Abstract: We are surrounded by Embedded Systems with which we interact continuously and unconsciously, enabling them to collect, manage, and transmit our private and sensitive information to third parties. Who controls information controls people, and ensuring the security of Embedded Systems is a matter of our freedom.
Keywords: Embedded Systems, Firmware, Software Application, Security, Privacy, GDPR.
What is an Embedded System
An Embedded System is a computer system designed for a dedicated function, as opposed to a general-purpose computer system (e.g., desktop or server computer), which is designed for multiple functions. An Embedded System, like a general-purpose computer system, has a computer processor, memory, storage, operating system, and input/output peripheral devices. An Embedded System is designed to optimize performance in terms of small form factor, low power consumption, and high throughput, while at the same time providing the specific functionality required.
Examples of Embedded Systems
Embedded Systems are all over our lives: in critical infrastructure (telecommunications, smart grids, water networks, air traffic control, space control, military, etc.), home appliances (TVs, phones, refrigerators, printers, sales machines, etc.), medical devices, cars, credit cards, and so on. The following table lists some examples of Embedded Systems used in our daily life.
Embedded Systems manage the collection, elaboration, manipulation, and transmission of information. One example of an Embedded System is TLC devices (antennas, access points, routers, switches, etc.). They collect the signal from our cellular phone, transform and elaborate the radio frequency signal into the wired network electrical signal, and transmit voice and data (information) from the source to the receiver. Another example of an Embedded System is the Smart TV. Through its integrated microphone and cameras, it can collect sounds and images and transmit this information to a provider in order to deliver a service to us (e.g., upgrade the TV software, install a new application like Netflix or any other application, allow us to talk over Skype).
Embedded Systems and the amount of information they manage are growing dramatically, and today they are the major components and actors of what is called the Internet of Things, Big Data, and Industry 4.0.
Security of Embedded Systems
Embedded Systems collect, manipulate, manage, and transmit huge amounts of our information to third parties (vendors, government entities, marketing entities, etc.), everywhere and at any level (from critical infrastructures to home appliances). With the advent and widespread use of Embedded Systems, information is no longer confined to isolated environments where physical separation and controlled access can provide sufficient protection. Embedded Systems containing valuable information can be distributed across a wide area, such as buildings, factories, or industrial plants, which can be literally spread throughout the world.
Unfortunately, ensuring the security of information managed by Embedded Systems is not easy, is an open question, and could prove to be a longer-term problem more difficult than security for desktop and enterprise computing today. Security issues are nothing new for Embedded Systems. However, as more Embedded Systems are connected to the Internet, the potential damage from such vulnerabilities is increasing dramatically. Internet links expose Embedded Systems to intrusion and malicious attacks. Unfortunately, security strategies designed for business and desktop computing cannot meet the requirements of Embedded Systems.
The main reasons for this lack of security for Embedded Systems are on the manufacturer's side. Manufacturers have limited hardware and software options, cut investments in security research to reduce production costs in order to be competitive on the market (security is expensive), and resist sharing intellectual property (i.e., software) with independent third-party security analysts. Ensuring advanced security techniques for Embedded Systems means higher costs for them, while customers are often looking for cheaper products and are neither aware of nor concerned about the likely security threats to the products they purchase. The lack of security analysis and the low-cost market mentality of the manufacturing companies are giving hackers exactly the environment they hope for.
The known attacks and hacks against Embedded Systems reflect only a fraction of the entire threat landscape, given the specific interests of the researchers, the costs incurred in security tests, and the non-disclosure agreements imposed by the vendors or owners of assets.
The major targets of attacks on Embedded Systems are hardware, firmware/OS, communication stack, and embedded applications.
The causes of Embedded Systems vulnerabilities include programming errors, infrequent updates of firmware and OS with security patches, weak access and authentication control, improper use of cryptography, and weak or absent secure configuration (hardening).
The main effects of attacks on Embedded Systems include denial of service, information leakage, financial loss, code execution, integrity violation, illegitimate access, and degradation of the level of protection.
Who controls information can also control people
There is one more sneaky and extremely dangerous reason why Embedded Systems may not be secure: the deliberate intent of manufacturers or service providers to illegally collect and manipulate our private and sensitive information.
“Knowledge is power. Information is power. The secreting or hoarding of knowledge or information may be an act of tyranny camouflaged as humility.” (Robin Morgan).
“The control of information is something the elite always does, particularly in a despotic form of government. Information, knowledge, is power. If you can control information, you can control people.” (Tom Clancy).
These famous words perfectly anticipated what we have observed and continue to observe every day. The Facebook – Cambridge Analytica scandal, the Russian interference in the 2016 US election, the US-China struggle for the new generation of telecommunications networks (named 5G), and fake news are just the tip of the iceberg of the worldwide disputes to dominate and manage information. These words also constitute the essence and meaning of Information Security, Cyber Security, and the National Privacy Acts. If we do not want power to be polarized or concentrated, and we do not want to be unnecessarily controlled, then we need our personal information to be protected wherever it resides or passes through, as in Embedded Systems.
Embedded Systems are all part of our lives (from critical infrastructure to home appliances) and securing them is also a must in order to preserve our freedom. National governments and regulators should ensure that manufacturers producing Embedded Systems and service providers using Embedded Systems take all necessary measures to protect the information collected and managed by Embedded Systems. The European Community is moving (slowly) in this direction, but many other countries producing Embedded Systems that we continue to use are still very far away.
MEASEC for Embedded Systems security
MEASEC (www.measec.com) is a division of Zeroclock specialized in the security of Embedded Systems and Software Applications. We support government entities, manufacturers, and service providers (e.g. Telecom Operators, Utilities, Banks, etc.) to ensure Embedded Systems and Software Application security by providing them with specific and unique consulting services, professional services, and tools.
MEASEC is the exclusive distributor for the Middle East and Africa of Security Reviewer (www.securityreviewer.net), a unique suite of tools capable of detecting vulnerabilities in Embedded Systems through sophisticated static, dynamic, and software composition analysis.