Creating a Configuration Security Layer for Embedded Devices: A research-based on the case study of a widely used Embedded Device

2020 
As software security expert Bruce Schneier argues, the pervasive vulnerability of embedded systems today is structurally similar to the security crisis of PCs in the mid-1990s, only much worse. Embedded devices are ideal malware targets for several reasons. Firstly, Internet-connected devices are inherently more exposed to remote exploitation. Furthermore, embedded systems are notoriously difficult to update, which regularly leads to unpatched vulnerabilities. Last but not least, many such devices operate in a mostly unattended fashion, which means that the timely discovery of a compromise is unlikely. Hardening is the process of securing a system by reducing its surface of vulnerability. This research examines the hardening of already deployed embedded devices that are connected to the Internet. A method capable of automatically generating and enforcing a security configuration based on the embedded system's set of functions has been designed and implemented. The proposed system is dynamic, automatic, and seamless. The hardening level of such devices is measured through recognized security benchmarks. The objective is to harden the product as much as possible while maintaining its full functionality. This study concerns embedded systems using custom Linux-distribution software. The thesis was conducted in cooperation with Atos. OpenScape Business series X (OSBiz X) was used as a case study. OSBiz X is an embedded system used as a telephony center, with more than 150.000 systems already deployed worldwide. Implementing the system described above on OSBiz X significantly increased the hardening level of the product while its functionality remained intact. Given the results of the case study, Atos plans to integrate the proposed system into the next version of OSBiz X's official release. Finally, research is ongoing into other products within the organization that could greatly benefit from this approach.