Embedded market ripe for picking, 2005-09-09
Perhaps an embedded version of Windows in every device isn't such a bad thing after all.
In August, security researcher Mike Lynn disclosed that the Cisco IOS, the operating system that runs the routers and switches, was as vulnerable to reliable code execution as any other operating system. Talk about angering a giant -- the reaction to this discovery and disclosure has been widely reported and discussed, particularly on the legal side, and therefore I'm not going to dive into this any further.
Built-in concern
The concern to me is that embedded devices, whether they are multi-media units, car control units, networking appliances, or refrigerators, are all being connected to networks and people are beginning to look for ways to take advantage of these devices. Do I really want my refrigerator participating in a denial of service attack on the Heinz factory? What happens when a vulnerability is found in the fridge operating system: is there an automated way for it to download a patch? Should your fridge be firewalled, or need an IDS for someone raiding the salami in the middle of the night?
Cisco has been making networking equipment for years; I would hope that they would be aware of the risks that a network can pose to their devices. The truth is, even they still don't always get it. Some have argued that the very response from Cisco really shows that they don't get it. They are okay with admitting vulnerabilities (which these days is pretty much expected) but they have never believed that attacker-supplied code can be run on their operating system.
If Cisco isn't willing to admit to themselves the truth, what about Ford? Do the engineers really understand what can happen with a Bluetooth installation in their cars that is not properly secured? For better or worse, everything is becoming networked. Right now it's luxury goods, but invariably these features will filter down to the rest of us common folk. As that happens, the cost will go down and the pressure to put more features inside for less money will continue to rise. As companies cut corners, vulnerabilities are left open. But what is scary to me is that often no plans may be in place for fixing these things proactively. Once your fridge starts DoS'ing Heinz, should you have to get a repairman out to "update" the software? Imagine how busy the appliance repair guy will be if today's computers with antivirus and autoupdate are an indication. Embedded devices are supposed to just work.
Networking with embedded devices
I want all manufacturers to make the following pledge before putting a WLAN, Bluetooth or hardlined network connection into their device. Put your hand up and say the following, along with me:
1. I will not develop my own operating system. BSD, QNX or embedded Windows is good enough for me.
2. I will realize that these operating systems do contain vulnerabilities, as will my own code.
3. I will make a plan to update and deal with these problems in a way that does NOT involve a repairman coming with a USB drive.
And, for extra points and an official badge of honor:
4. I will find a way to update my embedded system silently and flawlessly so no-one has to interact with it at all.
Vulnerabilities happen to every company; what sets companies apart is the way they respond. Cisco showed what I think is tremendous arrogance, and then fear, when confronted by the fact that they were no better off than anyone else.
