IoT makes security protection imperative for embedded software

September 5th, 2016, Published in Articles: EE Publishers, Articles: EngineerIT


Manufacturers of appliances, automotive, consumer electronics and medical devices are rapidly expanding the use of embedded devices powered by software, making products smaller and adding new features and in many instances reduce the energy consumption. Many analysts say this is only the beginning and that in the future just about everything will be embracing some device driven by software and connected to the internet. So the internet of things (IoT) is no longer just hype, but is fast approaching everyday reality.

However, there are some unintended consequences. As more and more products rely on embedded software, the risk of security breaches increases exponentially. Cutting-edge hackers are fully aware of this and will exploit weaknesses.

Security problems often stem from the need to accelerate development and bring new products to market ahead of the competition. The majority of security vulnerabilities are a result of coding errors that go unnoticed in the development stage.

A white paper by Programming Research quotes the Carnegie Mellon’s Computer Emergency Response Team (CERT) who found that 64% of vulnerabilities in the CERT National Vulnerabilities Database were the result of programming errors. Similarly, the US National Institute of Standards and Technology (NIST) which tracks cyber security issues, found application layers are among the leading attack vectors accounting for 92% of reported vulnerabilities.

Issues that can introduce vulnerabilities include corrupted data, overflows, dangling pointers and uninitialised data. These issues contribute to attack surfaces which hackers can exploit once the flaws are discovered.

The Detroit Free Press reported on 24 July 2015 that Fiat Chrysler Automobiles were under pressure from the US Federal Regulators to recall 1,4-million cars and trucks to protect them from cyber security attacks just days after Wired magazine reported that a Jeep Cherokee could be hacked remotely. A scary thought indeed.

Traditional business and personal computing devices have methods in place to update software and fix newly identified bugs. It is significantly more difficult to address software defects and issues on embedded devices which are not always connected to a trusted source and may require on-site visits by a technician to update the firmware. As a result of these limitations, security problems in embedded devices can have a serious negative impact on businesses.

Cyber-attacks that were not so long ago in the realm of movies are now uncomfortable realities that must be taken seriously. With so many people depending upon devices for health and protection, there is a very real possibility that someone will be injured or killed by compromised embedded software in an aircraft, car, pacemaker or fire control. Just imagine a hacker takes over the embedded devices in your car and controls your steering or acceleration.

Many developers work under time pressures and are evaluated on their ability to produce quality software. Many of them lack security training. It is there not surprising that they have difficulty in finding security problems during code review. Training a development team to create secure software takes time away from their development activities and will put additional strain on deadlines.

In his study “Software defect origins and removal methods”, Caper Jones, president and CEO of Capers Jones & Associates said that due to low defect removal efficiency at least eight forms of testing are needed to achieve reasonably efficient defect removal. Testing by itself without any pre-test inspections or static analysis is not sufficient to achieve high-quality levels. Pre-test inspections and static analysis are synergistic with testing and raising testing efficiency.

Static code analysis tools integrated into a developer’s integrated development environment and incorporated into the team’s existing workflow enable the early and automated detection of key security issues and vulnerabilities. A process in which developers run frequent analysis on their code provides them with quick feedback they need to make corrections as the code is being written.

Static code analysis tools can address a variety of security issues including invalidated user input, buffer overflows, code injection, unprotected data, insecure API’s resource and memory leaks, race conditions and dereferencing  Null pointers as well as errors related to memory allocation resource management and use of uninitiated data.

Two of the most prominent security initiatives related to secure software development are the Common Weakness Enumeration (CWE) database project and the CERT C coding standard. The CWE database includes security issues related to multiple programming languages and can be applied to a broad range of application types, including web, desktop, mobile and embedded. In contrast, the CERT C coding standard is focussed specifically on the C language which is the most widely used in embedded software application development. An increasing number of organisations are making adhering to these guidelines and standards a requirement for both internal development organisations and outsourced application development vendors.

Development organisation can now employ static analysers that include built-in checkers for CWE related coding errors and support the CERT C standards. This will enable developers to address errors before code check-in. Static Analysis tools can automatically aggregate information from the entire development team about what errors are being found and fixed. This will give teams a better understanding of defect reduction trends. Organisation-wide view of how well defect elimination efforts are working can be generated. This critical insight will enable management to identify areas within the code base that have the greatest risk.

As the concept of IoT and industrial IoT becomes more pervasive, elimination of any possible data breach vulnerability becomes imperative. This translates to more time having to be spent on training developers on security issues and providing them with more tools to do so.

The full white paper is available on




Related Articles

  • South African Government COVID-19 Corona Virus Resource Portal
  • Ministerial determinations propose 13813 MW of new-build by IPPs, none by Eskom
  • Crunch time for South Africa’s national nuclear company, Necsa
  • Dealing with the elephant in the room that is Eskom…
  • Interview with Minerals & Energy Minister Gwede Mantashe