Educause Security Discussion mailing list archives
Re: potential security issues with embedded systems?
From: Cal Frye <cjf () CALFRYE COM>
Date: Thu, 11 Dec 2003 17:16:48 -0500
H. Morrow Long wrote:
Kyle -- Many of the new 'building automation systems' being deployed by facilities and construction management folks feature full-blown embedded OSes, often with SNMP and/or embedded webservers included for management. While these devices used to be on proprietary networks in the past, or even just on closed systems with RS232/422/etc, now they are often on IP-based Ethernets (and many enterprises may possibly use their regular enterprise network to connect these devices for ease of access....).
And if you're really lucky, your Facilities subcontractor will just hang these on the network with no warning, let along forethought. If they can get a DHCP address, they're good to go. Devices we've seen hacked and have had to protect (since the vendor was unable to do so) include: 1) a full-blown Unix system used as a print server for a giant printer/copier from vendor X, 2) various workstations in the science departments that were installed as part of the package as consoles for scientific equipment (X-ray diffractometers and the like) from several vendors, and 3) laptops used as remote monitoring devices for our HVAC equipment. I'm wary of all turnkey systems brought in here. The track record is bad, and if the vendor is not obligated to log into each and every system weekly to check the patch level (if it's a Windows system), then whose responsibility is it? Some of these things were installed with default or even blank Administrator passwords! In many cases, the folks responsible for installing the gear aren't computer savvy at all; they're following the book, step by painful step, and if it's online when they're done, they're done! Ongoing maintenance is not a common concept in this crowd. It's a given -- you're going to get involved with these devices more than you want. Better to do so up front, if you can, rather than after something's just made a mess on the carpet... Thanks for letting me rant a bit ;-) -- --Cal Frye ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- potential security issues with embedded systems? Kyle Barger (Dec 11)
- <Possible follow-ups>
- Re: potential security issues with embedded systems? Paul Russell (Dec 11)
- Re: potential security issues with embedded systems? H. Morrow Long (Dec 11)
- Re: potential security issues with embedded systems? Gary Flynn (Dec 11)
- Re: potential security issues with embedded systems? Scott Bradner (Dec 11)
- Re: potential security issues with embedded systems? Cal Frye (Dec 11)
- Re: potential security issues with embedded systems? Jere Retzer (Dec 11)
- Re: potential security issues with embedded systems? Randy Marchany (Dec 11)
- Re: potential security issues with embedded systems? Jack Suess (Dec 11)
- Re: potential security issues with embedded systems? Dewitt Latimer (Dec 12)
- Re: potential security issues with embedded systems? Scott Bradner (Dec 12)
- Re: potential security issues with embedded systems? Don Westlight (Dec 12)
- Re: potential security issues with embedded systems? Tom Jackson (Dec 12)