Introduction to Secure Embedded Systems

  • Catherine H. Gebotys
Part of the Embedded Systems book series (EMSY)


Security is increasingly widespread in many embedded systems. Embedded systems requiring security range from the smallest RFID tag to satellites orbiting the earth. This widespread need for security is expected to continue for many more decades. Future growth services include identity control (e-passport, e-VISA), public services (e-administration, e-commerce, e-banking, transportation), communication (SIM card, PDAs), retail business (inventory systems), health care (patient monitoring, RFID, pharmaceuticals supply chain), and entertainment (games, movie industry). For example, the global shipment of smart cards exceeded five billion units in 2008. This is expected to increase by 11% through 2012 (RNCOS 2009). In 2008, 70% of the shipment was attributable to mobile subscribers. The use of contactless smart cards is expected to grow by 30% through 2012 (RNCOS 2009). This section will briefly introduce some types of security attacks on embedded systems and then give an overview of some interesting embedded systems and their security requirements.

Embedding security into devices is not a straightforward process. First, the type of security functionality to embed into the device must be determined. This is often a challenge, since specifying security requirements largely depends upon attack or threat models, which may not be fully known at the time. Designers must also ensure that their implementations are secure, since the implementation is typically the focus of attacks. Unlike other embedded constraints such as energy, performance, and cost, which can be verified and quantified, the verification of security is often not possible (apart from functionality). In general, security can be neither quantified nor readily verified, due to the possibility of unforeseen future attacks. From a security point of view, a complete understanding of the device from the process level and up is necessary in order to verify that the security and its implementation are sound. This section will discuss attacks and the need for security in some interesting embedded systems.


Keywords: Smart Card; Embed System; Security Requirement; Side Channel; Replay Attack
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. Department of Electrical & Computer Engineering, University of Waterloo, Waterloo, Canada
