Latest Research On Embedded System Security
Embedded device security is a topic that many will dismiss, in favor of more popular security concerns. I can understand this, to a certain extent, because mainstream press and information outlets often do not cover embedded security. They are focused on the more common threats, such as the latest Microsoft patches, network worm, Anti-Virus software, and social networking sites that have been hacked. While these are important stories to note, pay attention to, and react defensively, they do not cover all of the threats and associated risk for your organization. Embedded systems are in everyone’s network, and do things like route traffic, block packets, and in the control systems world, if Ethernet enabled, control critical infrastructure. Many believe that since the device is embedded, that no one would bother to attack it or take the time and effort to understand how it works. This is not always the case, in fact, by nature hackers are curious, and sometimes motivated by sheer curiosity (if we’re lucky).
There has been new research published on attacking embedded devices that has the potential to be much worse than the latest network work or XSS vulnerability (in my opinion anyhow). The first example comes from Graeme Neilson of Aura Software. Graeme gave a presentation at Ruxcon, a security conference held is Syndey, Australia, titled “Netscreen of the Dead: Developing A Trojaned Firmware for Juniper Netscreen Appliances”. He was able to reverse engineer firmware for the Juniper Netscreen firewalls and insert programs of his own choosing, manipulating the behavior of the firewall. So what, right? If we were to put our “evil hats” on for a few minutes and explore the evil things an attacker can do with this functionality, we might come up with a list like this:
1) Stealthily Modify The Configuration – If you have control of the firmware, you have the ability to load what is referred to by Graeme as “shadow configuration”. This configuration tells the device to behave in a certain way, but leaves no evidence that its happening. In the context of a firewall this means you can allow an external IP address full access through the firewall and/or mirror traffic from an interface to an outgoing data stream.
2) Persistent Infection – Embedded systems have a BIOS which acts similar to the one found in most PCs and servers. If you could infect the bootloader, you can then infect any subsequent firmware with you malicious programs. To put this into context, most will recommend that if you get infected with malware or viruses you should format your hard drive, re-install the operating system from clean media, and re-install all programs (Verifying that they are not trojaned). By infecting the boot loader, you can do all that but still be infected because the bootloader remains the same across OS and firmware upgrades (unless you are upgrading the bootloader itself).
3) Create Further Malware Delivery Mechanisms – It is conceivable that operators or administrators will access devices to manage them. In the case of a firewall, this typically means logging into the web GUI to make changes to firewall rules. A compromised device could contain malicious JavaScript or HTML of the attacker’s choosing, which then leads to the compromise of the operator’s workstation. This level of access is scary, as the operator most likely has access to other critical systems and data.
An additional feature of compromising an embedded device, would be collecting authentication credentials. This comes in two forms:
1) Usernames & Passwords – If there is one constant that I have found in many different networks, its that users re-use passwords. The sheer number of different passwords we have to keep memorized is frightening, so often people give in and use the same one for the firewall as they do for their domain login (for example). Collecting the usernames and passwords used to access devices could grant access to even more critical information.
2) “Secret” Keys – There are many protocols that require the use of a PSK, or Pre-Shared Key, as an authentication mechanism or encryption key. These can include SNMP, IPSec, RADIUS, and many others. Often many different devices will share the same key, for example maybe the read/write SNMP string is the same for all 10,000 devices in the network. Gaining access to this key now grants you control of every networking device in the environment.
The next embedded device security research I would like to highlight comes from none other than Felix “FX” Lindner, a security research with quite a bit of experience hacking embedded systems, and specifically Cisco devices. FX gave a presentation at the recent 25th Chaos Communications Congress titled “Cisco IOS attack and defense The State of the Art”. He has devised a way to exploit Cisco 1700 and 2600 series routers, based on PowerPC chips, in a reliable manner. He used similar techniques as Graeme Neilson and reverse engineered the firmware and crash dumps to create exploits. Of course, you will need a vulnerability in which to exploit to make this work. FX brought up several good points about the security of embedded network devices:
1) There Is No Reverse NAC – Network Access Control (NAC) attempts to verify that the client can connect to the network. There is no technology, to my knowledge, that can verify the network to the client. This means that clients will typically inherently trust the network and devices providing them access. For example, when you connect to a wireless router, do you have a way to verify that the firmware has not been modified to steal all of your credentials?
2) Embedded Systems Have Little OS Security Controls – Most embedded systems do not have a host-based intrusion prevention system, or any way to detect an attack against them. They usually are a shared memory environment with the concept of threads rather than processes. This means that taking over one thread gives you access to the entire operating system.
As Windows and UNIX computers become more difficult to attack due to advances in defensive technologies, attackers will continue to shift focus to embedded systems. As technology becomes smaller and just as critical as most servers in your environment, this will be a continuing concern for organizations. While the Zune faiure was due to programmer error, its a good example of how catastrophic the failure or compromise of an embedded system could be.
