Security on Embedded Systems

Transcription

1 Cyber Security (CYS) Issue Group Activity Report Security on Embedded Systems Chair : Buheita Fujiwara Information-technology Promotion Agency With Cybersecurity Malaysia, Hitachi and III GBDe Summit 2007, November 9, 2007, Tokyo 1

2 Cyber Security realizing Secure and Safe Environment on Embedded systems Cyber Security Service Centers Ubiquitous Network Society International Micro Payment Digital Home Mobile Phone IC Card DigitalTV Consumer Consumer Consumer Confidence Consumer 2

3 Agenda Security on Embedded System Risks and Solutions Recommendations 3

4 Connection to the Internet Web Connection Timer-recording recording Setting Timer-recording Setting Internet TV recorder Web Connection Internet Phone VoIP Mobile Phone Map Data Update LAN Connection Online Game Program Updates Car Navigation Multi Function Device Game Machine Digital TV 4

5 What is an Embedded System? Definition A general-purpose device such as home electric appliance having a built-in chip to run software for specific purposes Examples IC Cards Mobile Phones Home Information Appliances RFID (Radio Frequency Identification) Financial Terminals (ATM) Electronic Toll Collection (ETC) Systems Car Navigation Systems 5

6 Why we need to focus on Embedded Systems? What will happen when connecting a PC without any security measures? Virus infection in a short period Hacked and be used for another attack For PCs, we can Install anti-virus software Use firewalls Download and apply security patches For Embedded Systems Can we do the same action? 6

7 Risks : Threats and Incidents How to fix problems with a computer software product and an embedded device PCs World How to fix a problem with a computer software product (Distribution over the Internet) Computer Software Manufacture Web site Revised Program Internet 2 Each user downloads the revised program 1 Uploads a revised program to the company s Web site Embedded Systems World 3 How to fix a problem with an embedded device (Product Recall) Manufacture Repairs the recalled products 2 4 Recalls products Retunes products 1 Requests the manufacture to repair the embedded device Problems with Embedded Devices Product Recall Might Be Required 7

8 Examples for Threats and Incidents Mobile devices infected with computer viruses were not booted up Sep : Symbian OS-based Mobile phone virus spread in northern Europe. Virus Spreads among Bluetooth Mobile Phones Oct : Virus for handheld gaming devices was disclosed. These viruses delete system files on the devices, causing them to boot abnormally. Virus 8

9 Solution example : IT Security on Embedded Systems (1) Organization for IT Security (2) Education and Rules on IT Security (3) Reviews at each stage of development (4) Incidents Response Team for IT Security 9

10 Summary Recommendations for IT Security Measures on Embedded Systems For Ensuring Embedded Systems Security, Classify into 5 phases Entire Life Cycle Planning Developing (Design and Implementation) Operating Disposal / Recycle Approach from 2 aspects of management and technology 10

11 Issues Covering the Entire Life Cycle Managerial Aspect Stationing a computer security specialist in the Project Audit Organization (Project Management Office) Collecting security-related information, including information on vulnerabilities and attacks, and keeping the software development engineers informed about it Technical Aspect Taking appropriate measures in each phase, referring to security-related information, including information on vulnerabilities and attacks 11

12 Issues Related to the Planning Phase Managerial Aspect Deciding how to provide means to troubleshoot security-related problems Technical Aspect Defining security-related risks, considering possible topology, operation environments, and usage patterns of the product Establishing security policies to address the defined risks involved in implementing functions as planned, taking into account the constrains Providing users with a function for confidential data disposal 12

13 Issues Related to the Developing Phase (Design and Implementation) Managerial Aspect Preparing for tests on attacks to the finished product in the actual operation environment Making the computer security specialist in charge of a series of tasks required for the use of an Internet application, including its selection, operation setting, and testing Technical Aspect Conducting tests on attacks (including hacking) to all the interfaces connected to the network Measuring effects of attacks by observing operational state of the device 13

14 Issues Related to the Operation Phase Managerial Aspect Managing, collecting, and analyzing information in preparation for the possible detection of vulnerabilities Technical Aspect Enabling the call-center employees to respond appropriately to inquiries from customers, based on the latest trend of information security Issues Related to the Disposal Phase Managerial Aspect Specifying in the manuals the confidential data disposal procedures that must be followed by the user 14