I used to consider myself a hacker, but that was decades ago when the term referred to programmers who could do interesting things with computers. These days hacking is all about attacking computer systems, usually doing something bad or nefarious rather than constructive and inventive.
Those of us who have taken up programming as a job know both the joys and horrors of computers and software. Most will also understand the difficulty of explaining the possibilities and limitations of software to those outside of the industry. To many of those individuals, computers and software are more like magic. And while magic may be fine for fiction, too many things that happen on shows like “NCIS” are thought to be closer to reality than fantasy by those uneducated in the underpinnings of computers. Having NCIS hacking into the CIA or other entities to get information needed to capture its target is not something that can be done, nor would we really want it to happen.
I tend to cringe when I hear things like President Donald Trump saying “I know a lot about hacking and hacking is a very hard thing to prove.” The comment is actually about proving who did hacking related to the U.S. election and the Democratic National Committee’s e-mail. This discussion will continue to play out on the national stage, but there are implications for those dealing with embedded systems and the Internet of Things (IoT) that we talk about here at Electronic Design.
In particular, the follow-on comments that “no computer is safe,” and the recommendation to use couriers for secure communication, fly in the face of emerging technologies from smart buildings to self-driving cars and smart city infrastructure. Using human couriers for those is a bit impractical, and it is obviously counter to the purpose of these IoT applications. It also highlights a misunderstanding of computer security and the state of computer affairs.
The problem is that the discussion is quite complex, with many issues and facts. It is also true that there isn’t just one type of computer environment in this discussion. Just try explaining to someone something simple, like why a Distributed Denial of Service (DDoS) swarm of computers is hard to prevent, detect, and disarm; why there is more than one of these on the internet; and what this means for billions of IoT devices.
Even the security differences between smartphones, tablets, and PCs are major, and they are just a fraction of the environment. Remember, each of these has different operating systems, methods of updates, and distribution of software. All this is related to security.
So will all this rhetoric make any difference to that embedded system you are working on? Will it make justification of security support easier or harder? Given the potential political trend toward deregulation, will security be something that falls by the wayside? Will protection of content be limited to multimedia via HDMI?
We like to think that much of our work can be done in relative isolation when developing a product for a specific purpose. It was less common in the past that a device could be used for a much different purpose than what it was originally designed for. That will not be the case with IoT devices, simply because of their programmability and connectivity. Preventing an attack on a device is only part of the discussion, since the actual attack surface can be quite large: An IoT device’s surface includes related devices and services such as gateways and cloud services.
It is much easier to talk about security specifics, from secure boot to self-encrypting drives (SED), than it is to discuss policy and user understanding. We will continue to concentrate on the former, but we can’t overlook the latter.