diamond_full diamond diamond_half diamond_euro search-icon menu chat-icon close-icon envelope-icon smartphone-call-icon

Embedded Security Assessment

What is an Embedded Security Assessment?

Embedded systems are increasingly integral to both industrial applications and consumer products, particularly in the smart home sector, where they frequently connect to internal networks or the Internet. This connectivity is often referred to using terms like the Internet of Things (IoT) or cyber-physical systems (CPS). Typical use cases encompass a range of scenarios that highlight the importance of embedded software development and security. As these systems evolve throughout their development lifecycle, addressing potential vulnerabilities becomes paramount.

Static analysis and side channel analysis are critical testing methods that assess the security aspects of embedded software systems, helping to uncover weaknesses that could be exploited in an embedded system. By taking control of the system through thorough embedded software tests, organizations can better secure embedded systems against cyber security threats.

The integration of security frameworks and a software bill of materials into the development process is essential to maintaining hardware security features and meeting cyber security requirements. The ongoing evolution of embedded software security testing will play a important role in safeguarding the future of many embedded devices.

Typical use cases for embedded systems include:

  • Industry 4.0, Process IT (systems to control and monitor machines and facilities in the areas of production and logistics)
  • Automotive (automobiles, control units, head units or combined instruments, sensor technology, driver assistance systems, etc.)
  • Consumer products (smart home, office and network technology, multimedia systems, household appliances, home automation and monitoring, electronic fitness devices, etc.)
  • Health and medical technology (clinical devices, systems to monitor patients and important body functions)
  • Home automation and process control

placeholder for background/embedded.jpg

Objective

Identification of vulnerabilities in IoT devices or other embedded systems with a risk assessment for specific threat scenarios

Question

How secure is the embedded system and what can external attackers or malicious users and employees achieve in the worst case?

Scope

IoT devices or other embedded systems including hardware and interfaces

Embedded Security Assessment Process: Methodology & Approach

In a comprehensive security assessment of embedded systems, both hardware and software components are scrutinized to identify potential vulnerabilities. The auditor assumes the role of an external attacker or a privileged user, simulating various attack vectors. These can include techniques such as reading storage chips, man-in-the-middle attacks, and infiltrating systems by exploiting weaknesses in exposed interfaces.

In general, the assessment is based on the approach of an examination that is as comprehensive as possible. However, depending on the type of application or system and the relevant threats, a risk-based approach is also possible (comparable to a penetration test ). In this case, the focus is on particularly security-critical or endangered areas, whereby the scope of the test is determined by the time budget agreed upon in advance.

Core Components of a SCHUTZWERK Embedded Security Assessment

The embedded security assessment usually consists of the following parts:

  • Analysis of hardware (e.g., data extraction from chips, access to debug and diagnostic interfaces)
  • Analysis of firmware and operating systems together with existing update processes
  • Analysis of specific security features (e.g., secure boot or HSM integration)
  • Analysis of cryptographic methods (e.g., for encryption, signature verification, challenge-response procedures, or entropy of RNGs)
  • Analysis of SoC-specific features (e.g., boot chain security, memory isolation, TEE isolation)
  • Analysis of communication within the embedded system (e.g., data transfer between chips or processors)
  • Analysis of communication with external components or backend services (e.g., via field buses, Bluetooth, NFC, Wi-Fi, or mobile connections)
  • Analysis of passive and active side channel attacks (e.g., power analysis or fault injection via power glitching)
  • Analysis of application layer (e.g., user inputs or backup functionality)
  • Documentation, including a risk evaluation and proposed measures

Embedded Security Assessments and Relevant Regulations & Standards

The security of embedded systems is subject to a variety of regulations and standards that can be relevant depending on industry and application area. A comprehensive embedded security assessment takes these requirements into account and helps you achieve regulatory compliance:

  • Cyber Resilience Act (CRA) - This new EU regulation establishes concrete requirements for the cybersecurity of connected products. An embedded security assessment helps you meet these requirements and prepares your product for market launch.

  • IEC 62443 - This series of standards defines security requirements for industrial automation systems and covers both technical and organizational aspects. Our assessments are conducted with these requirements in mind.

  • EU Radio Equipment Directive (RED) - Products with radio interfaces are subject to specific security requirements according to EU RED. We verify compliance with the relevant security provisions.

  • ISO/SAE 21434 - This standard for cybersecurity in the automotive industry defines requirements for cybersecurity management throughout the entire vehicle life cycle, for example with regard to threat analysis and risk assessment (TARA) or the verification of security measures. Our embedded security assessments for automotive components for automotive components are tailored to this standard and meet the requirements of technical verification in particular.

  • UNECE R 155 - This regulation contains binding requirements for cybersecurity in vehicle type approval. We support you with our automotive security assessment in meeting these requirements during the homologation process.

By working with our experts, you ensure that your embedded systems are not only technically secure but also comply with relevant regulatory requirements.

Embedded Security Assessment Results: Risk Evaluation & Countermeasures

As a result of the assessment we will provide a detailed report. Depending on the type and scope of the project, the final report will include the following parts:

  • Management summary with a description of the results and the security level
  • Description of the project approach, scope, schedule and methodology
  • Detailed description of identified vulnerabilities in order to understand underlying issues and to enable reconstruction of possible attacks (where necessary with proof-of-concept implementation)
  • Detailed description of the iterative exploitation process when using chained vulnerabilities
  • Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
  • Description of measures to remedy the vulnerabilities
  • If necessary, a description of higher-level strategy, concept and process-related measures or optimization suggestions.

Blog & News

Blogposts about: embedded security

Blog & News Archive

Latest 2024 2023 2022

How can we help you?

Call us or schedule an appointment directly

+49 731 977 191 - 0 Schedule an appointment
Free Consultation