Embedded Operating Systems – Chapter 9

What is an Embedded Operating System? It is a special-purpose computer system, which is completely encapsulated by the device it controls. An embedded system has specific requirements and performs pre-defined tasks, unlike a general-purpose personal computer. One type of specialized embedded OS is a real-time operating system. (RTOS) This is typically used in devices such as appliance controls, programmable thermostats, and even in pacemakers.

There are a plethora of other proprietary embedded operating systems such as VxWorks developed by Wind River Systems, Windows from Microsoft, and QNX form QNX. The *NIX embedded operating system is an example of a monolithic OS used in a multitude of industrial, medical, and consumer items.

Today hackers want more than notoriety; they are looking for monetary gain. They are looking for ways to exploit embedded operating systems for personal profit. For reasons of efficiency and economy connecting embedded systems to a network has its advantages. However a security tester will need to address:

• What peripheral component interconnects devices is present?
• Where were they manufactured? Is this supply chain trustworthy?
• Which embedded OS is currently loaded on device?
• Can you make sure the embedded OS hasn’t been corrupted or subverted with malicious code?
• Which devices have embedded OSs stored in rewriteable memory?

 Supervisory Control and Data Acquisitions systems (SCADA) are used for equipment monitoring in large industries, such as public works and utilities, power generators and dams, transportation systems, manufacturing and anywhere automation is critical. The protection of SCADA systems are a life or death proposition. So for this reason SCADA systems are usually separated from the internet by an air gap. This measure helps minimize the potential vulnerabilities.

In an effort to fight off attacks a security professional should be aware of all embedded systems, upgrade or replace embedded systems that can’t be fixed or pose an unacceptable risk, be on top of all patching, and follow the least privileges principle and restrict access to thwart off attackers.