Almost everything can connect to the Internet these days – printers, of course, and webcams, radios and even refrigerators. HVAC systems for home and business and industrial SCADA systems are often online, too. These specialized devices typically do their work quietly and out of sight, unlike the machines we physically interact with on a daily basis.
But out of sight should not translate to out of mind. Embedded systems – all-in-one machines with on-board software baked into the device – pose potential security risks to networks large and small.
While any network-aware machine presents some degree of risk, embedded devices possess a cluster of characteristics worthy of particular notice:
- The software built into the device may be simpler and less sophisticated than software built for more powerful machines, potentially exposing more weaknesses.
- Manufacturers may be slow to build or release patches for devices with a niche market.
- Likewise, many embedded devices have a small user base, meaning less opportunity for end users to discover and report bugs.
- End users are more likely to "set it and forget it" when deploying embedded devices, particularly those without screens or those that operate out of sight.
- Limited memory and storage can translate into little or no activity logging, making it harder to detect malicious activity before or right after it takes place.
Embedded Devices: Online and Exposed
In 2012 an anonymous security researcher deployed software to infect over 400,000 embedded devices, creating a botnet called Carna. The software was designed to be non-malicious; it harvested information from infected machines to build a "census" of connected devices online. Putting aside the ethics of the project, Carna vividly demonstrates how vulnerable many printers, webcams and other embedded devices can be.
In this instance, the infected devices were vulnerable because they were Internet-facing and in default configuration states, either without authentication controls or default passwords.
Another security researcher, HD Moore at Rapid7, recently published about finding over 100,000 open serial ports accessible online. Serial access can provide attackers with live, unauthenticated access to a server when an authorized user has already opened a shell on the device. Again, these machines could have been configured with restrictions on their serial ports but simply were not. While open serial ports aren’t specific to embedded devices, they represent the kind of "forgotten" access routes that can fly under the radar in many organizations securing their networks.
As we've explored previously, tools like the public search engine Shodan have made it easier for both the malicious and the just curious to identify Internet-facing machines -- including embedded devices which likely have security shortcomings.
Assessing Security Risks of Embedded Devices
At first glance it is tempting to think, "What can an attacker really do with access to my company's printer? Waste a lot of ink and paper?" Yes, an attacker can very well interrupt operations of the embedded device itself, effectively a type of denial of service attack. While that may not seem like such a big deal for relatively innocuous devices like printers, it is critical to think of the bigger picture.
Of course, embedded devices that control important systems such as industrial processes are in and of themselves high risk targets. But even more limited embedded devices can become "mouseholes" into your network.
A particular embedded device might have limited capabilities itself, but an attacker who compromises it can gain valuable insight into your network. It’s like they are inside the mousehole looking into your house. Depending on the device, they may even be able to execute or load their own software onto it – like the Carna bot did -- potentially sniffing intranet traffic or performing other types of surveillance that give them tools for new avenues of attacks against your network.
Securing Embedded Devices
If there is an upside to the risks posed by embedded devices, it is that a few simple practices will secure the largest surface areas of vulnerability:
Inventory all embedded devices on your network. Because their nature lends them to be "hidden," it is important to start by thoroughly accounting for all network-aware machines on your network.
Ask which embedded devices really need Internet access. If you never access your network printer from outside the office (or outside a VPN), then block it from external access. If the printer's own configuration doesn't support this, any good firewall will.
Employ non-default passwords. As we've seen, many embedded devices are at risk simply because they are online in a default configuration mode.
Keep up to date on firmware updates. This is often a key weakness in embedded devices from two angles.
One, as we've said, is the tendency to forget about embedded devices. So don't. Unfortunately, manufacturers can forget about them, too. Maybe not "forget" in the literal sense, but embedded devices are more vulnerable to becoming stale. Firmware updates can stop coming, and the support lifetime may be shorter than for PC-based software. Consequently, it may be necessary to replace embedded devices with newer models if and when a manufacturer stops publishing updates.
Consider the UPnP vulnerability discovered in a library common to many devices. This particular flaw actually can expose UPnP-supporting devices to the public Internet even when their operation should be limited to a local intranet. Of course, anyone with an affected device should apply the most recent firmware updates. But invariably, some such devices have not been patched by their vendors and won't be – a case study in embedded devices that will need to be replaced with newer models.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.