Feeds

Embedded systems vendors careless says Metasploit author

'Own five percent of the Internet without even blinking'

SANS - Survey on application security programs

AusCERT 2013 One of the reasons we can't have nice things like a secure Internet is that vendors of consumer kit can't be bothered.

That's the conclusion The Register reaches after listening to a presentation by HD Moore, author of Metasploit and now chief research officer at Rapid7, at the AusCERT 2013 security conference today.

Moore told delegates that while systems administrators might be doing a decent job of protecting their systems (actually, too many aren't – they leave things like default passwords open, for example), it becomes almost irrelevant in the face of the threats created by modems, routers, phones, because vendors of embedded systems in general just don't care.

“You can probably own five percent of the total Internet without even blinking,” Moore said.

Without detailing Moore's entire research methodology, he presented the results of a large-scale scan of the IPv4 address space, looking at TCP and UDP services, and turning up “endemic” vulnerabilities.

While people leaving unauthenticated Telnet open to the world is just stupid, he held his harshest criticisms for the way embedded systems manufacturers seemed happy to sling insecure systems into the world and, even with known vulnerabilities, decline to issue fixes.

UPnP remains, unsurprisingly, a big vector. “Two out of the top three UPnP stacks are exploitable,” Moore said – representing 63 percent of the devices in which UPnP is visible to the outside world. Then there's Web servers, many of them embedded, and vulnerable SNMP systems.

Of SNMP, he noted that there are 75 million vulnerable systems worldwide (in Australia, oddly, the most common being a Campbell Scientific soil data logger), and he asserted that six percent of all Cisco devices visible on the Internet offered SNMP read access – making user ID and password exposures a cinch.

The length of the supply chain in the embedded/consumer system market is also problematic: the embedded software might ship from one vendor, be turned into a module by a second vendor, integrated into a finished system by a third, and branded by a fourth – none of which seem willing to protect end users who may not even own the vulnerable product (for example because it's a cable modem).

“We're going to have some really nasty incident … then there'll be a knee-jerk reaction” before things are fixed, he said. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.