“[An embedded system] has all the same components as your regular computer that you probably have on your desk, or your laptop, except it’s much smaller and it’s typically built with a specific purpose in mind.”
In layman’s terms, they’re devices like wireless routers or MP3 players. They can also be part of more complex systems, such as nuclear power plants.
Asadoorian explains that the security of an embedded system is important but often overlooked, because it usually has to be managed manually.
A lot of embedded systems aren’t secure out of the box for a variety of reasons.
“Number one, like with most things, is cost. There are lots of wireless router manufacturers out there . . . And they all make, essentially, the same router that does the same function. So, when you go to the store, obviously, you’re just going to look for the cheapest one. In that competition, to drive cost down, people start taking out features, such as security. One of the other problems, too, is that in order to fit all the stuff in a neat little embedded systems package, they don’t have a lot of the processing power to do some of the more advanced security things. For example, you could put antivirus software on your computer and most of the time it runs pretty [well]. There’s such limited space and processing power in an embedded system, that a lot of those enhanced security features are left out.”
So, this might be just a pain for the average consumer, but what if you’re a CISO at a federal agency?
Asadoorian says it’s a pretty elusive problem, but there is hope.
“From an organizational perspective, you have to include everything that looks and feels like a computer into your normal, everyday computer operations and security operations. If you put a server or a desktop system on your network, you should have some kind of policy that says the server or desktop needs to meet some minimum security standard.”
This is where regulations like FDCC come in, and it might take some legwork to secure an embedded system along with your desktops.
“My advice to everyone is to make sure that you’re applying your same security standards [to embedded systems]. In other words, if you say — no one should be managing a device that doesn’t provide an SSL certificate in order to manage it over a secure HTTPS connection. A lot of these embedded systems are getting away with using these antiquated protocols and they’re not falling inside people’s policies.”
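One way to turn that policy into a repeatable check is to audit an inventory of management interfaces and flag devices that are managed over plain HTTP or that present a certificate that does not validate. The script below is an added illustration, not Asadoorian’s or any vendor’s code; the inventory hosts are constructed placeholders, and the `probe` argument exists so the policy logic can be exercised without a live network.

```python
"""Management-interface policy check: flag devices that are managed over
plain HTTP or that present an untrusted TLS certificate."""
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample inventory (hypothetical hosts, not from the article).
INVENTORY = [
    {"name": "core-router", "mgmt_url": "https://10.0.0.1/"},
    {"name": "lobby-printer", "mgmt_url": "http://10.0.0.20/"},
    {"name": "mfd-copier", "mgmt_url": "https://10.0.0.30:8443/"},
]

def probe_tls(host, port, timeout=3.0):
    """Attempt a verified TLS handshake. Returns 'ok', 'untrusted_cert'
    (handshake fails on certificate validation, e.g. self-signed) or
    'no_tls' (no TLS listener, connection refused, or timeout)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "untrusted_cert"
    except (OSError, ssl.SSLError):
        return "no_tls"

def check_device(device, probe=probe_tls):
    """Classify one device against the policy: management must be over
    HTTPS with a certificate that validates against the trust store."""
    parts = urlsplit(device["mgmt_url"])
    if parts.scheme != "https":
        return "plaintext_mgmt"
    port = parts.port or 443
    result = probe(parts.hostname, port)
    return "compliant" if result == "ok" else result

def audit(inventory, probe=probe_tls):
    """Return {device name: finding} for every non-compliant device."""
    findings = {}
    for dev in inventory:
        verdict = check_device(dev, probe)
        if verdict != "compliant":
            findings[dev["name"]] = verdict
    return findings

if __name__ == "__main__":
    for name, finding in audit(INVENTORY).items():
        print(f"{name}: {finding}")
```

A device reported as `untrusted_cert` may still be using TLS, but with a self-signed or expired certificate, which is worth tracking separately from a device that offers no TLS at all.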
One of the biggest challenges is that a lot of people have the misconception that attackers don’t want to compromise items like printers, or couldn’t do a lot of damage even if that were their goal.
Asadoorian suggests you start thinking like a hacker, and realize that embedded systems do a lot more than simply talk to printers these days.
“As Linux has evolved over the past 5 to 7 years, it’s become the platform of choice for these embedded systems and what’s happening is, especially with newer editions of the Linux kernel such as 2.6, they’re able to add a lot more functionality to these embedded systems. So, when these vulnerabilities exist, and I compromise an embedded system, now I can do a lot more than I could 5 years ago. So, it’s becoming a platform that’s allowing me to act as a jumping off point to then compromise other systems. For example, a lot of these embedded systems are managed via HTTP and they have a web server built in. If I can compromise the system and put some malicious code within that web server, when someone connects it with a web browser I can then compromise their system or compromise their credentials.”
The Psybot, discovered earlier this year, is an example of a worm that invaded home PCs through routers.
There was also the Chuck Norris botnet, which did some harm and was widely reported on this past February.
Asadoorian explains that his ultimate goal is to get vendors to build better security into their embedded systems, but also admits that it’s up to the consumer to be aware of what’s going on.
“There’s a lot of considerations to be made about your embedded systems security. There’s a lot of scary areas that you may not realize. For example, these multi-function devices — that big device that does scanning, copying, printing and faxing. A lot of those have a hard drive and an operating system and they’re storing every document that runs through it. You need to make sure that those are on your radar and that you’re evaluating the security of everything that plugs into the network.”