Mobile menu
PCB Design
Resources PCB Design Internet of Things Security Vulnerabilities: It's All About That Buffer Overflow

Internet of Things Security Vulnerabilities: It's All About That Buffer Overflow

Created: December 15, 2017
Updated: September 25, 2020

A fist punching a palm with orange sparks flying

I follow a bunch of animal and nature publications, and recently the phrase ‘zombie ants,’ kept popping up in my feed. I decided to do a little digging and discovered that there’s a type of fungi - Ophiocordyceps - whose life cycle involves infecting ants that walk across its spores with fungal cells that infiltrate the ant’s central nervous system and essentially take over the ant. Once they have the ant "under its control", the fungus-infected ant climbs a plant stalk, clamps down on a leaf, and turns into more of the fungus from the ant’s body to then spread more of its spores. This overflows the region with more potential fungus and zombie-ants.

This may seem a bit gratuitous, but it's a lot like the way hacker groups steal their information from large companies and even governments. They attack websites and services using botnets made up of thousands of Internet of Things devices. These gadgets have been turned into “zombies” that do their master’s bidding through malicious software (malware). Defending our networks and products from becoming part of these armies is a daunting task as software exploits can come in all shapes and sizes. Luckily for us, though, there is one vulnerability that is often used which we can protect against: buffer overflow vulnerabilities. This error allows hackers to inject their code into our PCB’s memory and then execute it. Careful programming can reduce the risk posed by buffer overflow, and following IoT security best practices can limit attackers ability to attempt buffer overflow.

What is Buffer Overflow

Buffer overflow was first widely acknowledged during the “Code Red” attacks in 2001. These assaults used buffer overflow vulnerabilities in Windows to take control of computers, one version infecting hundreds of thousands of machines in a matter of hours. Once infected those computers were then used to launch a distributed denial-of-service (DDoS) attack on the White House. Since that time, buffer overflow has become one of the methods of choice for hacker groups seeking to infect devices. In order to defend against this vulnerability, it’s important to understand how it works and why it poses a particular threat to the IoT.

This kind of error occurs when a program tries to write a value that is too large into a buffer. A buffer is simply a piece of memory allocated for certain values. When the program attempts to fill it with more data than it can hold, the buffer “overflows” into other sections of memory. This usually results in a system crash but can also open the door for hackers to gain access to the system. Hackers can use buffer overflow vulnerabilities to do two things: inject their code into a system, and run the injected code. The first can be quite complicated and is system dependent. The second, however, is quite easy to understand. If malware has been inserted into memory and the hacker knows where it is, they can simply overflow the buffer next to it with a connected device in order to run that program. It's like putting an embedded device that steals wallets into a room no one every goes in, then inviting over a ton of people. People "overflow" into the extra room, and wallets go missing.

The Weak Links Targeted by Buffer Overflow

Buffer overflow poses a particular risk to an IoT device because of their limited memory, the languages they’re programmed in, and the commonality of programs.

  • Memory: An IoT device usually needs to conserve power, which leads to small amounts of energy efficient memory. The smaller the buffer, the easier it is to overflow. This removal of an innate  IoT security "buffer" makes the IoT the perfect arena for these kinds of attacks.
  • Language: Most programs for the IoT are written in C or C++. Neither C nor C++ has a “garbage collector” for extra memory needs, which increases the risk of buffer overflow vulnerabilities. Also, these languages use pointers, which can be used by hackers to determine the location of critical code in memory.
  • Commonality: The convenience of buying ready-made, inexpensive, programs for our IoT devices can be too tempting to pass up. When you use the same code as everyone else, though, you run the risk of having common vulnerabilities. One such exploit, known as Devil’s Ivy, was found in software used by thousands of IoT devices and just recently revealed. Many machines only escape infection through obscurity. If your product can be infected along with thousands of others because of common code, it’s much more likely to be targeted.
A computer error shutdown screen
A buffer overflow can be used to gain access to or crash your device.

