Bigger On The Inside

Bigger on the Inside: The Tardis Effect on the Security of Embedded Systems Image: http://www.flickr.com/photos/bupswee/2738391972/

Problem space
Embedded systems are frequently overlooked during a security audit.
This can have surprising results during an actual incident.
Security auditors need to pay attention to devices that appear to be limited function, as they may be bigger in the inside.

What is an embedded system?
“ An embedded system is a computer system designed to perform one or a few dedicated functions often with real-time computing constraints. It is embedded as part of a complete device often including hardware and mechanical parts.”
-Wikipedia
http://www.flickr.com/photos/squeezyboy/3300595223/

Why are they overlooked?
Ubiquitous
Small
Appear limited
Not sexy
Lack of attack tools
Cramped payloads
http://www.flickr.com/photos/cogdog/3771231430/

Why are they vulnerable?
Virtues of a programmer
Laziness, Impatience, Hubris
Code re-use: BSD
Systems reuse: Linux, Windows
Lack of security orientation

Who overlooks them?
Rushed security auditors
Busy sysadmins
Unaware designers
Tool-using hackers
Internal bad actors? Well…
High-level, determined attackers? Er…
http://www.flickr.com/photos/sophos_germany/3321595771/

What happens when they fail?
Device goes away
Low-profile attack platform
Opportunity to quietly mess with the victim
Can operate quietly forever
Possibly forensics resistant
http://www.flickr.com/photos/heinousjay/517339489/

The Xerox Workcentre™ Unintentional Server
BH 2006 Brendan O'Connor “Vulnerabilities in Not-So Embedded Systems”
Multifunction copy/scan/print
1GHz AMD, 256MB, 80GB HDD
Linux, Apache, Postgress
Authentication Bypass by switching URL
Command injection to iptables from admin interface
Image: Courtesy of Xerox Corporation.

Shmoocon Talk: Femtocell Fail
"Through the theoretical attack method outlined in our talk, the attacker would compromise the femtocell device to gain full root access over the device," Fasel said. "As the attacker has access to the device, any services the device offers [are] subject to the attacker's control, including voice, data, authentication and access to the femtocell's home network.“
Zfasel, jaku, the information wants to be free!
http://www.flickr.com/photos/yourdon/4254008662/in/photostream/

A Radio, and a Whole Lot More
The information wants to be free…but so do I.
Unnamed Radio System (URS)
Software Radios
Embedded Linux controller
Blank root password, root allowed Telnet
Ancient version of the commercial Linux
Image: http://www.flickr.com/photos/synthesisstudios/414382700/

How can they be addressed?
Research
Scanners
Fingerprinting
Others…
http://www.flickr.com/photos/tjt195/380173157/

Let’s Review
Frequently skipped
Best intentions lead to failure
Best intentions fail to find them
Worst intentions seem to, though
Real-world examples exist
Mix of techniques
http://www.flickr.com/photos/sheepbackcabin/3219647072/

Wake up! http://www.flickr.com/photos/walkn/3526522573/

Bigger On The Inside

by Michael Carson on Feb 15, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 84

Statistics

Bigger On The Inside — Presentation Transcript