Educause Security Discussion mailing list archives

Re: potential security issues with embedded systems?


From: Cal Frye <cjf () CALFRYE COM>
Date: Thu, 11 Dec 2003 17:16:48 -0500

H. Morrow Long wrote:

       Kyle -- Many of the new 'building automation systems' being deployed by
       facilities and construction management folks feature full-blown
       embedded OSes, often with SNMP and/or embedded webservers
       included for management.

       While these devices used to be on proprietary networks in the past,
       or even just on closed systems with RS232/422/etc, now they are
       often on IP-based Ethernets (and many enterprises may possibly
       use their regular enterprise network to connect these devices for
       ease of access....).

And if you're really lucky, your Facilities subcontractor will just hang
these on the network with no warning, let alone forethought. If they can
get a DHCP address, they're good to go.

Devices we've seen hacked and have had to protect (since the vendor was
unable to do so) include:
1) a full-blown Unix system used as a print server for a giant
printer/copier from vendor X,
2) various workstations in the science departments that were installed
as part of the package as consoles for scientific equipment (X-ray
diffractometers and the like) from several vendors, and
3) laptops used as remote monitoring devices for our HVAC equipment.

I'm wary of all turnkey systems brought in here. The track record is
bad, and if the vendor is not obligated to log into each and every
system weekly to check the patch level (if it's a Windows system), then
whose responsibility is it? Some of these things were installed with
default or even blank Administrator passwords! In many cases, the folks
responsible for installing the gear aren't computer savvy at all;
they're following the book, step by painful step, and if it's online
when they're done, they're done! Ongoing maintenance is not a common
concept in this crowd.

It's a given -- you're going to get involved with these devices more
than you want. Better to do so up front, if you can, rather than after
something's just made a mess on the carpet...

Thanks for letting me rant a bit ;-)
--
--Cal Frye

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
