Embedded system vulnerabilities.

00:00:00,400 --> 00:00:55,620
In this lesson, we're going to start talking about some embedded system vulnerabilities, because we talked about the fact that a lot of these devices that we connect to the Internet as part of the Internet of Things at large do have embedded operating systems like Linux or Android or other things like that. Now, when we talk about an embedded system, this is a computer system that is designed to perform a specific and dedicated function. Now, oftentimes, when we talk about an embedded system, we're talking about things more in the manufacturing space or automation space. So, we might have a microcontroller in a medical drip system that has one job: it's to measure the amount of volume of fluid that goes through that machine and into your IV so you can give the patient what they need. You might have another one for a control system at a water treatment plant, and its responsibility is to make sure that water is flowing through at a certain rate, and they're going to open or close valves to make sure we maintain that amount of flow through the system.
00:00:55,620 --> 00:01:50,290
This is the idea of an embedded system. And it can be a very, very simple device, or it can be fully complex and have a full operating system like Linux or Android being used to run these types of systems. It just depends. Now, in this particular lesson, I'm going to focus more on the specific embedded systems that have a single function, and they have their own dedicated operating system or microprocessors to do that function. For instance, at my house, I have a smart meter, so, if I go out to the side of my house, I can look at the electric meter on my house, and it will tell me how many kilowatts per hour I'm using and how much I've used over time. Now, this information is connected to the Internet so that the power company doesn't have to send somebody to my house to read this meter once a month. Instead, it's all done electronically now. They do this by using cellular modems, and it connects to the cellular network back over the Internet to their headquarters and to their servers to feed in the data of what we've used for power consumption.
00:01:50,290 --> 00:02:38,720
If you look at your meter at your house, you probably have something that looks pretty similar. Now, these types of embedded systems are considered static environments where frequent changes are not made or allowed. So, when is the last time you upgraded the software on your electric meter, for instance? You probably never have, and the power company probably doesn't do it very frequently, either. That's the idea of these embedded systems. They are a very stripped-down system that is made to do one purpose and one purpose only. And by doing that, that helps them become more secure, because they don't have a lot of extra code. But if that original code wasn't put in place in a good state, it makes it hard to do updates, because these things aren't built to be able to get frequent software updates. Because of this, embedded systems often have very little support for identifying and correcting security issues. You can't call the power company and tell them to come secure your meter; that's just not part of what they're going to do for you.
00:02:38,720 --> 00:03:27,930
They're going to do it the way they want to do it because it's their device. And often, if you have an embedded system inside your factory or inside your plant, if you're in a manufacturing area, you're going to have limited support from that manufacturer. And so, this is an area where you really want to get all these devices onto a separate network and not have them connected back to the Internet at large, or this could be a big area of vulnerability for you. Now, when we talk about embedded systems, there's a term called PLC, which is a programmable logic controller. This is a type of computer that is designed for deployment in industrial or outdoor settings, and it can automate and monitor mechanical systems. Now, when you think about a PLC, I want you to think of something like manufacturing that's going to open or shut a valve to let more or less water come in. That's the idea of a PLC. It is a programmable logic controller. Now, these PLCs run on firmware, because again, these are embedded systems.
00:03:27,930 --> 00:04:21,060
So, the firmware, which is software on a chip, can be patched and reprogrammed to fix vulnerabilities when they occur, but again, there's a very specific process and there's usually limited support from the manufacturer. It's not like Microsoft, where they're going to give you a patch every Tuesday. With these PLCs, you might get a patch every six months or a year or two years. There's usually a very long time in between patches. Now, another way we can do this is using what's called a system on a chip. This is another form of embedded system. This is where our processor integrates the platform functionality of multiple logical controllers onto a single chip. So, instead of having all these big PLCs all over the place, we can get all that down to one single chip. Now, this system on a chip can be very power efficient, and therefore, they're often used with smaller devices that need to have an embedded system. So, if I need to create something that's going to have an embedded system and be very small so that it can fit in my pocket, that would usually use something like a system on a chip.
00:04:21,060 --> 00:05:08,210
If you're using something like a Roomba or robot vacuum cleaner, those use a system on a chip type of mentality, because they try to get all that information put onto a single chip, because again, it takes up less space, and therefore, you can leave more room for the functioning parts you need, such as the vacuum. Now, the other thing we want to talk about is some of these operating systems they use. So, there's this thing known as an RTOS, which is a real-time operating system. Now, this is a type of operating system that prioritizes deterministic execution of operations. And this will help us to ensure consistent response for time-critical tasks. Now, think about this. If you're running something that has to open or shut a valve inside of a nuclear plant, can you have the ability for that to be offline at any time? Probably not, right? Well, that's the idea of where we would use an RTOS, a real-time operating system.
00:05:08,210 --> 00:05:59,560
This is because a lot of our embedded systems typically can't tolerate reboots or crashes, and they have to have these response times that are predictable within milliseconds. So, if I'm building something that's going to run parts of an airplane, that's going to help my autopilot fly, and where the autopilot needs to make adjustments on the wings every couple of milliseconds, well, that is something that we would want to use a real-time operating system for; we can't use a standard Windows system for that. It's just not fast enough or powerful enough, and it's subject to rebooting or crashing and security patches and all that other stuff. So, RTOS, when you hear that term, think about this as a type of operating system that's often used with embedded systems, especially in critical applications. Now, the last thing I want to talk about is an FPGA, which is a field programmable gate array. This is a type of processor that can be programmed to perform a specific function by a customer, rather than at the time of manufacture.
00:05:59,560 --> 00:06:48,910
So, if I'm going to use something like a system on a chip, that is going to be programmed by the manufacturer, and whatever it's programmed to do, that's what it's going to do. But with a field programmable gate array, I, as the customer, can actually program what I want it to do. This is really useful if I have a more generic function, like open or shut a valve, but I need to tell it what time I want it to do it. Or if I want to tell it how many seconds it should be open for and how many seconds it should be closed for. Those are things I can program in using a field programmable gate array. Now, the end customer here has the ability to program these things by configuring the programming logic. And we can do this to run a specific application instead of using an application-specific integrated circuit, like I was talking about a system on a chip design would. When you burn a system on a chip, that is the program you're going to have. When you're dealing with a field programmable gate array, you have the ability to change that.