Vendors That Don't Test Products Before Selling Them are Doomed to be Targets of Future Research and Attacks
In several of the talks at Black Hat and again at DefCon, both in early August, I noticed a number of security researchers using the open source Arduino boards for their projects. Arduino, which is Italian for “strong friend,” is useful among security researchers for rapid prototyping of tools used in hardware analysis. The most recent releases include 54 digital input and output pins, up to 256KB of memory, serial connectivity, power, and a reprogrammable USB interface for program uploading. In September, Arduino announced new open source hardware specifically targeting ARM prototyping and one model with a full TCP/IP stack.
The Arduino circuit board is pretty basic and can be easily configured to control lights, motors, and other actuators. Projects listed on the company site include "intrusion alarm, thermostat, line follower robot, RBS lights and switches, an intelligent bug zapper that shows how many bugs were zapped and average/cumulative zap time, a photovore robot that goes to the brightest source of light and a Poo and Pee detector, with a Diaper Shield, for use with newborn babies." These projects take advantage of the Arduino programming language (which is based on the open source Wiring project) and the open source Arduino development environment (which is based on the open source Processing project).
Arduino boards can be purchased directly from the company or from third parties, with programs already installed. But there's also a vibrant community of security researchers who prefer to build their own and go well beyond the basic weekend-hobbyist DIY projects. For example, at DefCon, Steve Ocepek presented “Blinkie Lights: Network Monitoring with Arduino,” using an 8×8 multicolor LED matrix, an Arduino board, and a network monitoring program to make a low-cost LED-based network sniffer for around $60. While it is a minor example, I expect to see more uses for Arduino and other boards at future security conferences.
The Arduino Due, the first ARM-based single-board development system, offers a 32-bit ATMEL SAM3U Cortex-M3 ARM-based processor running at 96MHz. Like the basic version already available, the Arduino Due includes 256KB of flash memory, 50KB of SRAM, 5 SPI busses, 2 I2C interfaces, 5 UARTs, and 16 analogue inputs offering a 12-bit resolution.
Since the Due will be a big departure from Arduino's usual fare, it is expected to undergo a beta testing period with selected developers. Following the Maker Faire in New York last week, a Developer Edition became available to those who want to shape the final design, which the company has promised will go on sale before the end of the year.
In addition, Arduino announced the Arduino Leonardo, which is able to simulate a mouse, a keyboard, and a serial port, and the Arduino Wifi Shield, which adds Wi-Fi capabilities to the basic Arduino board. The board uses a Wi-Fi micro module made by H&D Wireless and an AVR32 processor with the full TCP/IP stack.
With the Arduino board and other open source tools now available via the Internet, the days of saying it would take the resources of a nation-state to discover or exploit vulnerabilities in a particular piece of hardware in an industrial control system or a healthcare environment are rapidly fading. Vendors who do not test their products before selling them into the field are doomed to be targets of future research and, perhaps, attacks. Hopefully, future security disclosures will be handled responsibly. Hopefully, the good guys can also learn from products such as the Arduino.