Bigger On The Inside
Download as PPT, PDF0 likes371 views
The document highlights the security vulnerabilities of embedded systems, often overlooked by auditors due to their seemingly limited functions. It discusses the consequences of such oversights, including the potential for high-level attacks facilitated by lax security practices. The document emphasizes the need for better awareness and specific strategies to address these vulnerabilities in embedded systems.
![Shmoocon Talk: Femtocell Fail "Through the theoretical attack method outlined in our talk, the attacker would compromise the femtocell device to gain full root access over the device," Fasel said. "As the attacker has access to the device, any services the device offers [are] subject to the attacker's control, including voice, data, authentication and access to the femtocell's home network.“ Zfasel, jaku, the information wants to be free! http://www.flickr.com/photos/yourdon/4254008662/in/photostream/](https://image.slidesharecdn.com/biggerontheinside-100215191823-phpapp02/85/Bigger-On-The-Inside-9-320.jpg)
Bigger On The Inside
- 1. Bigger on the Inside: The Tardis Effect on the Security of Embedded Systems Image: http://www.flickr.com/photos/bupswee/2738391972/
- 2. Problem space Embedded systems are frequently overlooked during a security audit. This can have surprising results during an actual incident. Security auditors need to pay attention to devices that appear to be limited function, as they may be bigger in the inside.
- 3. What is an embedded system? “ An embedded system is a computer system designed to perform one or a few dedicated functions often with real-time computing constraints. It is embedded as part of a complete device often including hardware and mechanical parts.” -Wikipedia http://www.flickr.com/photos/squeezyboy/3300595223/
- 4. Why are they overlooked? Ubiquitous Small Appear limited Not sexy Lack of attack tools Cramped payloads http://www.flickr.com/photos/cogdog/3771231430/
- 5. Why are they vulnerable? Virtues of a programmer Laziness, Impatience, Hubris Code re-use: BSD Systems reuse: Linux, Windows Lack of security orientation
- 6. Who overlooks them? Rushed security auditors Busy sysadmins Unaware designers Tool-using hackers Internal bad actors? Well… High-level, determined attackers? Er… http://www.flickr.com/photos/sophos_germany/3321595771/
- 7. What happens when they fail? Device goes away Low-profile attack platform Opportunity to quietly mess with the victim Can operate quietly forever Possibly forensics resistant http://www.flickr.com/photos/heinousjay/517339489/
- 8. The Xerox Workcentre™ Unintentional Server BH 2006 Brendan O'Connor “Vulnerabilities in Not-So Embedded Systems” Multifunction copy/scan/print 1GHz AMD, 256MB, 80GB HDD Linux, Apache, Postgress Authentication Bypass by switching URL Command injection to iptables from admin interface Image: Courtesy of Xerox Corporation.
- 9. Shmoocon Talk: Femtocell Fail "Through the theoretical attack method outlined in our talk, the attacker would compromise the femtocell device to gain full root access over the device," Fasel said. "As the attacker has access to the device, any services the device offers [are] subject to the attacker's control, including voice, data, authentication and access to the femtocell's home network.“ Zfasel, jaku, the information wants to be free! http://www.flickr.com/photos/yourdon/4254008662/in/photostream/
- 10. A Radio, and a Whole Lot More The information wants to be free…but so do I. Unnamed Radio System (URS) Software Radios Embedded Linux controller Blank root password, root allowed Telnet Ancient version of the commercial Linux Image: http://www.flickr.com/photos/synthesisstudios/414382700/
- 11. How can they be addressed? Research Scanners Fingerprinting Others… http://www.flickr.com/photos/tjt195/380173157/
- 12. Let’s Review Frequently skipped Best intentions lead to failure Best intentions fail to find them Worst intentions seem to, though Real-world examples exist Mix of techniques http://www.flickr.com/photos/sheepbackcabin/3219647072/
Editor's Notes
- #4: Like probably everyone else in the room, I asked Google…which told me I should have started with Wikipedia. Note what is doesn’t say: nowhere does it say an embedded system can’t use general purpose software and hardware components, only that it isn’t designed to.
- #6: Laziness The quality that makes you go to great effort to reduce overall energy expenditure. It makes you write labor-saving programs that other people will find useful, and document what you wrote so you don't have to answer so many questions about it. Impatience:This makes you write programs that don't just react to your needs, but actually anticipate them. Hubris: Also the quality that makes you write (and maintain) programs that other people won't want to say bad things about. Common software components mean that existing techniques will work, albeit with custom payloads. People securing servers have pretty much gotten it. Hopefully your programming classes are showing it to you. If not, please ask your professors to stop hurting the world. The designers of small, limited function devices? Not so much.