Our devices hold answers and often snapshots of our lives. Our videos, pictures, thoughts of the day, wallets, research history, favorite playlists, medical information, banking information, our children’s schedules, access to our homes and cars, nearly every aspect of our lives is detailed in the palm of our hand (maybe microelectronics we carry). Yet the semiconductors that power our devices – the intricate embedded systems which enable this unfettered access – are not entirely secure, inside or outside of the device. As Dan Walters, Senior Principal Microelectronics Solution Lead at MITRE, says, “If semiconductors fall into attackers’ hands, it portends all manner of problems. For example, attacker access may facilitate attacks on other embedded systems and the theft of information stored on attacked systems.”
Every day, an increasing number of devices are being connected to the internet, and attackers are becoming increasingly successful at remotely accessing these devices, even cars. Embedded systems – hardware programmed with firmware that aligns it to its device – require security measures to prevent such attacks, much like the protection commonly applied to standard computer systems. To achieve security, embedded security programming must be designed properly, for example by meeting authentication requirements that ensure only authorized users can access a device. Then this theoretical design must be properly implemented on the embedded system through the program of code-bearing firmware.
But embedded security currently faces several challenges in the area of design and implementation. The first challenge relates to workforce: it is broadly understood that a talent shortage exists in the field of cybersecurity. MITRE lead for project incubation Brendan McEntee notes that “this is especially true in terms of embedded systems. For example, colleges often do not have curriculums to teach students about this burgeoning field”.
Another challenge for embedded security relates to the economic pressures on embedded systems. Walters explains, “The devices to which the chips are being applied face intense pressure to be low cost, limiting resources to invest in the design and implementation of successful security practices.” This is especially problematic, since the supply of embedded security designers and implementers is low.
MITRE has developed a unique and efficient way to address this talent shortage: its annual two-phase embedded capture the flag (eCTF) competition. In the eCTF student teams first tasked with designing a secure version of a given embedded system, such as a key fob system for a car door lock. Then they shift perspectives and attack systems created by other teams; at this point they may realize their own design errors as they exploit the mistakes of others. The competition started in 2016 with four universities and it now includes almost 60. We also offer sponsorships which offer a way for companies to get involved and gain access to students with the embedded security skills that they value highly.
“Black Hat” illicit adversaries continue to advance and develop new strategies to attack and bypass the embedded security protections that are being developed. And Ben Janis, a former eCTF participant who now works with Walters, notes that “even if we create security systems that address new attack strategies, the embedded systems of countless legacy devices aren’t being updated with new security protections, creating areas that attackers can continue to use outdated ways.” The eCTF is playing a crucial role in increasing the supply of computer scientists that engage with firmware to meet challenges such as these and find innovative ways to increase security in the embedded systems that are expanding around us.