Firms Slow To Secure Flaws In Embedded Devices

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/vulnerability-management/167901026/security/security-management/232200133/firms-slow-to-secure-flaws-in-embedded-devices.html

By Robert Lemos
Contributing Editor
Dark Reading
Nov 22, 2011

At the Black Hat Security conference earlier this year, Jerome 
Radcliffe, a security researcher who has diabetes, showed off weaknesses 
in the security of a popular insulin pump. Last month, another 
researcher at security firm McAfee expanded on the attack, showing how 
the pumps could be easily attacked and that manufacturers were 
unprepared to fix the problem.

The hack of the insulin pump demonstrates a major problem with embedded 
devices: Most systems were never designed to be easily updated. With 
researchers increasingly looking at software systems embedded in 
automobiles, network routers, printers, and industrial control systems, 
a growing number of vulnerabilities will be found. Yet fixing those 
flaws in the field is not easy, says Stuart McClure, general manager of 
risk and compliance for McAfee.

"It takes a year to get any bit on the device changed," he says. "It is 
a big problem that has to be overcome in order to secure the systems."

Android phones are another example. While Google fixes the flaws on the 
devices quickly, many patches languish in manufacturers' development 
shops or in quality assurance testing at the carrier.

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn