by Senior Editor

The evil men (can) do with embedded systems

News
Apr 27, 2010 | 4 mins
Application Security, Cloud Security, Critical Infrastructure

Embedded IT infrastructure is everywhere and full of holes evil-doers can use for world domination. How SecurityFAIL.com could stem the tide.

Embedded IT infrastructure is everywhere, controlling the flow of water and electricity and maintaining the equilibrium of sewage treatment and nuclear power plants. Forget about car bombs and crude atomic devices. That’s the stuff Dr. Evil would use to fail.

To take over the world, the bad guys are better off hijacking all those embedded systems. That’s exactly what they’re trying to do, and there are plenty of vulnerabilities for them to choose from.

So says Paul Asadoorian, a volunteer at the SANS Institute, founder and CEO of PaulDotCom Enterprises and host of a popular podcast of the same name. He says it’s time the security community did something to blunt the threat, and hopes his new SecurityFAIL.com wiki will help move the needle along.

Think of it as something like the data breach list the Privacy Rights Clearinghouse keeps, except the items listed are embedded system flaws instead of who suffered the latest breach. There’s not much on the wiki right now, as it’s brand new. But Asadoorian expects people to fill it up quickly. From there, the hope is that critical infrastructure providers running the flawed technology will take steps to fix it before the bad guys make an example of them.

He explained the danger he’s trying to flag in a presentation he gave at SOURCE Boston last week. “Using embedded systems to gain power is easy,” he says. “Lots of information flows through them, information is power and the ability to manipulate information is powerful. Multiple computers can be controlled at once.”

When picturing embedded systems, don’t limit your thinking to the big critical infrastructure. The damage can begin with your own laptop or the videogame you play religiously.

Asadoorian gives a few examples of how embedded systems are used to make money:

  • Video games: Most are involved in commerce and network connected.
  • Entertainment: Things like Apple TV and Roku all link back to your credit card somehow.
  • Wireless routers: Route your traffic when doing online banking, PayPal, eBay, etc.
  • Printers/Fax: How many times have you printed sensitive information?

The benefits of attacking embedded systems are myriad, he says: No one pays attention to them until they break, security and logging are often sacrificed to save money, and there’s often no interactive user to deal with. “Embedded systems contain vulnerabilities that go unnoticed (because) vendors are focused on profit, which never equals security,” he said.

In one chilling part of his presentation, Asadoorian points to how researchers scanning the Internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack. Their administrative interfaces are viewable from anywhere on the Internet and their owners have failed to change the manufacturer’s default password.

So if Dr. Evil smartened up and decided to go after this target-rich environment, what might he do? Asadoorian offered up the following examples:

  • Using Google to find the most popular ISPs that provide cable modem routers to users
  • Using ARIN to discover the IP address ranges assigned to ISPs
  • Using Nmap to discover all devices that have port 80 open and identify the service
  • Manually poke through results and find “interesting stuff”

Enter SecurityFAIL.com, which the security community can use to put pressure on embedded system providers to close their security flaws. It’s a public wiki where people can write mini-articles on security failures. The first section is dedicated to embedded systems, and participants can offer up personal anecdotes on how embedded security has failed them.

Participants will have to sign up for an account, and Asadoorian says registration will be active in a few weeks. Meantime, those interested in getting started can e-mail him a request or send him their stories anonymously, which he will post.