Sunday, March 12, 2017

How CIA hackers tried to explain the IoT and Embedded Systems to their “management”; also bullets dodged by Intel’s VXWorks and Blackberry’s QNX

I must admit that when the news broke this week about the Vault 7 WikiLeaks files I had to go and take a look; did you?  The CIA won’t say if these documents are fakes but my sense is they are authentic given the banality anyone who has worked in a large corporation and browsed the internal wiki will immediately recognize.  This leak doesn’t actually include any acual code but just the project pages and descriptions of the work of the wonderfully titled (for me) Embedded Development Branch (EDB).  

After spending more than a decade in the pre-IoT Embedded market I had a few flashbacks to the days when we toiled in a computing backwater that few could define and most couldn’t care less about.  There was much to ponder among these 8000 pages; much of it mundane but every now and again a gem would show itself and I will share a couple that struck me.

Like any good working group or project team it has to define its mission, scope and purpose so at some point the CIA hacker team came up with this:

Do we need to define "embedded systems" for management and customers?

§      Technical:  A single-purpose device that has a firmware running a software operating system.
§      Non-technical:  A computer serving a singular function that doesn't have a screen or keyboard.
§      Really non-technical:  "The Things in the Internet of Things"

Many of us from Embedded land have argued about the definition of an Embedded System and just for grins here is Blaza’s definition:  “a system that doesn’t allow the user access to the operating system”.  

This means PC’s aren’t embedded devices but an ultrasound machine may have a screen and keyboard but the doctor isn’t going to browse the web on it. I like mine more than the CIA’s!

You can find the CIA Vault 7 documents here if you want to go on your own journey of discovery.  I will spend a little more time digging around but wanted to share another nugget which I think is interesting.  

The EBD team decided to leave two specific operating systems alone; namely VXWorks by Wind River (part of Intel) and QNX which is now owned by Blackberry and widely used in vehicle computing systems.  My guess is that this team knew that these are highly secure operating systems and extremely difficult to attack compared to all the wide open and free Linux distros  that are proliferating in the IoT.  In the Embedded market a decade ago there was interminable debates about whether Linux could or even should be used in embedded devices and now we have our answer; it should never have been used in anything mission critical because it’s virtually impossible to protect.  Some of you may say the same for Windows but it had limited penetration into the embedded market and Microsoft drifted out of the market in recent years.

My word of advice for anyone developing in the IoT is to go and license (for real money) a secure real time operating system like VXWorks, QNX or Integrity from Green Hills because these were built to be secure and Linux isn’t.  The classic adage never held truer, if you buy cheap you buy twice. Samsung should have known better.