The evil men (can) do with embedded systems
Embedded IT infrastructure is everywhere and full of holes evil-doers can use for world domination. How SecurityFAIL.com could stem the tide.
By Bill Brenner, Senior Editor
April 27, 2010 — CSO —
Embedded IT infrastructure is everywhere, controlling the flow of water and electricity and maintaining the equilibrium of sewage treatment and nuclear power plants. Forget about car bombs and crude atomic devices. That's the stuff Dr. Evil would use to fail.
To take over the world, the bad guys are better off hijacking all those embedded systems. That's exactly what they're trying to do, and there are plenty of vulnerabilities for them to choose from.
So says Paul Asadoorian, a volunteer at the SANS Institute, founder and CEO of PaulDotCom Enterprises and host of a popular podcast of the same name. He says it's time the security community did something to blunt the threat, and hopes his new SecurityFAIL.com wiki will help move the needle along.
Think of it as something like the data breach list the Privacy Rights Clearinghouse keeps, except the items listed are embedded system flaws instead of who suffered the latest breach. There's not much on the wiki right now, as it's brand new. But Asadoorian expects people to fill it up quickly. From there, the hope is that critical infrastructure providers running the flawed technology will take steps to fix it before the bad guys make an example of them.
He explained the danger he's trying to flag in a presentation he gave at SOURCE Boston last week. "Using embedded systems to gain power is easy," he says. "Lots of information flows through them, information is power and the ability to manipulate information is powerful. Multiple computers can be controlled at once."
When picturing embedded systems, don't limit your thinking to the big critical infrastructure. The damage can begin with your own laptop or the videogame you play religiously.
Asadoorian gives a few examples of how embedded systems are used to make money:
- Video games: Most are involved in commerce and are network-connected.
- Entertainment: Things like Apple TV and Roku all link back to your credit card somehow.
- Wireless routers: Route your traffic when doing online banking, PayPal, eBay, etc.
- Printers/Fax: How many times have you printed sensitive information?
The benefits of attacking embedded systems are myriad, he says: No one pays attention to them until they break, security and logging are often sacrificed to save money, and there's often no interactive user to deal with. "Embedded systems contain vulnerabilities that go unnoticed (because) vendors are focused on profit, which never equals security," he said.
In one chilling part of his presentation, Asadoorian points to how researchers scanning the Internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack. Their administrative interfaces are viewable from anywhere on the Internet and their owners have failed to change the manufacturer's default password.