At this year’s Black Hat and DEF CON security conferences, talks focused on attacks against the embedded operating systems found in thousands of digital gadgets now in use.
Any Internet-addressable device is threatened, including smart meters, medical monitors, and similar dedicated-use equipment. But the threat also encompasses those multifunction, printer/scanner devices (MFPs) found on almost every network.
Convenience might translate into less security
With the rollout of IPv6, there will soon be enough Internet addresses to connect any digital device to the Web — for decades to come. As one security expert put it: if the number of available IP addresses under the current IPv4 standard is a grain of sand, the number under IPv6 is an entire galaxy. Consider that soon, every electrical device in your house could have its own IP address.
That level of connectivity promises a host of new capabilities, both good and bad. The good includes using a smartphone or tablet to remotely control and monitor anything connected to the Web: turn on the house lights and heat while driving home, start the laundry and the coffee maker, record a TV show; or, if you live in snow country, start your car from your office.
The flaw in this vision of a vastly connected future? There’s almost no effective antihacking protection built into the dedicated operating systems that control and connect these smart devices — at least for now — and upgrading them is either too costly or technically impossible. Or, as in the case of MFPs, we simply don’t know that they pose a security risk.
Web servers are here, there, everywhere
In his Black Hat talk, “Corporate espionage for dummies: the hidden threat of embedded Web servers,” security company CEO Michael Sutton noted the increasing presence of Web servers in common products such as printers and routers. Unlike software-based Web servers, which provide access to the Internet, embedded Web servers generally serve as an administrative interface to the host hardware. (They’re typically part of the device’s chipset; they tend to be low-performance and have very limited functionality.) The administrative access is often where the threat exists.
Sutton said that most wireless home networks — and many small-office networks — in use today were likely set up by someone who didn’t know much about network security (typically through some sort of setup wizard during the installation process). That can leave wireless, small-network products such as printers and scanners exposed to any hacker on the Net.