Bar Your (Programming) Windows, Patch Your (Security Gateway) Walls

Now that we know the dangers that buffer overflow poses to a typical IoT device, how do we defend against it? There are several ways to mitigate this risk. If you’re writing your software yourself, careful internal programming can keep your device safe:

  • Check Input Sizes - If you know how large an input should be, check to make sure it is that size. Buffer overflow vulnerabilities occur because a value that is too large is written to memory. If you can detect the size before passing it to memory, you can reject values that are too large and will cause overflow. This may not be applicable to all systems, for example where incoming sensor data may be an unknown size.
  • Make Memory Non-Executable - As stated previously hackers will often hide malware in memory and then use a buffer overflow to execute it. If the part they inject source code into is non-executable, it could keep them from activating their program. Due to the diversity of buffer overflow attacks, this can stop some intrusions, but not all.
  • Use ASLR (Address Space Layout Randomization) - As the G.I. Joes always said, knowing is half the battle. If a hacker knows where critical code is stored, they may be able to overwrite or delete it. ASLR randomizes memory locations, making it much more difficult for attackers to find their targets.

Even if you use someone else’s programs you can insist on a few best practices or enable them yourself that will defend your system. Some of these may soon be mandated by the US government:

  • Enable Patching - If you find out that your software is vulnerable, you’ll need to be able to patch it. If you’re not able to, your gizmo could become a “zombie” in a botnet for the rest of its existence.
  • Gateways - If you’re designing a peripheral or sensor for a large network, consider designing for interoperability with an IoT security gateway. These can reduce the likelihood that a hacker will assault your device directly, and will instead have to deal with a portal that is designed for security.
  • Authentication - Many buffer flow attacks are attempted using “Man in the Middle” (MITM) schemes. Authentication will ensure that your system only receives inputs from trusted devices, not malicious code or pretenders.
Green numbers on a black screen with overload in a large font
You can defend your system with careful code and best practices.

The IoT can benefit mankind greatly, but also presents a huge new attack surface for hackers. Buffer overflow assaults have been used extensively in the past, and are perfectly positioned to affect the IoT. Fortunately, we can either write source code that protects against this vulnerability, or incorporate a few best practices into our design to mitigate this risk.

Cybersecurity is a daunting issue, and one that will likely take up more of our time than we’d like in the future. With this issue looming, there’s no time to waste on inefficient design. That’s why you should use the best PCB software available. Altium Designer® comes with a range of tools, and even optional add ons, that can speed up your design process.

Have more questions about IoT cybersecurity? Call an expert at Altium Designer.

Altium Designer - PCB Design Software Altium 365 - PCB Design Platform Enterprise PCB Design Solutions FREE Trials

Related Resources

What is Lenz's Law What is Lenz's Law and How Does it Affect PCB Design? Lenz's law is one of the fundamental physical laws that describes the multitude of relationships between electricity and magnetism. Together with Ampere's law, Gauss law, Faraday's law, Coulomb's law, and the Lorentz force law, we have everything we need to understand the classical behavior of the electromagnetic field. Among these laws, Lenz's law and Faraday's law work together to describe how the magnetic field in your PCB is related to the Read Article
What is a balun What is a Balun in RF PCB and Do You Need One? Are you wondering what a balun is? Find out more and see where one fits into your RF PCB layout. Read Article
pcb testing PCB Testing 101: Important Methods and Metrics PCB testing must occur during fabrication, assembly, and board bring-up. Here’s how you can plan to be successful during testing and inspection. Read Article
Continuous conduction mode Continuous Conduction Mode in an SMPS: What is it and Why it Matters Learn more about continuous conduction mode and how to design to this condition in your power supply. The best design and simulation tools can help you verify continuous conduction mode is reached. Read Article
Everything You Need to Know About Oscillators What Is An Oscillator? Everything You Need to Know What is an oscillator? Mark Harris gives an in depth overview of the major categories of Oscillators. He explains the different types with their functions and drawbacks. Read more here. Read Article
Solder Bridge Jumper Best Practices in PCB Design What Is a Solder Bridge? Best Practices in PCB Design A PCB variant is often simply thought of as a new layout created from an old design. However, if you’re creative with your routing and layout, you can use a solder bridge jumper to configure portions of a single PCB layout for multiple variants. This lets you quickly create variants of a PCB layout without rerouting traces or changing your schematics. If you plan to use jumpers in your PCB layout, there are some important guidelines to follow to Read Article
ESD protection and PCB design What is ESD and How Does it Affect My PCB Design? We've compiled a complete guide to ESD protection for PCBs and your electronics. Implement these guidelines for enclosure-level ESD protection and to prevent ESD on important digital interfaces. Read Article
What is PCB Design? What is a PCB and Intro to PCB Design Printed circuit board (PCB) design has grown into its own specialized field within the electronics industry. PCBs play an important role in that they provide electrical interconnections between electronic components, rigid support to hold components, and a compact package that can be integrated into an end product. They are the main component in an electronic device that is responsible for form and function, and they allow advanced semiconductors Read Article
1:19 What is Concurrent Engineering? Watch Video
1:39 What is MLH's Student Demographic? Watch Video

