Bigger On The Inside



Talk for Penn State SRA Club on the challenges of doing security audits on systems including embedded devices in limited time and with a limited budget.

Published in: Technology, Business
  • Like probably everyone else in the room, I asked Google…which told me I should have started with Wikipedia. Note what it doesn't say: nowhere does it say an embedded system can't use general-purpose software and hardware components, only that it isn't designed to.
  • Laziness: the quality that makes you go to great effort to reduce overall energy expenditure. It makes you write labor-saving programs that other people will find useful, and document what you wrote so you don't have to answer so many questions about it. Impatience: this makes you write programs that don't just react to your needs, but actually anticipate them. Hubris: also the quality that makes you write (and maintain) programs that other people won't want to say bad things about. Common software components mean that existing techniques will work, albeit with custom payloads. People securing servers have pretty much gotten it. Hopefully your programming classes are showing it to you. If not, please ask your professors to stop hurting the world. The designers of small, limited-function devices? Not so much.
    1. Bigger on the Inside: The Tardis Effect on the Security of Embedded Systems
    2. Problem space
       - Embedded systems are frequently overlooked during a security audit.
       - This can have surprising results during an actual incident.
       - Security auditors need to pay attention to devices that appear to be limited function, as they may be bigger on the inside.
    3. What is an embedded system?
       - "An embedded system is a computer system designed to perform one or a few dedicated functions often with real-time computing constraints. It is embedded as part of a complete device often including hardware and mechanical parts."
       - -Wikipedia
    4. Why are they overlooked?
       - Ubiquitous
       - Small
       - Appear limited
       - Not sexy
       - Lack of attack tools
       - Cramped payloads
    5. Why are they vulnerable?
       - Virtues of a programmer
         - Laziness, Impatience, Hubris
       - Code re-use: BSD
       - Systems reuse: Linux, Windows
       - Lack of security orientation
    6. Who overlooks them?
       - Rushed security auditors
       - Busy sysadmins
       - Unaware designers
       - Tool-using hackers
       - Internal bad actors? Well…
       - High-level, determined attackers? Er…
    7. What happens when they fail?
       - Device goes away
       - Low-profile attack platform
       - Opportunity to quietly mess with the victim
       - Can operate quietly forever
       - Possibly forensics resistant
    8. The Xerox WorkCentre™ Unintentional Server
       - BH 2006, Brendan O'Connor, "Vulnerabilities in Not-So Embedded Systems"
       - Multifunction copy/scan/print
       - 1 GHz AMD, 256 MB, 80 GB HDD
       - Linux, Apache, PostgreSQL
       - Authentication bypass by switching URL
       - Command injection to iptables from admin interface
       Image: Courtesy of Xerox Corporation.
    9. Shmoocon Talk: Femtocell Fail
       - "Through the theoretical attack method outlined in our talk, the attacker would compromise the femtocell device to gain full root access over the device," Fasel said. "As the attacker has access to the device, any services the device offers [are] subject to the attacker's control, including voice, data, authentication and access to the femtocell's home network."
       - Zfasel, jaku, the information wants to be free!
    10. A Radio, and a Whole Lot More
       - The information wants to be free…but so do I.
       - Unnamed Radio System (URS)
       - Software radios
       - Embedded Linux controller
       - Blank root password, root allowed Telnet
       - Ancient version of the commercial Linux
    11. How can they be addressed?
       - Research
       - Scanners
       - Fingerprinting
       - Others…
    12. Let's Review
       - Frequently skipped
       - Best intentions lead to failure
       - Best intentions fail to find them
       - Worst intentions seem to, though
       - Real-world examples exist
       - Mix of techniques
    13. Wake up!
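Slide 8 names "command injection to iptables from admin interface" as one of the WorkCentre findings. The following is an added example, not code from the talk or from Xerox: a minimal version of that pattern, an admin page's "block this host" handler that builds an iptables command from a form field, written the vulnerable way beside the hardened way. The form field, the chain name and the DROP rule are assumptions; neither builder executes iptables, both return the command so a reader can inspect the difference offline.

```python
"""Added example, not part of the original talk: the command-injection
pattern from slide 8 (an admin page that hands a form field to iptables),
shown as the vulnerable command builder beside a hardened one. Neither
function executes iptables; both return the command so the difference can be
inspected offline. The form field, chain name and DROP rule are assumptions."""
import ipaddress
import shlex
import subprocess

CHAIN = "INPUT"  # assumed: the chain the admin page's "block host" button manages


def build_block_command_unsafe(host_field: str) -> str:
    """Vulnerable form: interpolates the form field straight into a shell
    string. Whatever the shell treats as a control operator in host_field
    becomes part of the command line, which is the defect the slide names."""
    return f"iptables -A {CHAIN} -s {host_field} -j DROP"


def shell_operators_in(command: str) -> list[str]:
    """Return the control operators (';', '|', '&&', ...) a POSIX shell would
    see in command. Used here only to make the defect visible to the reader;
    a well-formed block command contains none."""
    tokens = shlex.split(command, punctuation_chars=True)
    return [t for t in tokens if t and all(c in ";|&()<>" for c in t)]


def build_block_command_safe(host_field: str) -> list[str]:
    """Hardened form: accept only something that parses as an IP address or
    network, then return an argv list so no shell ever parses the value."""
    try:
        target = ipaddress.ip_network(host_field.strip(), strict=False)
    except ValueError as exc:
        raise ValueError(f"rejected firewall target {host_field!r}: {exc}") from exc
    return ["iptables", "-A", CHAIN, "-s", str(target), "-j", "DROP"]


def is_accepted(host_field: str) -> bool:
    """True when the hardened builder would accept the field."""
    try:
        build_block_command_safe(host_field)
    except ValueError:
        return False
    return True


def apply_block(host_field: str, run=subprocess.run) -> list[str]:
    """Validate, then apply with an argv list (shell=False is the default).
    Pass a stub as `run` to exercise the path without touching a firewall."""
    argv = build_block_command_safe(host_field)
    run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one carrying a shell operator.
    for field in ("10.0.0.5", "10.0.0.5; extra-command"):
        verdict = "accepted" if is_accepted(field) else "rejected"
        leaked = shell_operators_in(build_block_command_unsafe(field))
        print(f"{field!r}: hardened builder {verdict}; unsafe string carries {leaked}")
```

The point for an auditor is the second half: the fix is not escaping, it is refusing anything that does not parse as an address and never letting a shell see the value. The same validate-then-argv shape applies to any admin page that fronts a system command.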
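Slide 10 lists "blank root password, root allowed Telnet" on the radio's embedded Linux controller. As an added example (not code from the talk or from the device vendor), here is an offline audit check for those two findings that an auditor with limited time could run over configuration files pulled from a device image. The /etc/shadow, /etc/inetd.conf and /etc/securetty contents are constructed samples, and the securetty rule is an assumption about the device's login program: no /etc/securetty means no restriction, and a listed pts/ entry lets root log in on the pseudo-terminal telnetd allocates.

```python
"""Added example, not part of the original talk: an offline audit for the two
findings on slide 10, a blank root password and root login permitted over
Telnet, run against copies of an embedded Linux box's /etc/shadow,
/etc/inetd.conf and /etc/securetty. All file contents below are constructed
samples. The securetty rule is an assumption about the device's login program."""
from typing import Optional

SAMPLE_SHADOW = """root::18000:0:99999:7:::
admin:$6$constructed$notarealhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""

SAMPLE_INETD = """# constructed BusyBox-style inetd.conf
telnet stream tcp nowait root /usr/sbin/telnetd telnetd -i
#ftp stream tcp nowait root /usr/sbin/ftpd ftpd
"""

SAMPLE_SECURETTY: Optional[str] = None  # constructed: the file is absent on the device


def blank_password_accounts(shadow_text: str) -> list[str]:
    """Accounts whose shadow password field is empty. '*' and '!' mean
    locked, not blank, so they are not reported."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found


def enabled_inetd_services(inetd_text: str) -> set[str]:
    """Service names on active (non-comment) inetd.conf lines."""
    services = set()
    for line in inetd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            services.add(line.split()[0])
    return services


def root_telnet_allowed(inetd_text: str, securetty_text: Optional[str]) -> bool:
    """True when telnet is served and the (assumed) securetty policy would
    let root log in on a pseudo-terminal."""
    if "telnet" not in enabled_inetd_services(inetd_text):
        return False
    if securetty_text is None:
        return True  # assumption: absent securetty means root allowed from any tty
    ttys = [t.strip() for t in securetty_text.splitlines()
            if t.strip() and not t.startswith("#")]
    return any(t.startswith("pts/") for t in ttys)


def audit(shadow_text: str, inetd_text: str, securetty_text: Optional[str]) -> list[str]:
    """Findings as short strings, one per issue, so they drop into a report."""
    findings = [f"blank password: account '{name}'"
                for name in blank_password_accounts(shadow_text)]
    if root_telnet_allowed(inetd_text, securetty_text):
        findings.append("root login over telnet permitted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW, SAMPLE_INETD, SAMPLE_SECURETTY):
        print("FINDING:", finding)
```

Both checks are cheap to run against a mounted firmware image or a configuration backup, which is the kind of low-cost coverage slide 11's "scanners" and "others…" are pointing at for devices that would otherwise be skipped.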