Software in embedded devices offers many points of attack. A systematic approach to securing and automated scanning of security gaps helps.

IoT hacking: Improve firmware and network security Secure update mechanisms Do not underestimate web applications Reduce the attack surface Silence services Article in iX 2 / 2021 read How can IoT software be implemented securely? Embedded firmware often contains sensitive data. This also applies to images that are downloaded to update the firmware. If you extract their data, you can use exposed web services, databases, file or terminal services to steal or manipulate further information.

The methods for securing memory modules represent a hurdle, but not a complete safeguard against access to the memory content. This can only be achieved almost completely by encrypting all content. However, the correct implementation must be ensured here. Experience has shown that important key material such as private keys are often unsecured, i.e. stored in plain text. If an attacker steals the key, he can decrypt the firmware without great difficulty.

The firmware used must be signed so that an attacker cannot manipulate the memory content or the firmware. This is the only way to verify the source as trustworthy. Particular attention should be paid to the boot loader. An attacker often succeeds in manipulating the boot process in such a way that it does not take into account downstream signatures of the kernel or the file system or starts an alternative operating system. Therefore the authenticity of the bootloader has to be checked in order to secure the following processes.

Access to all contents of heise + exclusive tests, advice & background: independent, critically sound c’t, iX, Technology Review, Mac & i, Make, c’t read photography directly in the browser register once – read on all devices – can be canceled monthly first month free, then monthly 9, 95 € Weekly newsletter with personal reading recommendations from the editor-in-chief Start FREE month Start the FREE month now Already subscribed to heise +?

Log in and read Register now and read the article immediately More information about heise + IoT hacking: Improve firmware and network security Secure update mechanisms Do not underestimate web applications Reduce the attack surface Silence services Article in iX 2 / 2021 read