Establishing Digital Trust: Don't Sacrifice Security for Convenience
You see, the average hacker is only looking for a place from which to launch attacks, store warez, and play games. It doesn't matter to them if you see an IP address and think networked printer. They see RAM and disk space. They don't care if it's a printer or a garage door opener. If it's running Windows, it's definitely fresh meat. It only gets better when it's your grandmother's Windows 98 machine that she leaves online over her dialup modem every night when she falls asleep in front of CSI: Sheboygan. (I know you've always wondered why her phone was busy at the oddest times.)
In the last several months, I've seen several different types of appliances compromised. I have been asked to evaluate the security aspects of some Internet-capable devices and help devise solutions to their security issues.
Most of you are familiar with networked printers. They allow you to connect to them using TCP/IP so many people can share one centralized printer, saving money, space and supplies. There also are networked thermostats, networked door controllers and other networked devices. Most run some form of underlying Windows operating system. Occasionally, I work with companies using proprietary operating systems in their components.

One printer manufacturer, which enjoys a majority of the business market, sells networked printers that run on Windows NT. In and of itself, this is problematic, but when was the last time you saw an NT machine capable of auto-updates for OS security patches? For that matter, when was the last time Microsoft delivered a patch for NT? The problem isn't so much when the patches are released as when the owner of the printer rolls a monitor and keyboard over to the printer and plugs in to download and install the patches.
If it looks like a printer, acts like a printer and sounds like a printer, why should anyone think of it as a computer?

Unfortunately, on the Internet, it just looks, acts, and sounds like an unpatched NT system with default passwords. Oh, right... actually, there's no password at all.
The hacker in me is happy to upload my little FTP server with all my zipped warez files for my pals to trade around. Or I might load a little IRC chat bot that I can use to control other machines, so I can, for instance, launch distributed denial-of-service attacks. When they trace the attack back, it points to a printer, owned by a group of people who have no idea what a bot is.

And to boot, the little bit of memory the legitimate users need for the Web page and their documents won't be adversely affected by my operations.
Other products boast proprietary operating systems as a means of securing the networked device. But a proprietary operating system offers little more protection. It only makes it more difficult to break into if the proper authentication procedures are set. If the vendor only supports unencrypted telnet or HTTP (and not HTTPS), then it doesn't matter. A little brute-force dictionary attack on the root/login password and the system is there for the taking. This is, of course, assuming there was a password to brute force in the first place.

Ease of use for the consumer means ease of use for all consumers.
Don't Make it Too Easy
Up to this point, we've been assuming the hacker is remote to the network the appliance or printer resides on. If the intruder is physically proximate and can sniff the traffic on the wire, it's a different game altogether. The attacker then simply needs to copy enough traffic to recover the passwords, since HTTP and telnet send their passwords in the clear (as does FTP).
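The same property that helps the intruder helps the owner find the problem first: cleartext logins are trivially visible in a capture of your own network. The audit script below is an added example, not code from the original article; it assumes traffic has already been captured and reassembled into per-flow payloads (the flows, addresses and credentials are constructed for the example), and it checks each payload for HTTP Basic authentication, FTP USER/PASS and a telnet login prompt. Findings record the user and the length of the secret but never the secret itself, so the audit report cannot become a second leak.

```python
import base64
import re

# Constructed sample of captured TCP payloads as (src, dst, dst_port, payload).
# Invented for this example; not from any real capture. The last flow is an
# opaque TLS fragment to show that encrypted traffic yields nothing.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 80,
     b"GET /admin HTTP/1.0\r\nHost: printer\r\nAuthorization: Basic "
     + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"),
    ("10.0.0.5", "10.0.0.21", 21, b"USER root\r\nPASS secret123\r\n"),
    ("10.0.0.5", "10.0.0.22", 23, b"login: root\r\nPassword: toor\r\n"),
    ("10.0.0.5", "10.0.0.23", 443, b"\x16\x03\x01\x00\x95\x01\x00\x00\x91\x03\x01"),
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)
FTP_USER_RE = re.compile(r"^USER\s+(\S+)", re.M)
FTP_PASS_RE = re.compile(r"^PASS\s+(\S+)", re.M)
TELNET_LOGIN_RE = re.compile(r"login:\s*(\S+)", re.I)
TELNET_PASS_RE = re.compile(r"Password:\s*(\S+)", re.I)


def _finding(proto, src, dst, port, user, secret):
    # Only the length of the secret is kept; the value is dropped on purpose.
    return {"proto": proto, "src": src, "dst": dst, "port": port,
            "user": user, "secret_len": len(secret)}


def find_cleartext_credentials(flows):
    """Scan reassembled payloads for credentials sent in the clear."""
    findings = []
    for src, dst, port, payload in flows:
        text = payload.decode("latin-1")  # 1:1 byte mapping, never raises on binary
        m = BASIC_RE.search(text)
        if m:
            try:
                creds = base64.b64decode(m.group(1), validate=True).decode("latin-1")
            except ValueError:  # binascii.Error is a ValueError: malformed base64
                creds = ""
            if ":" in creds:
                user, _, pw = creds.partition(":")
                findings.append(_finding("http-basic", src, dst, port, user, pw))
        u, p = FTP_USER_RE.search(text), FTP_PASS_RE.search(text)
        if u and p:
            findings.append(_finding("ftp", src, dst, port, u.group(1), p.group(1)))
        u, p = TELNET_LOGIN_RE.search(text), TELNET_PASS_RE.search(text)
        if u and p:
            findings.append(_finding("telnet", src, dst, port, u.group(1), p.group(1)))
    return findings


def devices_to_fix(findings):
    """Unique (device, protocol) pairs that accepted a cleartext login."""
    return sorted({(f["dst"], f["proto"]) for f in findings})


if __name__ == "__main__":
    results = find_cleartext_credentials(SAMPLE_FLOWS)
    for f in results:
        print(f)
    print("devices to fix:", devices_to_fix(results))
```

The output is a list of devices and protocols to disable or put behind SSH/HTTPS, which is the actionable result; the TLS flow on port 443 produces no finding because there is nothing readable in it.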
One vendor suggested that rather than build an SSL component or an SSH daemon to go with their proprietary operating system, they could use a form of 'light encryption' to protect the data while in transmission. On the surface, this sounds like a reasonable alternative, except if you have an attacker motivated enough to sift through copied traffic to recover your passwords and gain control of your system. Then offering up the additional challenge of cracking your encryption algorithm is just making the game that much more exciting. Not only that, but you've given him all of your systems up front.

(I'm thinking here that if you're not willing to invest in building an SSH daemon, you aren't going for any heavyweight elliptic curve encryption algorithm either. And I'm also guessing you won't use different cipher keys for different systems sold to different locations.) No, at this point, all you've accomplished with lightweight encryption is to offer your clients a false sense of security.
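To make the two objections concrete (a weak cipher, and one key shared by every unit sold), here is the check an evaluator would run against such a proposal. It is an added example, not code from the original article or from the vendor it describes; the 'light encryption' is a hypothetical repeating-key XOR, and the firmware key, the per-unit key and the login banner are constructed values. The evaluator uses only traffic from a unit they own, where the banner is known plaintext, and traffic from a second unit.

```python
def light_encrypt(data: bytes, key: bytes) -> bytes:
    """Hypothetical 'light encryption' as a vendor might propose it: repeating-key
    XOR with a key baked into the firmware. XOR is its own inverse, so the same
    call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed values for the demonstration; no real product ships these.
FIRMWARE_KEY = b"\x5a\xc3\x91\x2e\x77\x08\xb4\x1d"    # same key in every unit sold
OTHER_UNIT_KEY = b"\x0c\x71\xe8\x93\x25\xbf\x46\xd2"  # a per-unit key, for comparison
BANNER = b"Welcome to NetPrint 2000\r\nlogin: "        # fixed greeting every unit transmits


def recover_key_from_known_plaintext(ciphertext: bytes, plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext check: for repeating-key XOR, key = ciphertext XOR plaintext
    over the first key_len bytes. A real cipher must not have this property."""
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], plaintext[:key_len]))


def evaluate_scheme() -> dict:
    """Run the evaluator's checks and return one boolean per question."""
    # 1. The evaluator's own unit: the banner is known, so the key is recoverable
    #    from a single captured session.
    own_session = light_encrypt(BANNER + b"admin\r\n", FIRMWARE_KEY)
    recovered = recover_key_from_known_plaintext(own_session, BANNER, len(FIRMWARE_KEY))

    # 2. Another customer's unit with the same firmware key: that key from step 1
    #    reads its traffic too, which is the "given him all of your systems" point.
    other_plain = BANNER + b"s3cret-pw\r\n"
    other_session = light_encrypt(other_plain, FIRMWARE_KEY)
    other_readable = light_encrypt(other_session, recovered) == other_plain

    # 3. The same session under a per-unit key: the key from step 1 no longer
    #    helps. The weak cipher still leaks that unit's own key via its banner,
    #    so per-unit keys narrow the damage but do not fix the scheme.
    per_unit_session = light_encrypt(other_plain, OTHER_UNIT_KEY)
    per_unit_readable = light_encrypt(per_unit_session, recovered) == other_plain

    return {
        "key_recovered_from_own_unit": recovered == FIRMWARE_KEY,
        "other_unit_readable_with_shared_key": other_readable,
        "other_unit_readable_with_per_unit_key": per_unit_readable,
    }


if __name__ == "__main__":
    for check, result in evaluate_scheme().items():
        print(f"{check}: {result}")
```

The first two checks come back true, which is the whole argument in two lines: a predictable banner hands over the key, and a shared key hands over every installation at once. The third is false, so unique keys per unit would at least contain the damage, but the same banner trick still works against each unit individually, which is why nothing short of a real protocol (SSH or SSL) answers the objection.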
The hazard of the proprietary operating system is that it lends a sense of security through obscurity.

The reasoning goes: if no one knows how our operating system works, then it can't be used for bad behavior. But the operating system still must be integrated into the larger networked world using well-defined traffic protocols. If those protocols aren't secure, or the passwords aren't well chosen, the proprietary operating system looks just like every other piece of low-hanging fruit on the Internet waiting to be exploited.
Proprietary operating systems have another disadvantage, as well.
In open source operating systems, there is a community of developers who work on projects that benefit everyone in the community. For example, an SSH daemon only has to be built once. (In reality it will be built several times to provide particular features or security measures that one group might wish to enhance more than a different set.) Once the particular protocol has been built, it's available to everyone who uses that particular operating system.

On the other hand, a proprietary operating system has to have all the protocols written by those who have the source code and know how it works. This can be an enormous financial burden for the owner of the operating system. If you happen to be Bill Gates, you can throw your money away on bad implementations before you get it right. If you're a little guy, you can't afford to get it wrong, because, really, you can't afford to have to write the protocol in the first place.