Educause Security Discussion mailing list archives
Re: potential security issues with embedded systems?
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 11 Dec 2003 16:19:10 -0500
Kyle Barger wrote:
The recent story about Diebold teller machines being hit by the Nachi worm started me thinking. In the past few months I've seen demonstrations of a PBX system and of a "one card" debitcard/building access system that were both based on Windows. We all know what we've had to deal with in terms of security issues for Windows as a server and desktop OS. What has the track record been for embedded systems that use Windows? Is this enough of a concern to take such products out of the running for future consideration? What about other operating systems? If I buy a firewall appliance that's built on Linux, should I worry about how fast the vendor will be releasing firmware upgrades to handle Linux security issues that crop up? Any experiences or thoughts are appreciated.
No experience. Just some random thoughts. Like the present situation with desktops, we may not realize how vulnerable we are until a critical mass of devices are in existence and people start paying the wrong kind of attention to them. Then we're left to cope with a population of devices designed and deployed in an environment that has transformed into something they were not meant to deal with. A lot has to do with the level of accessibility and user interaction. If a client system ships with listening ports, be wary. It means the vendor hasn't learned any lessons about leaving doors open to software which could later be found to have problems (or is just behaving irresponsibly in that regard). Lacking listening ports, and assuming core functionality is solid (like properly subtracting withdrawals from balances), leaves user interaction and communications as the risk points. A lot of the problem with general purpose computers is that they're general purpose, totally under the control of the generally computer-uneducated end user, and loaded up with multi-purpose, high functionality software. That leaves the designers with having to deal with almost infinite variables. Single function devices with limited functionality should have less complexity and a smaller risk footprint regardless of vendor. The interface to a 10 digit keypad with menu selected choices should be easier to verify than the interface to a web browser. Kind of like a VT100 or thin client. :) Of course, if functionality starts getting layered on (customized internet streamed music while you wait for your receipt, check your email while you get your money, remote administration web servers, ATM access from a cell phone, etc.) then all bets are off. That isn't so much a security problem with the product as it is a demonstration of poor judgment and discipline on the part of the vendor and purchaser. The other consideration is whether a mission critical or high value target should use a public network for communications when it does not need to be accessed by the general public over the public network. SCADA systems and ATM machines come to mind. Finally, regarding vendor support, ideally it would be contractual. Vendor has X days or weeks to retrofit security patches into the product. But how many of you have been told by a vendor that a service pack or security patch hasn't been tested or isn't supported on your configuration? When we sign licensing contracts that state the software isn't guaranteed to do anything and limits damage to the lessor of actual loss or $5.00, its difficult to force vendors to act responsibly. :) Viewing the dichotomy between certain vendor's marketing web sites and their licensing terms and security recommendations reminds me of the cigarette manufacturers' commercials touting their smoking and health information web sites. Its nauseating. Interesting related item: http://www.microsoft.com/automotive/windowsautomotive/ http://www.usatoday.com/tech/news/techinnovations/2003-03-27-car-windows_x.htm http://www.microsoft.com/presspass/press/2002/jul02/07-15TelematicsWorldwidePR.asp -- Gary Flynn Security Engineer - Technical Services James Madison University ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- potential security issues with embedded systems? Kyle Barger (Dec 11)
- <Possible follow-ups>
- Re: potential security issues with embedded systems? Paul Russell (Dec 11)
- Re: potential security issues with embedded systems? H. Morrow Long (Dec 11)
- Re: potential security issues with embedded systems? Gary Flynn (Dec 11)
- Re: potential security issues with embedded systems? Scott Bradner (Dec 11)
- Re: potential security issues with embedded systems? Cal Frye (Dec 11)
- Re: potential security issues with embedded systems? Jere Retzer (Dec 11)
- Re: potential security issues with embedded systems? Randy Marchany (Dec 11)
- Re: potential security issues with embedded systems? Jack Suess (Dec 11)
- Re: potential security issues with embedded systems? Dewitt Latimer (Dec 12)
- Re: potential security issues with embedded systems? Scott Bradner (Dec 12)
- Re: potential security issues with embedded systems? Don Westlight (Dec 12)
- Re: potential security issues with embedded systems? Tom Jackson (Dec 12)