Embedded Device Security Is Easy to Overlook

Aaron Weiss, Tech Journalist / Humorist | 5/23/2013 | 22 comments

Aaron Weiss
As the Internet increasingly becomes an Internet of Things, individuals and businesses alike are deploying evermore products with built-in network access like Internet-available printers, webcams, and media streaming gadgets.

In the enterprise there are business-class routers, perimeter security devices, and network attached storage. Specialized industrial control systems can manage everything from building climate control to production machinery.

But these embedded devices -- with firmware baked into the hardware -- can easily be overlooked as potential vectors for security exploits. The famous Stuxnet virus, for example, deliberately sabotaged Iranian Uranium enrichment by altering the rotational speed of centrifuges through exploiting specialized control software. Because embedded device are often non-interactive and without displays, they tend to be vulnerable to a "set it and forget it" mentality. As a result, widespread security flaws can go unnoticed long after a product is released.

Maybe these discoveries will raise a few eyebrows:

  • Over 100,000 devices have been identified online with Internet-facing open serial port connections. These often do not require any authentication to pass commands to their host devices, which are typically industrial control equipment.
  • Millions of devices apparently possess a flaw in their UPnP implementation which exposes its command API to the Internet. UPnP is intended to enable device discovery within an intranet, where a trusted relationship is assumed. While some manufacturers have released software updates to patch this vulnerability or have fixed it in new products, the nature of how embedded devices are put into use suggests that many older products will remain in the wild and unpatched possibly for years.
  • Perhaps the boldest demonstration of embedded device insecurity, the 2012 Carna botnet infected over 400,000 Internet-accessible embedded devices that were configured with minimal authentication. Interestingly, the client software executed on infected devices was part of a census research project. The anonymous author used the botnet to create a detailed census of Internet-connected devices including details such as which ports and services they were running and where they were located.

Although the Carna botnet is not believed to have spawned any malicious activity, the fact that a simple C program could be executed on hundreds of thousands of deployed embedded devices should be a major wake-up call. If a hacker can access your embedded device and replace its firmware with their own modified version, that device could be running espionage activity on your network without raising any alarms. The ability to access any device on your organization’s network potentially gives attackers access to information flowing through the network, and potentially bigger targets.

Further hindering detection of compromised embedded devices is that these machines often have limited to no logging capabilities. Without the ability to perform thorough forensics or make use of a logfile-based intrusion detection system (IDS), organizations can easily be misled into thinking their network is secure.

Have you performed a census of all the network-available objects in your network? You’re probably aware of most of your vulnerabilities on the factory floor, but are you sure you got them all? Have you checked your break room? Increasingly, you’re going to find devices in places you never bothered to check before. Be sure to get a firm handle on the problem before the Internet of Things and industrial automation explode and turn a vulnerability into a full-fledged breach.

View Comments: Newest First | Oldest First | Threaded View
Page 1 / 3   >   >>
Susan Nunziata   Embedded Device Security Is Easy to Overlook   5/30/2013 9:33:15 PM
Re: minimizing risk
@Ashish: Yes, good old politics once again.

The technology is surely there to enable us to create standards that would presumably improve the security of embedded device. It's people getting in theor own way once again. 

Let's face it, agreeing standards has always been a challenge. The world could not even settle on a single standard for TV (PAL vs. NTSC in the early days), VHS (remember BetaMax). Even in the US alone we didn't have a single standard for cell carriers, which added who knows how many millions of dollars to that infrastructure buildout. Let's not even talk about WiMAX.

It's a miracle there were standards vinyl LPs and CDs -- we still can't even agree on a single codec for digital music.

And those are all low-stakes compared with the power to do harm with the embedded devices that Andrew is talking about in his blog. 

 
eethtworkz   Embedded Device Security Is Easy to Overlook   5/30/2013 10:02:40 AM
Re: minimizing risk
Susan,

That's the whole problem is'nt it?

On the one side we have the Enthusiasts and Private Companies who built the Internet part by Part(working of DARPA's Initial Invention) and on the other side we have Governments which want to Control and Regulate every single thing.

Thing is that Innovation and regulation don't go together(for obvious reasons) but the Twain has to meet somewhere if we are to have a better Tommorow for all Users concerned.

But Do Governments trust each other enough here for Common/Open Standards to be enforcable Globally?

I don't think so.

