Beware the next circle of hell: Unpatchable systems

Insecure by design and trusted by default, embedded systems present security concerns that could prove crippling


A green light for attacks

Beyond traditional IT, the problems are even worse. Embedded systems are proliferating in nearly every corner of daily life. But even large-volume vendors pushing the hardware to consumers and businesses are often heedless of the need to manage the underlying software, says Cesar Cerrudo, CTO of security firm IOActive Labs.

Worse, these customers often defer to the hardware vendors on matters relating to security or conclude (wrongly) that embedded systems are too obscure to warrant protection, Cerrudo says.

The opposite is true. In its research, IOActive has uncovered the routine use of insecure or hidden protocols, backdoor administrative accounts with hard-coded credentials that cannot be changed, and vulnerable user authentication features.

For industrial control systems, customer trust in unsupported and unsupportable embedded devices is a disaster in waiting. In one recent example, Cerrudo and his colleagues investigated the security of in-pavement wireless vehicle detection technology made by Sensys Networks. The technology has been deployed in 40 U.S. cities, including Washington, New York, Los Angeles, and San Francisco.

They discovered a wide range of design faults and insecurities in the Sensys products. Notably, the in-road sensors did not secure communications with access points used to collect data. That would allow a knowledgeable attacker to spoof the sensors and send bogus data to traffic management systems or to take control of critical infrastructure such as traffic lights.

Presented with IOActive's findings, Sensys Networks told Cerrudo that more recent releases of the company's hardware had fixed some of the prominent software vulnerabilities he had discovered. The problem: There is no way to update the hardware.

"Vendors will try to sell you on it being easy to use and low maintenance," Cerrudo says. "The problem is that when the system has a security issue, you don't have the proper mechanism to update them."

When security is absent from the design of the device, there are few options for securing it after the fact, short of replacing the hardware and software entirely, Cerrudo says.

Insecure by design

Industrial control systems, too, are being targeted by attacks, thanks to security problems stemming from embedded devices and other legacy hardware.

One example: The Department of Homeland Security's Industrial Control System CERT (ICS-CERT) recently issued an alert about a "sophisticated attack" on an "unprotected, Internet-connected, control system operating a mechanical device," carried out by manipulating a SCADA protocol. "The device was directly Internet accessible and was not protected by a firewall or authentication access controls," ICS-CERT wrote.

Dale Peterson, CEO of Digital Bond, a consulting firm that works with industrial control system vendors and critical infrastructure operators alike, says exhorting infrastructure operators to patch misses the bigger point: Many industrial control systems and protocols are "insecure by design."

"An attacker with ICS knowledge would use the features rather than an unpatched [vulnerability] to compromise the system," Peterson says.

Of course, not all IT systems are the same. Security experts agree there are scenarios in which a lower level of security is acceptable.

Perry Pederson, a principal at The Langner Group, says those customers who have taken steps to harden and isolate systems should be more confident that they are protected. However, it is harder than ever for companies to know for sure that air-gapped systems aren't accessible from the Internet or an adjacent network. Critical infrastructure vendors and operators often rely on cellular networks and wireless technology to remotely manage their infrastructure.

This presents a tremendous convenience, but customers and vendors often fail to comprehend the risks that go along with that convenience. The result has been the increasing exposure of systems that were long viewed as unreachable, thereby surfacing security failings not considered meaningful enough to address when those systems were designed.
