Sunday, March 12, 2017

How CIA hackers tried to explain the IoT and Embedded Systems to their “management”; also bullets dodged by Intel’s VXWorks and Blackberry’s QNX

I must admit that when the news broke this week about the Vault 7 WikiLeaks files I had to go and take a look; did you? The CIA won’t say if these documents are fakes, but my sense is they are authentic, given the banality anyone who has worked in a large corporation and browsed the internal wiki will immediately recognize. This leak doesn’t include any actual code, just the project pages and descriptions of the work of the wonderfully titled (for me) Embedded Development Branch (EDB).

After spending more than a decade in the pre-IoT Embedded market I had a few flashbacks to the days when we toiled in a computing backwater that few could define and most couldn’t care less about. There was much to ponder among these 8000 pages; much of it mundane, but every now and again a gem would show itself, and I will share a couple that struck me.

Like any good working group or project team, it had to define its mission, scope and purpose, so at some point the CIA hacker team came up with this:

Do we need to define "embedded systems" for management and customers?

- Technical: A single-purpose device that has a firmware running a software operating system.
- Non-technical: A computer serving a singular function that doesn't have a screen or keyboard.
- Really non-technical: "The Things in the Internet of Things"

Many of us from Embedded land have argued about the definition of an Embedded System, and just for grins here is Blaza’s definition: “a system that doesn’t allow the user access to the operating system”.

This means PCs aren’t embedded devices, while an ultrasound machine may have a screen and keyboard but the doctor isn’t going to browse the web on it. I like mine more than the CIA’s!

You can find the CIA Vault 7 documents here if you want to go on your own journey of discovery. I will spend a little more time digging around, but wanted to share another nugget which I think is interesting.

The EDB team decided to leave two specific operating systems alone; namely VXWorks by Wind River (part of Intel) and QNX, which is now owned by Blackberry and widely used in vehicle computing systems. My guess is that this team knew that these are highly secure operating systems and extremely difficult to attack compared to all the wide-open and free Linux distros that are proliferating in the IoT. In the Embedded market a decade ago there were interminable debates about whether Linux could or even should be used in embedded devices, and now we have our answer; it should never have been used in anything mission critical because it’s virtually impossible to protect. Some of you may say the same for Windows, but it had limited penetration into the embedded market and Microsoft drifted out of the market in recent years.

My word of advice for anyone developing in the IoT is to go and license (for real money) a secure real-time operating system like VXWorks, QNX or Integrity from Green Hills, because these were built to be secure and Linux wasn’t. The classic adage never held truer: if you buy cheap, you buy twice. Samsung should have known better.

  1. Firmware is simply much more secure than an operating system, such as Linux, that allows dynamic modification of the system architecture at runtime -- i.e. loading modules. The following whitepaper explains this in detail:

  2. Welcome post, very useful information, and I am expecting more posts like this; please keep updating us.

  3. Good post, it's nice to read. At Saturam, we know that greatness in a connected era requires audacious re-interpretation of the status quo, best-in-class talent and a culture that believes in conquering together. We approach every device, data and AI challenge holistically, with tier-1 expertise in the areas of Banking, Manufacturing, Food, Hospitality, Retail and Telco. On-premise, on-cloud, on-edge.

  4. Thanks for sharing such an amazing and nice post.

  5. Thank you so much for sharing the blog. Nowadays IoT is a very important factor in any type of industry. We have expertise in developing IoT applications for industries like water, transportation, education, hospitality, healthcare etc. For more info about IoT in the water industry please visit -

  6. Thank you for sharing this info. We are offering a video door phone system based on IoT technology. It can be controlled through mobile from any place at any time. For more details you can visit our site.

  7. Internet of Things (IoT) has become one of the hottest topics in technology. Thank you for this nice article. Keep sharing.
    Get more details on IoT Course

  8. Yes, IoT can be used in many ways; thanks for sharing this informative content about IoT.

    Cloud Accounting Software

  9. Impressive. Thanks for sharing the information.
    Indian Cyber Army’s most awaited internship is live now: Summer Internship 2018 on “Ethical hacking”. Book your seats before it runs out. Candidates have to get themselves registered to be a part of this internship program. Here the internship will give you on-the-job experience, help you learn whether you and the cyber security industry are a good match, and can provide you with valuable connections and references. Here interns are usually exposed to a wide variety of tasks and responsibilities, which allows the intern to showcase their strengths by working on projects for various managers that work on different parts of Indian Cyber Army. Becoming a high-performing intern is a fantastic way to improve your employment prospects. This internship can be a great way to get your foot in the door of success with a prestigious or desirable organization, as a career in ethical hacking is most in demand.

  10. Thanks for the information. It is really nice. Information security is the set of processes that maintain the confidentiality, integrity and availability of business data in its various forms. In this age of technology advancement, computer and information technology have not only brought convenience to citizens in modern life but also helped policemen and various Government officials of the nation to fight cybercrime through various modus operandi. Indian Cyber Army has been dedicated to fighting cyber crime, striving to maintain law and order in cyberspace so as to ensure that everyone remains digitally safe. Read more:- Information Security

  11. Hi, thanks for sharing nice information. IoT can be used in many ways; thanks for sharing this informative content about IoT. For more information please visit.
    IoT Training in Ameerpet

  12. Nice post, thanks for sharing the more valuable information.
    The best ethical hacking training in Noida is provided by Indian Cyber Army. Indian Cyber Army's credibility in ethical hacking training and cybercrime investigation training is acknowledged across the nation, as we offer hands-on practical knowledge and full assistance with basic as well as advanced level ethical hacking and cybercrime investigation courses. The training is conducted by subject specialist corporate professionals with wide experience in managing real-time ethical hacking/cyber security projects. Indian Cyber Army implements a blend of academic learning and practical sessions to give the candidate optimum exposure. Ethical hacking training, Ethical hacking course

  13. Indian Cyber Army validity in Ethical hacking training and Cybercrime examination preparing is recognized crosswise over country as we offer hands on reasonable information and full help with essential and in addition propelled level moral hacking and cybercrime examination courses. The preparation is led by subject master corporate experts with wide involvement in overseeing continuous moral hacking/digital security ventures. Indian Cyber Army actualizes a mix of scholastic learning and handy sessions to give the applicant ideal presentation.