Look at Telecom Networks for instance-Nobody trusts Chinese Equipment Suppliers (rightly or wrongly) and the Chinese wanna do everything their own way-Why not just go with GSM/CDMA???

As you said it rightly-Its one big Hodgepodge!

 

Regards

Ashish.

 
Susan Nunziata   Embedded Device Security Is Easy to Overlook   5/30/2013 12:56:15 AM
Re: minimizing risk
@Ashish: Thank you for the excellent guidance here. Interesting thought to compare back to Fortran. Are we even close to having that level of informal standardization when it comes to the Internet of Things?

My understanding of the state of affairs when it comes to the Internet of Things right now is that it is quite the hodgepodge and lacking standards and best practics.

 
Damian Romano   Embedded Device Security Is Easy to Overlook   5/28/2013 11:53:07 PM
IDS
Further hindering detection of compromised embedded devices is that these machines often have limited to no logging capabilities. Without the ability to perform thorough forensics or make use of a logfile-based intrusion detection system (IDS), organizations can easily be misled into thinking their network is secure.


Without divulging too much detailed information that could get me in trouble, from the organizations I've assessed in this manner I'm terribly surprised at how many do not have an IDS that offers logging capabilities. Or an IDS altogether, for that matter. 
ProgMan   Embedded Device Security Is Easy to Overlook   5/28/2013 11:27:04 AM
Very apropos now considering
every other day we are reading about US defense systems getting hacked into by other countires.  If we are having trouble protecting devices like that, I would think any other type of non critical device is probably fair game.
SaneIT   Embedded Device Security Is Easy to Overlook   5/28/2013 7:39:13 AM
Re: Embedded OS security
Well if they wait much longer they're going to be running unpatched OSes on some equipment doing very sensitive transactions.  Doesn't sound like a great plan to me.
SaneIT   Embedded Device Security Is Easy to Overlook   5/28/2013 7:28:50 AM
Re: Embedded OS security
I really haven't heard much about Win 7 embedded much.  I know it exists but i never heard about a big push to move from XP embedded to 7 embedded.  I think it would be interesting to hear how some of these systems are being addressed with XPs support coming to an end and the security patches drying up.
Hospice_Houngbo   Embedded Device Security Is Easy to Overlook   5/27/2013 2:36:08 AM
Re: Embedded OS security
@nasimson,

"Maybe the people are too lethargic to try something new."

You are right, lethargy and buraucracy can be one the reasons such important issues dealt with efficiently. Also, as you said, people take time to learn new things.
Hospice_Houngbo   Embedded Device Security Is Easy to Overlook   5/27/2013 2:30:50 AM
Re: Embedded OS security
@singlemud,

It also depends on the degree of understanding on those who make the policie and the laws. As most of them don't come from a technology backround, they often need time to get accustomed to the subject matter.
singlemud   Embedded Device Security Is Easy to Overlook   5/26/2013 10:51:55 PM
Re: Embedded OS security
It all depends on policy or law, if there is no law and effective enforcement, these kinds of security problem will exist forever.
Page 1 / 3   >   >>


The blogs and comments posted on EnterpriseEfficiency.com do not reflect the views of TechWeb, EnterpriseEfficiency.com, or its sponsors. EnterpriseEfficiency.com, TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.

More Blogs from Aaron Weiss
Aaron Weiss   10/22/2013   46 comments
Obligatory old-person declaration: In my day, we were lucky to get a free pencil at school on standardized test day. At lunch, we lined up for bacon and mayonnaise sandwiches. Times were ...
Aaron Weiss   8/22/2013   65 comments
If Facebook were a character in a raunchy fraternity movie, you could picture it standing on the bar goading all the partygoers. A little bit tipsy and overconfident, Facebook shouts at ...
Aaron Weiss   7/18/2013   17 comments
Thanks to the success of the philosophy and deployment of open-source software, developers and businesses continue to create and embrace software with underlying code that is available for ...
Aaron Weiss   7/15/2013   18 comments
Reading official government reports is usually a helpful sleep aid. But last month, an audit performed by the US Department of Commerce on a malware incident response at the Economic ...
Aaron Weiss   7/12/2013   60 comments
You can hardly go a week without reading about huge dollars being thrown at a hot tech firm. To pick just one piece of low-hanging fruit, how about the $60 million recently bequeathed upon ...
E2 IT Migration Zones
IT Migration Zone - UK
Why PowerShell Is Important
Reduce the Windows 8 Footprint for VDI
Rethinking Storage Management
IT Migration Zone - FR
SQL Server : 240 To de mémoire flash pour votre data warehouse
Quand Office vient booster les revenus Cloud et Android de Microsoft
Windows Phone : Nokia veut davantage d'applications (et les utilisateurs aussi)
IT Migration Zone - DE
Cloud Computing: Warum Unternehmen trotz NSA auf die „private“ Wolke setzen sollten
Cloud Computing bleibt Wachstumsmarkt – Windows Azure ist Vorreiter
Like Us on Facebook
Twitter Feed
Enterprise Efficiency Twitter Feed
Site Moderators Wanted
Enterprise Efficiency is looking for engaged readers to moderate the message boards on this site. Engage in high-IQ conversations with IT industry leaders; earn kudos and perks. Interested? E-mail:
moderators@enterpriseefficiency.com
SPONSORED BY DELL
A Video Case Study – Translational Genomics Research Institute
e2 OEM Video


