Digg this story   Add to del.icio.us  
Embedded market ripe for picking
Daniel Hanson, 2005-09-09

Perhaps an embedded version of windows in every device isn't such a bad thing after all.

For anyone who has been living in a cave through the summer, or perhaps at a cottage with no Internet connection, Cisco devices were proven to be vulnerable to reliable remote code execution and gaining shell access (improving on some previous techniques). This may seem like small potatoes to those of us who have watched for years as operating system after operating system has been torn open by vulnerabilities and worms, but in the networking world, Cisco has always been regarded as pretty safe if you could keep an attacker from gaining administrative access via a bad password, faulty authentication module or secondary application. In short, a router worm would have a difficult time spreading.

In August, security researcher Mike Lynn disclosed that the Cisco IOS, the operating system that runs the routers and switches, was as vulnerable to reliable code execution as any other operating system. Talk about angering a giant -- the reaction to this discovery and disclosure has been widely reported and discussed, particularly on the legal side, and therefore I'm not going to dive into this any further.

Built-in concern

The concern to me is that embedded devices, whether they are multi-media units, car control units, networking appliances, or refrigerators, are all being connected to networks and people are beginning to look for ways to take advantage of these devices. Do I really want my refirgerator participating in a denial of service attack on the Heinz factory? What happens when a vulnerability is found in the fridge operating system, is there a automated way for it to download a patch? Should your fridge be firewalled, or need an IDS for someone raiding the salami in the middle of the night?

Cisco has been making networking equipment for years, I would hope that they would be aware of the risks that a network can pose to their devices. The truth is, even they still don't always get it. Some have argued that the very reponse from Cisco really shows that they don't get it. They are okay with admitting vulnerabilities (which these days is pretty much expected) but they have never believed that attacker supplied code can be run on their operating system.

If Cisco isn't willing to admit to themselves the truth, what about Ford? Do the engineers really understand what can happen with a bluetooth installation in their cars that is not properly secured? For better or worse, everything is becoming networked. Right now it's luxury goods, but invariably these features will filter down to the rest of us common folk. As that happens, the cost will go down and the pressure to put more features inside for less money will continue to rise. As companies cut corners, vulnerabilities are left open. But what is scary to me is that often no plans may be in place for fixing these things proactively. Once you fridge starts DoS'ing Heinz, should you have to get a repairman out to "update" the software? Imagine how busy the appliance repair guy will be if today's computers with antivirus and autoupdate are an indication. Embedded devices are supposed to just work.

Networking with embedded devices

I want all manufactures to make the following pledge before putting a WLAN, Bluetooth or hardlined network connection into their device. Put your hand up and say the following, along with me:

1. I will not develop my own operating system. BSD, QNX or embedded Windows is good enough for me.
2. I will realize that these operating systems do contain vulnerabilities, as will my own code.
3. I will make a plan to update and deal with these problems in a way that does NOT involve a repairman coming with a USB drive.

And, for extra points and an offical badge of honor:

4. I will find a way to update my embedded system silently and flawlessly so no-one has to interact with it at all.

Vulnerabilties happen to every company, what sets companies apart is the way they respond. Cisco showed what I think is tremendous arrogance, and then fear, when confronted by the fact that they were no better off than anyone else.

Daniel Hanson manages the Focus Incidents area of SecurityFocus as well as the Incidents mailing list.
    Digg this story   Add to del.icio.us  
Comments Mode:
Embedded market ripe for picking 2005-09-09
Embedded market ripe for picking 2005-09-09
Embedded market ripe for picking 2005-09-11
Paul Kosinski (1 replies)
Embedded market ripe for picking 2005-09-11
Embedded market ripe for picking 2005-09-12
Alexey Vesnin
Embedded market ripe for picking 2005-09-23
Embedded market ripe for picking 2006-03-29


Privacy Statement
Copyright 2010, SecurityFocus