Seatbelts, embedded firewalls, and complacency
What do embedded firewalls and seatbelts have in common, you ask? Quite a bit, as I see it. Both are simple, elegant, and effective solutions to important problems: protecting people in car crashes, and protecting embedded devices from hackers. Both are relatively inexpensive: like a seatbelt, an embedded firewall costs little compared to the overall cost of the device. And like a seatbelt, a firewall is a bit inconvenient. Someone has to go to the trouble of configuring the firewall.
By controlling with whom a device is allowed to communicate (IP address and MAC filtering), what communication is allowed (port and protocol filtering), and, in some cases, protecting against specific attacks (DoS protection, web-attack detection, etc.), a firewall provides a critical and easy-to-implement layer of security for embedded devices. Commercial products are now available, so engineers do not need to create a firewall from scratch or attempt to port an open source solution to a small embedded device.
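The two kinds of filtering described above (who may talk to the device, and what they may send) can be sketched as a static, default-deny rule table. This is an added example, not code from the article or from any commercial product; the struct layout, rule values, and sample packets are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
enum { PROTO_TCP = 6, PROTO_UDP = 17 };   /* IANA protocol numbers */

struct pkt {               /* header fields already parsed from a received frame */
    uint8_t  src_mac[6];
    uint32_t src_ip;       /* host byte order */
    uint8_t  proto;
    uint16_t dst_port;
};
struct rule {
    uint32_t net, mask;    /* who: permitted source network */
    int      pin_mac;      /* who: 1 = source MAC must also match */
    uint8_t  mac[6];
    uint8_t  proto;        /* what: protocol and destination port range */
    uint16_t port_lo, port_hi;
};
/* Constructed policy: addresses are documentation ranges, ports are assumptions. */
static const struct rule rules[] = {
    { IP4(192,0,2,10),   0xFFFFFFFFu, 1, {0x02,0,0,0,0,0x01}, PROTO_TCP, 443,  443  },
    { IP4(198,51,100,0), 0xFFFFFF00u, 0, {0},                 PROTO_UDP, 5000, 5010 },
};

/* Returns 1 if some rule permits the packet, otherwise 0 (default deny). */
int fw_allow(const struct pkt *p)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if ((p->src_ip & r->mask) != (r->net & r->mask)) continue;     /* IP filter */
        if (r->pin_mac && memcmp(p->src_mac, r->mac, 6) != 0) continue; /* MAC filter */
        if (p->proto != r->proto) continue;                            /* protocol */
        if (p->dst_port < r->port_lo || p->dst_port > r->port_hi) continue; /* port */
        return 1;
    }
    return 0;
}

/* Constructed sample packets. */
const struct pkt mgmt_ok      = { {0x02,0,0,0,0,0x01}, IP4(192,0,2,10),    PROTO_TCP, 443  };
const struct pkt mgmt_bad_mac = { {0x02,0,0,0,0,0x99}, IP4(192,0,2,10),    PROTO_TCP, 443  };
const struct pkt poll_ok      = { {0x02,0,0,0,0,0x42}, IP4(198,51,100,77), PROTO_UDP, 5005 };
const struct pkt telnet_probe = { {0x02,0,0,0,0,0x07}, IP4(203,0,113,5),   PROTO_TCP, 23   };

int main(void)
{
    printf("%d %d %d %d\n", fw_allow(&mgmt_ok), fw_allow(&mgmt_bad_mac),
           fw_allow(&poll_ok), fw_allow(&telnet_probe));
    return 0;
}
```

Anything not matched by a rule is dropped, so a service left listening on the device by accident is unreachable unless someone explicitly adds a rule for it.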
Virtually everyone designing embedded devices recognizes the growing need for security. Security is a hot topic at technology conferences and in the media, and many companies are focusing more resources on security. While security is getting a great deal more attention, people are still forgetting one critical component: firewall technology is still nearly absent in embedded devices. Engineers just don’t see it as a critical part of security, or think that security protocols provide sufficient protection, or don’t feel that a firewall is important enough to justify the time and expense.
Engineers may argue the risk of attack against embedded devices is not that high, or that embedded devices are inherently secure because they are not running Windows. Recent reports of vulnerabilities found in embedded devices show that this is simply not true. Printers have been hacked, insulin pumps and pacemakers have been compromised, and automotive control and safety features have been successfully hacked.
A seatbelt won’t eliminate death and injury in automobile accidents, and a firewall isn’t a silver bullet to thwart all attacks against embedded devices. Yet they both go a long way toward that goal. People failed to use seatbelts for decades before laws requiring their use were imposed. Seatbelts now save thousands of lives each year. Yet some people are still complacent; my father, for example, still refuses to wear a seatbelt. Unlike seatbelts in cars, firewalls are virtually absent in embedded devices. With the growing attention to security for embedded devices and the Internet of Things, there is no room for complacency. Buckle up, and protect your embedded device.
Alan Grau is the President of Icon Labs. You can reach him at firstname.lastname@example.org