Two explorers, George and Harry, were exploring in the jungle when a large, hungry-looking tiger jumped out of the undergrowth in front of them. The hungry tiger paused to look at the two men as if deciding which one it eat first.

While the tiger hesitated, George quickly slipped on a set of running shoes.

"Don't be stupid," said Harry, "you'll never outrun a tiger!"

"I dont have to outrun the tiger," replied George, "I only have to outrun you!!"

In most cases security is the same. Your device only has to be more secure than the next device with similar functionality. Of course, the more you improve your own security compared to the next device, the less risk your device has of being compromised.

As consumer electronics devices such as set-top boxes, digital TVs, mobile phones and tablets get more advanced, they will become more attractive targets for hackers to attack.

There are a number of reasons for this:

• Their use model makes them attractive to hackers. They may be used to steal valuable personal information such as credit card numbers as consumers use these devices for web access. When near-field communication is used for payment for goods and services then mobile devices with such hardware will certainly become very attractive targets.
• Their software is generally less mature than existing devices. For example, PCs have had to deal with viruses, worms, and other internet-based attacks against core software for many years and now have reasonable software such as anti-virus agents to help detect and prevent attacks. The rapid speed of development and evolution, the pressure to keep development costs to a minimum, and the fact that most embedded devices have custom software also makes it hard to develop a consistent and effective approach to security.
• They are generally not updated often. Unlike my PC that obtains almost daily updates for the operating system, anti-virus software and applications, my blu-ray player, digital TV and mobile phone and tablet get updated at best every few months! I don't believe that in this period of time no vulnerabilities have been found as a lot of these devices run Linux and I can see daily reports of potentially serious operating system security flaws.

So, why haven't we seen hacking on a large scale happening to embedded devices? I think the simple reason for this is that until recently a lot of these devices weren't connected to open networks. i.e. it is only relatively recently that "smart" phones came into existance and that set-top boxes and TVs have become "connected".

Also, until recently the software they ran was relatively simple and could be well tested with a high degree of test coverage. Embedded devices also tend to have more secure hardware, with significant effort being put into ensuring that software cannot be modified or that memory can not easily be altered on the fly.

But software is now increasing dramatically in complexity and these devices are becoming more and more critical to the lives of the consumers who own them. As consumers demand more and more features from embedded devices, the amount of software required is increasing at an exponential rate. The large amount of interconnected software components from many different vendors together form a system that is very difficult to comprehensively test. It also needs to be regularly updated in the same way a PC is as these devices are growing to the point where they have the complexity of a PC!

Unfortunately in many cases the software complexity is increasing faster than the rate of technical expertise in many maufacturers. This is especially true at the lower price end of the market where the pressure to get products out to market as quick as possible is greater.

The final factor that will contribute to their increased susceptability to attack is that there is more standardisation now on the lower-level software components. Linux is becoming the prevalent operating system in these devices and many open-source libraries are being used for the software infrastructure. Hackers can therefore use their knowledge of this software to try and target multiple platforms, safe in the knowledge that the devices they are attacking probably won't have had a patch for a recent, critical software vulnerability. Even with secure hardware, software can be used to quickly open doors.

The recent example that triggered me to write this piece was the breaking of a well-known set-top box security scheme by a Polish security research team. This was an attack against a set-top box produced by a well-known manufacturer who used silicon respected for its security, and using a respected security scheme.

I believe that these types of attacks will only become more prevalent and that other well-known security schemes will be broken. I wonder how many more brands will be damaged before we, as an industry, put more effort into protecting these systems? Security is an intangible cost, but getting hacked will certainly produce tangible damage to reputations and a resulting loss of sales. Consumers trust is fragile.

So, how do we protect against this threat?

• We need to develop a better attitude to designing trusted systems and not repeat the mistakes of the PC software vendors. Device software needs to be designed with security in mind from the very start.
• If an embedded device is connected to the internet then it needs to be regularly updated!
• Developers of embedded software need to learn how to program securely and avoid common security errors that will make their code vulnerable.
• System developers need to understand how to integrate and configure software components securely. A system built from secure software components is not necessarily secure!

Now, earlier I mentioned that "in most cases security is the same", however there are cases where relative security is not so important and absolute security (making your device as secure as possible) counts. Two examples that I can think of are an "Advanced Persistent Threat" and the situation where the embedded device has unique, valuable content.

For set-top boxes and smart TVs the multimedia content (and in particular the HD movie content) make them very attractive targets for hacking. I think that this, coupled with the lower level of general software security, will make them increasingly more interesting targets for hackers.

We'll see what 2012 brings...