Sunday, March 12, 2017

How CIA hackers tried to explain the IoT and Embedded Systems to their “management”; also bullets dodged by Intel’s VXWorks and Blackberry’s QNX

I must admit that when the news broke this week about the Vault 7 WikiLeaks files I had to go and take a look; did you?  The CIA won’t say if these documents are fakes but my sense is they are authentic given the banality anyone who has worked in a large corporation and browsed the internal wiki will immediately recognize.  This leak doesn’t actually include any acual code but just the project pages and descriptions of the work of the wonderfully titled (for me) Embedded Development Branch (EDB).  

After spending more than a decade in the pre-IoT Embedded market I had a few flashbacks to the days when we toiled in a computing backwater that few could define and most couldn’t care less about.  There was much to ponder among these 8000 pages; much of it mundane but every now and again a gem would show itself and I will share a couple that struck me.

Like any good working group or project team it has to define its mission, scope and purpose so at some point the CIA hacker team came up with this:

Do we need to define "embedded systems" for management and customers?

§      Technical:  A single-purpose device that has a firmware running a software operating system.
§      Non-technical:  A computer serving a singular function that doesn't have a screen or keyboard.
§      Really non-technical:  "The Things in the Internet of Things"

Many of us from Embedded land have argued about the definition of an Embedded System and just for grins here is Blaza’s definition:  “a system that doesn’t allow the user access to the operating system”.  

This means PC’s aren’t embedded devices but an ultrasound machine may have a screen and keyboard but the doctor isn’t going to browse the web on it. I like mine more than the CIA’s!

You can find the CIA Vault 7 documents here if you want to go on your own journey of discovery.  I will spend a little more time digging around but wanted to share another nugget which I think is interesting.  

The EBD team decided to leave two specific operating systems alone; namely VXWorks by Wind River (part of Intel) and QNX which is now owned by Blackberry and widely used in vehicle computing systems.  My guess is that this team knew that these are highly secure operating systems and extremely difficult to attack compared to all the wide open and free Linux distros  that are proliferating in the IoT.  In the Embedded market a decade ago there was interminable debates about whether Linux could or even should be used in embedded devices and now we have our answer; it should never have been used in anything mission critical because it’s virtually impossible to protect.  Some of you may say the same for Windows but it had limited penetration into the embedded market and Microsoft drifted out of the market in recent years.

My word of advice for anyone developing in the IoT is to go and license (for real money) a secure real time operating system like VXWorks, QNX or Integrity from Green Hills because these were built to be secure and Linux isn’t.  The classic adage never held truer, if you buy cheap you buy twice. Samsung should have known better.


  1. Firmware is simply much more secure than an operating system, such as Linux, that allow dynamic modification of the system architecture at runtime -- i.e. load modules. The following whitepaper explains this in details:

  2. Welcome Post very usefull informatation.and iam expecting more posts like this please keep updating us........

  3. Good Post,Its Nice to read. At Saturam, we know that greatness in a connected-era requires audacious re-interpretation of status-quo, best-in-class talent and a culture that believes in conquering together. We approach every device, data and AI challenge holistically, with tier-1 expertise in the areas of Banking, Manufacturing, Food, Hospitality, Retail and Telco. On-premise, On-cloud, On-edge.

  4. Thanks for sharing such type of amazing and nice post,.

  5. Thank you so much for sharing the blog. Nowadays IoT is very important factor in any type of industry. We are having expertise in developing IoT applications for industries like Water, transportation, education, hospitality, healthcare etc. For More info about IoT in Water Industry Please Visit at -

  6. Thank you for sharing this info.we are offering video door phone system based on IOT technology.It can control through mobile from any place any time.for more details you can visit our site.

  7. Internet of Things (IOT) has become one of the hottest topics in technology. Thank you for this nice article. keep sharing.
    Get more details on IOT Course