challenging

Typical FIPS 140 Certification

His guest suppressed a smile when he heard that getting a FIPS certification was “the only problem.”  He knew from what had been said so far that there were many other problems.  That’s because FIPS 140-2 consists of many requirements, and each one can result in a significant amount of work.   He had been through this scenario twice before, and in both cases, the same big mistake had been made.  The design engineers should have known about the FIPS 140-2 requirements from the beginning.  Now there were bound to be software changes, retesting and additional troubleshooting.  “Do you know what level of certification you need?” he asked.

“We’re thinking level 4.” the product manager replied.  “Do you think that will be a problem?”

“Well… if you haven’t been designing for a level 4 FIPS certification up to this point, it’s highly likely you’re going to need both hardware and software design changes.”

“Do you have any suggestions for me?”

To Be Continued…

“FIPS 140 Made Easy” Part 2

Continued from “FIPS 140 Made Easy” Part 1…

“Do you have any suggestions for me?”


  1. Maybe you only need a level 4 for one of the areas.  For example, let’s say you only need to meet the FIPS 140-2 level 4 physical security requirements.    It’s possible have your device’s physical security certified a level 4, but have an overall certification level of 2.  This might be good enough for the application your customers have in mind, and it will take much less time and money to get the certification.

    Pick your FIPS 140 compliance levels carefully.

    Compliance levels may vary by FIPS 140 section

  2. Consider changing your design so that it has approved and non-approved modes of operation.  Some of your customers may not want a device that obeys all the rules of FIPS 140-2.   You can retain a non-approved mode of operation that will function in a way that will still satisfy those customers.
  3. Make the Finite State Machine description of your device as simple as possible.  That means with as few states and as few ways to move between those states a possible.   These should be a high level finite state machine.  Your device will obviously have many more low level states, but the more states you add to your high level description, the more work you’ll make for yourself and the more work you’ll make for the certifying lab.

    Don't get hung up trying to get your FIPS 140 Finite State Machine fully describe the device operation.

    Make your FIPS 140 Finite State Machine simple

  4. If there is an embedded OS, consider designing your system so that the OS cannot be modified.  If you don’t do this, for level 2 devices and above, you’re going to need to ensure that the operating environment is evaluated to at least Common Criteria Effective Assurance Level 2 (EAL 2).  If the operating environment hasn’t already been evaluated, the addition work necessary will significantly increase your development costs, and will cause significant schedule delays.”

“What about FIPS 140-3?”

To be continued…

“FIPS 140 Made Easy” Part 3

Continued from FIPS 140 Made Easy part 2…

“What about FIPS 140-3?”

“You should probably check the FIPS 140-3 standard as well.  Presently, it’s in a draft form.  So, it could change.  Still, it’s possible FIPS 140-3 could become the new standard before you’re through with your current certification effort.  Knowing what’s in it shouldn’t hurt you.  Here’s the link for you…”–3

“Anything else?” asked the product manager.

“Yes.  The next time you design a crypto device, consider whether you need a FIPS 140 certification and what level of certification you might need during the requirements definition phase.  It is usually easier to get your crypto design certified when it is designed to meet the security requirements from the outset.  Modifying an existing design to meet the same requirements, after the fact, can be quite difficult. “

The information security engineer got the job, but it was a short contract.  Soon, the product manager began to realize how important that last piece of advice was, and the company decided it didn’t have the time or the money to seize that big government business opportunity.

The End