On the Case
TGen IT: Where We're Going Next

7|11|12   |   08:12   |   10 comments


Now that TGen has broken new ground in genomic research by using Dell's storage, cloud, and high-performance computing solutions, the company discusses what will come next for it and for personalized medicine.
On the Case
Better Care Through Better Communications

6|6|12   |   02:24   |   11 comments


The achievements of the TGen/Dell project could improve how all people receive healthcare, because they are creating ways to improve end-to-end communication of medical data.
On the Case
TGen IT: Where We Are Now

5|15|12   |   06:58   |   6 comments


TGen is breaking new ground in genomic research by using Dell's storage, cloud, and high-performance computing solutions.
On the Case
TGen IT: Where We Were

4|27|12   |   06:45   |   10 comments


The Translational Genomics Research Institute wanted to save lives, but its efforts were hobbled by immense computing challenges related to collecting, processing, sharing, and storing enormous amounts of data.
On the Case
1,200% Faster

4|18|12   |   02:27   |   12 comments


Through their partnership, Dell and TGen have increased the speed of TGen’s medical research by 1,200 percent.
On the Case
IT May Improve Children's Chances of Survival

4|17|12   |   02:12   |   8 comments


IT is helping medical researchers reach breakthroughs in a way and pace never seen before.
On the Case
Medical Advances in the Cloud

4|10|12   |   1:25   |   5 comments


TGen and Dell are pushing the boundaries of computing, and harnessing the power of the cloud to improve healthcare.
On the Case
TGen: Living the Mission

4|9|12   |   2:25   |   3 comments


TGen's CIO puts the organizational mission at the heart of everything the IT staff does.
On the Case
TGen Speeding Up Biomedical Research to Save More Lives

4|5|12   |   1:59   |   6 comments


The Translational Genomics Research Institute is revamping its computing to improve speed, storage, and collaboration – and, most importantly, to save lives.
On the Case
Computing Power Helping to Save Children's Lives

3|28|12   |   2:13   |   3 comments


The Translational Genomics Institute’s partnership with Dell is enabling them to treat kids with neuroblastoma more quickly and save more lives.
Curtis Franklin Jr.
OEMs Change Roles

1|18|13   |   1:55   |   3 comments


OEMs can change markets – here's why IT should have a say in the decision.
Tom Nolle
The Enterprise Side of Amazon Fire

9|29|11   |   2:04   |   6 comments


Amazon Fire’s split-browser model hosts some of the GUI in the cloud, which could have a major impact on virtual desktop thinking.
Curtis Franklin Jr.
The OEM Relationship

9|13|11   |   02:02   |   1 comment


The growth of OEM relationships means that enterprise IT execs must pay closer attention to who's responsible for support and development.
Pablo Valerio
Can't Land on the Runway Behind You

8|15|11   |   1:36   |   1 comment


One lesson from aviation also applies to big IT projects: Give yourself plenty of leeway and have room to maneuver.
Ivan Schneider
Flecksequence Explained

7|28|11   |   2:46   |   3 comments


How to use the term in a sentence and, more importantly, how flecksequence can help manufacturers.
Sara Peters
E2 Has a New Look!

7|20|11   |   2:53   |   6 comments


E2's gotten a makeover. Take a tour through some of our new features.