So, what can we do to defend our embedded systems? Stay tuned for next week’s blog post 
Author: Paul Asadoorian
Posted: January 8th, 2009 under Uncategorized.
Comments: 4
Comments
Comment from Samantha
Time: January 9, 2009, 5:01 am
If you need an all in one solution then I would look at something like unified threat managment also known as a UTM.Cyberoam firewall is the only UTM firewall that embeds user identity in firewall rule matching criteria, enabling enterprises to configure policies and identify users directly by the username rather than through IP addresses. Cyberoam’s powerful hardware firewall provides stateful and deep packet inspection, access control, user authentication, network and application-level protection.
The ICSA-certified Cyberoam firewall is available along with VPN, gateway anti-virus and anti-spyware, gateway anti-spam, intrusion prevention system, content filtering, bandwidth management and multiple link management, providing comprehensive security to small, medium and large enterprises, including remote and branch offices. Cyberoam is a Check Mark Level 5 certified UTM solution.
Key Features
1.Stateful Inspection Firewall
2.Centralized management for multiple security features
3.Embeds user identity in rule-matching criteria
4.Multiple zone security
5.Granular IM, P2P controls
6.ICSA certified
Comment from Erik H
Time: January 10, 2009, 5:12 am
Great post Paul!
I think that embedded systems will be the hackers second choise of systems to attack, right next after Windows hosts. There are, of course, several different types of embedded systems, so it is not always fair to just group them togeather as a common entity. I guess the more common high-end embedded OS’s will be more popular for attackers, such as uClinux, VxWorks and Montavista.
I’m looking forward to the follow-up post next week!
Comment from Al Sudduth
Time: January 10, 2009, 8:47 pm
The way to defend your embedded system devices is to ensure that once you have established the configuration, lock it down so that configuration can be changed only through the local physical access (serial) port on the device (assuming that changing the configuration through the network connection was ever an option). The second action to take is to ensure that the subnet to which the embedded system device is connected cannot be accessed for input from any subnet at a higher level in the heirarchy, unless absolutely necessary for passing real time control demand signals, ,by firewalling the traffic between the subnet to which the embedded system devices are connected.
If you do the networking design correctly, then embedded devices need not be a point of concern for security.
I agree with the previous comment – the absolute worst security decision that can be made in designing and implementing process control systems is to use Microsoft Windows as an operating system on any device in the system.
Al Sudduth
Comment from Kurt Stammberger
Time: January 13, 2009, 12:03 am
Paul:
Thanks for your thoughtful post. Our CTO and I took a special interest in it, because our engineering team has solutions purpose-built for embedded systems that address many of the problems you illustrate so well. So I apologize in advance for the product plugs….but since they are so directly applicable, I thought some of your readers who are suffering from these attacks would be specifically interested. (Plus trials of all of the packages are free). To wit:
1) Re: “Stealthily Modify The Configuration”
A possible (at least partial) solution might be to digitally sign the initial configuration scripts, so an outsider could not tamper with the configuration. A product like Mocana’s NanoUpdate package could be used to implement such protections. http://www.mocana.com/NanoUpdate.html
2) Re: “Persistent Infection”. Mocana offers a product which protects against attacks of this type: it’s called NanoBoot. http://mocana.com/NanoBoot.html
3) Re: “Create Further Malware Delivery Mechanisms”. For these attacks, a combination of NanoBoot and NanoUpdate, together with our embedded intrusion-detection system, NanoDefender, should do the trick. http://mocana.com/NanoDefender.html
Re: “Usernames & Passwords”: One of our packages, an embedded certificate management engine called NanoCert, stops this attack. Another product, called NanoRadius would stop access to the entire stored username/password of a device… although active attacks are feasible, but limited. http://mocana.com/NanoCert.html and http://mocana.com/NanoRadius.html
Re: “Secret Keys” – we posit that Pre-Shared Keys are, in general, a bad idea as they are inevitably compromized. Instead, using a certificate infrastructure like NanoCert would stop this attack as well, since no shared secrets would be required. RADIUS would still be vulnerable, though SNMP could use IPsec for security. (And yes, we have an embedded IPSec solution as well, called – you guessed it – NanoSec. http://mocana.com/NanoSec.html
Re: “There Is No Reverse NAC”: Our NanoEAP supplicant can, in fact, do the reverse checking that you’re looking for. http://mocana.com/NanoEAP.html
Re: “Embedded Systems Have Little OS Security Controls”…. you’re right on the money here. That’s why we developed our NanoDefender package. (see link above).
Again – great post – discusses a lot of the problems that we work on every day in embedded systems. We invite any and all of your readers to visit us on the web to download free trials of any of the products discussed above.
James Blaisdell, CTO, Mocana
Kurt Stammberger, CISSP & VP Marketing, Mocana
Write a comment