Related Technical Documentation

Measuring Distances on a PCB Document in Altium Designer Measuring Distances on a PCB Document in Altium Designer

Explore Altium Designer 24 technical documentation for Measuring Distances on a PCB and related features.

 Read Documentation
Working with Grids & Guides for Your PCB in Altium Designer Working with Grids & Guides for Your PCB in Altium Designer

Explore Altium Designer 24 technical documentation for Working with Grids & Guides and related features.

 Read Documentation
Interactively Multi-Routing Your PCB in Altium Designer Interactively Multi-Routing Your PCB in Altium Designer

Explore Altium Designer 24 technical documentation for Interactive Multi-Routing and related features.

 Read Documentation
Quick Routing Tools in Altium Designer Quick Routing Tools in Altium Designer

Explore Altium Designer 24 technical documentation for Quick Routing Tools and related features.

 Read Documentation
Modifying Existing Routes on Your PCB in Altium Designer Modifying Existing Routes on Your PCB in Altium Designer

Explore Altium Designer 24 technical documentation for Modifying Existing Routes and related features.

 Read Documentation
Updating Footprints from Libraries in Altium Designer Updating Footprints from Libraries in Altium Designer

Explore Altium Designer 24 technical documentation for Updating Footprints from Libraries and related features.

 Read Documentation
Altium Designer Improvements in Beta Altium Designer Improvements in Beta

This page presents key features and enhancements that will become available in the next update to Altium Designer, but which are currently still in beta. Also included are features that are in Closed Beta - strictly only available to the beta user group

 Read Documentation
Performing Design Updates to Your Captured Multi-board System in Altium Designer Performing Design Updates to Your Captured Multi-board System in Altium Designer

Explore Altium Designer 24 technical documentation for System Design Updates and related features.

 Read Documentation
Working with Connections on a Multi-board Schematic in Altium Designer Working with Connections on a Multi-board Schematic in Altium Designer

Explore Altium Designer 24 technical documentation for Working with Connections and related features.

 Read Documentation
Object & Layer Transparency in Your PCB in Altium Designer Object & Layer Transparency in Your PCB in Altium Designer

Explore Altium Designer 24 technical documentation for Object & Layer Transparency and related features.

 Read Documentation
Back to Home

Table of Contents

Altium Designer Logo

Take advantage of the world's
most trusted PCB design system.

One interface. One data
model. Endless possibilities.

Effortlessly collaborate with
mechanical designers.

The world's most trusted
PCB design platform

Best in class interactive
routing

View License Options
Try Altium Designer
Which best describes you?
Step 1 of 2
Try Altium Designer
Which best describes you?
I’m a Professional
I’m a Student University Email Required
I’m a Startup
Thank you, you are now subscribed to updates.