Beware the next circle of hell: Unpatchable systems

Insecure by design and trusted by default, embedded systems present security concerns that could prove crippling

Microsoft's decision to end support for Windows XP in April was met with a collective gulp by the IT community. For good reason: Approximately 30 percent of all desktop systems continue to run XP despite Microsoft's decision to stop offering security updates. Furthermore, a critical security flaw in Internet Explorer 8 disclosed recently by HP's TippingPoint Division opens the door to remote attacks on XP systems that use IE8.

But Windows XP is just the tip of an ever-widening iceberg: software and hardware that is unpatchable and unsupportable -- by policy or design. In fact, the trend toward systems and devices that, once deployed, stubbornly "keep on ticking" regardless of the wishes of those who deploy them is fast becoming an IT security nightmare made real, affecting everything from mom-and-pop shops to power stations.

[ Verse yourself in the 7 sneak attacks used by today's most devious hackers, 14 dirty IT security consultant tricks, 9 popular IT security practices that don't work, and 10 crazy security tricks that do. | It's time to reconsider security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

This unpatchable hell is a problem with many fathers, from recalcitrant vendors to customers wary of -- or hostile to -- change. But with the number and diversity of connected endpoints expected to skyrocket in the next decade, radical measures are fast becoming necessary to ensure that today's "smart" devices and embedded systems don't haunt us for years down the line.

Trouble close to home

The problem of unsupported or undersupported devices hits close to home for millions of broadband users in the United States and Europe. Broadband routers humming away peacefully in attics and home offices have become the latest targets of sophisticated cyber criminal groups.

A string of incidents in recent months have underscored the vulnerability of this population of loosely managed and configured devices. In March, the security consultancy Team Cymru warned that hackers had compromised some 300,000 small- and home-office broadband routers made by firms D-Link, Micronet, Tenda, and TP-Link, among others.

That attack followed a similar incident in which compromised home routers were used in attacks on online banking customers in Poland and the appearance, in February, of a virus dubbed "The Moon," which spreads between Linksys E-Series home routers, exploiting an authentication bypass vulnerability in the systems.

Worse, these attacks relied on the same set of problems common to embedded systems: poor (or "commodity") engineering, insecure default settings, the use of hard-coded (permanent) "backdoor" accounts, and a lack of sophistication on the part of device owners, Team Cymru reported.

"As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce," Team Cymru concluded in its report. "Security for these devices is typically a secondary concern to cost and usability, and has traditionally been overlooked by both manufacturers and consumers."

1 2 3 Page 1
Page 1 of 3