Embedded gaps in enterprise protection
February 9, 2008
Posted by on
Much publicity has been emerging recently on the Internet surrounding the hacking and abuse of embedded systems for home users and enterprises alike*. The use of hardware with embedded systems is an easy one to overlook for the busy administrator. Not many people think that their ADSL router, printer, security camera or video conference system needs to be protected from abuse. These systems are sometimes just as much a computer as anything else on your network, and it only takes one mistake to open you up to serious problems.
From a home user perspective the main concern is obviously the ADSL/cable router. Chances are it’s running an embedded version of GNU/Linux or a derivative thereof. Also it’s more than likely acting as a DNS forwarder, DHCP server, basic firewall and a local web-server for remote administration. Lets just hope it’s not also running telnet like some badly designed routers I’ve come across recently. So, would you allow a server running these services run with a 2 year old un-patched version of software ? Almost every day things are patched to block up holes and fix vulnerabilities. What makes your router any different. Well obviously you can’t just go out and patch it in a normal fashion like you would a windows box, you need to updated the firmware. This makes your router a prime target for attack. Especially since a lot of router companies only release a few firmware updates for current routers and then disown them once they move onto the newer model. Aside from the software version issue, some very well educated guesses can be made about your internal environment. Chances are you’re running on the 192.168.0.0 network (or 192.168.1.0 if you’re using NETGEAR hardware) So we can also guess your router is running on the .1 address (or in some rare instances the .254). With this information and a failure to recognise that you’re running services like UPNP (enabled on some routers as default) an attacker can change your DNS records, port blocking and almost any other setting without even prompting you by using authentication bypass techniques**. This is without even considering that the average home user is probably still running the default username/password, with WEP and not WPA(2) enabled.
In the enterprise things are obviously a lot more complex. As an example, consider your average large printer device. Chances are if you’re working in a large company you have a few of these about the place for running large print jobs with duplex, stapling and all manner of other nice features. If you’re company has truly splashed out, then it probably scans, emails, faxes and has a template storage space as well. All these features are really handy for the busy executive, but a nightmare for the security team. The printer (above and beyond the concerns of outdated embedded systems and vulnerable programs) is also running some very scary services totally unprotected. This kind of device can offer FTP, SMTP, HTTP, and hard drive for storing data. Some are even left with the default username and password enabled, after all it’s just a printer. If even one of these systems can be exploited, then it’s only a short step from there to setting the printer to store all print jobs on the internal disk (or even FTP/email them to external locations). This doesn’t even have to be from outside the company, as most companies wouldn’t look twice at an engineer checking the printer settings. After all if you want to steal some top secret information what better way than to exploit a printer or two on the network and just wait for the prints to begin rolling. Every company prints documents that are considered classified, and with very little thought to what happens on the way from the secured server to the printer. After the documents are read however, a security conscious company should shred or burn them. Getting the copy hot of the presses is a lot easier than dumpster diving for the 1 piece of information you really need to find. It also means that the attacker might not even need to be in the same timezone to pick a copy of your new merger plans off your printer.
Next time you plug in a device, take a few minutes to think about what can be done to secure it (even if just a little).
Other discussion on this topic can be found at the following locations .:
* Pauldotcom / ** GNUcitizen