Feeds

Embedded systems vendors careless says Metasploit author

'Own five percent of the Internet without even blinking'

Build a business case: developing custom apps

AusCERT 2013 One of the reasons we can't have nice things like a secure Internet is that vendors of consumer kit can't be bothered.

That's the conclusion The Register reaches after listening to a presentation by HD Moore, author of Metasploit and now chief research officer at Rapid7, at the AusCERT 2013 security conference today.

Moore told delegates that while systems administrators might be doing a decent job of protecting their systems (actually, too many aren't – they leave things like default passwords open, for example), it becomes almost irrelevant in the face of the threats created by modems, routers, phones, because vendors of embedded systems in general just don't care.

“You can probably own five percent of the total Internet without even blinking,” Moore said.

Without detailing Moore's entire research methodology, he presented the results of a large-scale scan of the IPv4 address space, looking at TCP and UDP services, and turning up “endemic” vulnerabilities.

While people leaving unauthenticated Telnet open to the world is just stupid, he held his harshest criticisms for the way embedded systems manufacturers seemed happy to sling insecure systems into the world and, even with known vulnerabilities, decline to issue fixes.

UPnP remains, unsurprisingly, a big vector. “Two out of the top three UPnP stacks are exploitable,” Moore said – representing 63 percent of the devices in which UPnP is visible to the outside world. Then there's Web servers, many of them embedded, and vulnerable SNMP systems.

Of SNMP, he noted that there are 75 million vulnerable systems worldwide (in Australia, oddly, the most common being a Campbell Scientific soil data logger), and he asserted that six percent of all Cisco devices visible on the Internet offered SNMP read access – making user ID and password exposures a cinch.

The length of the supply chain in the embedded/consumer system market is also problematic: the embedded software might ship from one vendor, be turned into a module by a second vendor, integrated into a finished system by a third, and branded by a fourth – none of which seem willing to protect end users who may not even own the vulnerable product (for example because it's a cable modem).

“We're going to have some really nasty incident … then there'll be a knee-jerk reaction” before things are fixed, he said. ®

Next gen security for virtualised datacentres

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?