Secure Firmware and Software Updates a Matter of Trust
2020-02-20 Marco Blume
A lot has been written recently about the increasing network connectivity of embedded devices found in a wide array of smart applications and platforms, including automobiles, household appliances, industrial systems and medical equipment, and the subsequent expansion of the cyberattack surface now available to nefarious actors. Recent examples of such attacks include the infamous Stuxnet virus in 2010 that compromised Programmable Logic Controllers (PLCs) used in the Iranian nuclear program and a similar attack against the Ukranian power grid in 2015 that took out power for more than 225,000 people. Both of these attacks exploited weak software update mechanisms to install malicious code into embedded systems.
Frequent and timely software and firmware updates are critical to preserving the security and integrity of these connected systems. This criticality was illustrated by the more recent WannaCry ransomware attack that locked out file and data access on unpatched systems until a ransom was payed to the attacker. Although a patch was available for many of the affected systems, they were not updated in a timely fashion and devices with older operating systems no longer had available support and were susceptible to the attack.
To protect against such attacks, the Trusted Computing Group (TCG) recently published TCG Guidance for Secure Update of Software and Firmware on Embedded Systems. The reference document provides a comprehensive overview of the current threat landscape and in-depth guidance on how to mitigate risks and take the necessary steps to securely and regularly perform updates that reduce threats and attempt to validate the current execution state of the system.
The document identifies and delves further into the main phases and recommended practices in the secure software and firmware update lifecycle including secure firmware and software development, secure update signing, robust distribution to those systems needing updates, secure update installation, post-update verification and attestation and associated threats and countermeasures.
The reference document also provides assessments of the benefits associated with employing Trusted Platform Modules (TPM), Device Identifier Composition Engine (DICE) architecture and other Trusted Computing technologies in securing software and firmware updates for embedded systems.
Wibu-Systems has already developed use cases in conjunction with TCG and its technology to secure the devices, data and networks of the Internet of Things (IoT) and embedded systems. At the upcoming Embedded World 2020 meeting in Nuremberg, Wibu-Systems and Fraunhofer Institute for Secure Information Technology will demonstrate solutions for Industrial Internet of Things (IIoT) and embedded security based on the TCG specifications in the TCG exhibit, hall 1, booth 500.
Another good example of the collaboration of security-minded vendors was a demonstration that Wibu-Systems has previously completed with Infineon, using TPM technology to protect application code and intellectual property on a microcontroller.
An increasing number of connected systems are managed by microcontrollers. These units use sophisticated algorithms and are likely to need firmware updates during their lifetime. The firmware of today’s microcontrollers is generally loaded onto controllers as a compiled hex image using a serial connection, without any protection against reverse engineering or fraudulent manipulation. This leaves the file vulnerable in its transfer from the build system to the controller and jeopardizes the trustworthiness of the end-to-end production process.
Even if the manufacturer trusts his own build process, the microcontroller is no longer located in a controlled environment after it has left the production site. Vendors thus face a double threat: product know-how stolen by competitors and tampering attacks during updates and upgrades of the firmware. Either can occur in any insecure and unpredictable environment regulated by end users.
To achieve a comprehensive solution that meets the goals of know-how protection, integrity protection, and license-based monetization, the firmware of the Infineon XMC™ microcontroller was encrypted by Wibu-Systems CodeMeter µEmbedded technology with symmetric and asymmetric (AES and ECC) algorithms, digitally signed as part of the build process in the DAVE™ (Digital Application Virtual Engineer) toolchain and uniquely bound to the microcontroller via a secure TPM element.
During the third-party production of a XMC4500-based device, the secure firmware is loaded into the controller. When powering up for the first time, the loader communicates with the production system, generates a fingerprint of the device and is injected with a license. From then on, only encrypted, licensed and signed firmware can be loaded into the XMC microcontroller. If needed, the firmware can also use the license information for custom behaviors. The firmware cannot be extracted from the XMC and it is read-protected by internal XMC mechanisms.
You can read more about Wibu-Systems security technology collaborations with organizations like TCG here.
Contributor
Marco Blume
Product R&D Manager Embedded at WIBU-SYSTEMS AG
Since 2013, Marco Blume has been with WIBU-SYSTEMS AG as Product Manager/R&D Manager Embedded. His work covers the range of protection concerns for embedded systems and includes the development of custom concepts for manufacturers and contributions to active research ventures. He has spent his entire career with different embedded systems, including 11 years as product manager for the security of ATMs and checkout systems and previous responsibilities as embedded specialist for video systems and industrial automation.