The BSI has published a study on possible attacks on microcontrollers, which are used in industrial IoT products and particularly in the aviation and automotive sectors. The study shows that several attacks on microcontrollers are possible, but can be prevented with the right software.
The Fraunhofer Institute AISEC prepared the study "A Study on Hardware Attacks against Microcontrollers" on behalf of the Federal Office for Information Security (BSI), which presents the current status of hardware attacks on microcontrollers.
Study shows attack possibilities
The publication describes easy-to-implement countermeasures that can prevent many attacks or significantly increase the effort required of attackers. The aim of the study is to raise awareness of the existing risks among product developers and manufacturers, to show them ways to protect products, and to make the countermeasures available to a wide audience.
Microcontrollers are used in numerous areas, for example in aviation or in the automotive sector. The Internet of Things (IoT) also means that microcontrollers are increasingly being used in industrial products and consumables. In addition, they are increasingly used in security-related applications such as access systems or electronic purses (wallets). In such applications, sensitive data such as cryptographic keys are often stored in controllers. This makes them an attractive target for attack.
Hardware attacks require protective measures
Because they are mobile, devices with microcontrollers are exposed to more than classic attacks such as buffer overflows, which are mainly caused by remote access via software. Special attacks can also be carried out that do not target vulnerabilities in the software but exploit properties of the hardware itself. Such hardware attacks include, but are not limited to, side-channel and fault injection attacks.
In the past, product development did not take enough account of the security of the underlying hardware. Many current products therefore have vulnerabilities and attack vectors. Countermeasures can often be implemented at an early stage. The attacks demonstrated in this report should be practically feasible on all microcontrollers in the market overview. This implies that microcontroller products must have dedicated software-based countermeasures.
More at BSI.Bund.de
About the Federal Office for Information Security (BSI)
The Federal Office for Information Security (BSI) is the federal cyber security authority and shapes secure digitalization in Germany. The guiding principle: As the federal cyber security authority, the BSI shapes information security in digitalization through prevention, detection and reaction for the state, the economy and society.