August 20, 2013
An article on eSecurity Planet discusses the risks associated with embedded systems, which it says can expose the owner of smaller devices like printers to larger security risks once an attacker hacks into the device.
Likening the situation to an attacker being “inside the mouse hole looking into your house”, the article highlights the importance of securing all devices on a network, even if at first the security risk seems insignificant.
Embedded devices are particularly prone to security risks due to their simpler software; slow or non-existent release of patches for devices with a niche market; and smaller user base, meaning that there is less chance of end users discovering and reporting attacks. Furthermore, users of such devices, particularly those that operate out of sight, are more likely to “set it and forget it” when deploying the devices.
To investigate the risks facing embedded devices, a security researcher in 2012 set up software to non-maliciously infect over 400,000 devices, creating a “botnet” called Carna that was able to harvest information from infected machines to build a “census” of connected devices, thus demonstrating the vulnerability of such devices when they are internet-facing and left in their default configuration.
In a similar study, another security researcher was able to find over 100,000 open serial ports accessible online, which means that attackers would be able to gain “live, unauthenticated access” to a server once an authorised user has already opened a shell on the device.
In terms of what an attacker could do once they have accessed an embedded device, the article states that as well as being able to interrupt that device’s operations, the attacker can “gain valuable insight into your network” and “may even be able to execute or load their own software into it […] potentially sniffing internet traffic or performing other types of surveillance that give them tools or avenues of attacks against your network”.
The article offers several options for protecting embedded devices: creating an inventory of all devices on a network so that none are forgotten; ensuring that only appropriate devices are able to access the internet (for example, if a network printer is never used from outside the office, block it from external access); using non-default passwords; and keeping up to date with firmware updates.