#1
Old 10-27-2007, 05:17 AM
Symantec
Senior Member
Join Date: Oct 2006
Posts: 295
A call to embedded system developers – think of the consumers and users

Recently I bought a NAS (Network Attached Storage) solution for home to manage backups for the ever increasing number of storage devices we all seem to be accumulating. I did as most people would and selected a consumer solution from a well-known brand. The brand name on the box, as is not unusual in this day and age, was not the actual developer of the underlying reference design. Instead the system was developed by a third party, including the controller and remote management software, which was subsequently modified to support some proprietary LEDs and gave the company license to slap their logo on it by the name on the box.

Anyway, this solution was built using GPL software components (Linux, Lighttpd and Perl among others); the vendor and original OEM abided by this license and released all the code on their site (including configurations). I did some digging around and was somewhat dismayed to discover that this product had a number of significant security issues. These vulnerabilities resulted in the ability for a remote attacker to bypass the authentication on the administrative interface through to achieving arbitrary code execution as root on the underlying Linux operating system.

You can imagine my chagrin when I discovered these over the weekend. The year is 2007 and vulnerabilities such as Web server misconfigurations, poorly written Perl scripts and everything running as root squarely belong in the last century. These problems, coupled with the reality that patching these systems is unlikely ever to happen, as well as the fact that people are just going to plug these in thinking that the advertised security actually does what it says on the tin, pose a big security issue.

The result could be hundreds of thousands - if not millions - of potential root shells with vast amounts of storage sitting on the end of DSL, 802.11 access points and cable lines the world over. While I appreciate not all of these will be exposed to the Internet, that many of them will is a distinct possibility.

So, really this is a request - no actually, I’m pleading - to embedded systems developers: Just because it doesn’t have a screen, keyboard and mouse doesn’t mean security is any less important. If you’re primarily a hardware designer and/or manufacturer and you are starting to dabble in network-connected devices, please engage a software developer/consultant/contractor with demonstrated knowledge and experience in secure systems and software development. If you’re a big corporation buying/licensing reference designs to repackage under your own brand, maybe do some due diligence that the advertised security exists and is up to scratch before slapping your logo on it. Doing so is going to save all concerned embarrassment and more importantly protect the consumers and users from the risks they are unknowingly being exposed to.

Anyway, regarding the specific example alluded to above; I skipped the re-badger as I knew they weren’t going to have a security team and went straight to the OEM/OED. I’ll be interested if they respond at all, considering the fact it would appear that the guy that developed the Web interface did so under contract and has since left.
http://www.symantec.com/enterprise/security_response/weblog/2007/08/a_call_to_embedded_system_deve.html
Mon, 27 Aug 2007 05:00:00 -0800