Hey, big spender. Are you as secure as a whitebox vendor?
The Internet of Stuff is a HUGE LIABILITY
How Supermicro responds
Supermicro's approach to security is three pronged. It is determined to work hand in glove with security researchers to fix vulnerabilities they identify. It has an internal security team working to find vulnerabilities and patch them and is investing in trying to find completely novel ways to solve security problems.
If you're reading this sort of thing online, you best have a firewall installed
As part of the latter, Kalluri introduced me to Dr Alex Halderman from University of Michigan. Supermicro has been working very closely with Halderman in the hopes of finding new solutions to the problems presented by BMC vulnerabilities. The hope is that if they can come up with a better way to deal with BMC vulnerabilities these techniques can be applied to other unattended computers and eventually help firm up security for the internet of things as a whole.
I threw a lot of questions and ideas at Halderman. He proved both patient with my lack of knowledge and passionate about the topic. There were limits to what information I could work out of him, but ultimately he does seem to know his stuff.
Some of my ideas – like that of embedded application layer gateways, centralised command and control and the need for some form of automatic update mechanism – seemed to trigger in Halderman a desire to really leap into conversations more in depth than could be discussed before they are ready to publish. It's unfortunate, but I was asked to pick the conversation back up in September, so I suspect we won't have to wait long before seeing the early results of Supermicro's tie-up with the University of Michigan.
There are many problems faced by companies trying to secure small embedded computers. Like most embedded devices, BMCs have limited room for applications, so there are limits to how many security toys you can pack in. They are limited in compute power, so on and so forth.
That Supermicro is putting resources into tackling these problems head on is encouraging. We are in the middle of the transition from a world where security was the sole province of the customer to one where vendors of all sizes and market niches accept that security must be a fundamental part of both the design of the systems they sell and their ongoing research and development efforts. While we see that transition through, it's still up to us as systems administrators to hold down the fort.
Vendor, meet sysadmin
Right now, today, it's foolish for any systems administrator to put an embedded device – be it a BMC, a sensor or an internet of things branded and marketed superwidget – naked to the internet. It doesn't matter who makes the system in question: put a firewall between that device and the all-seeing eye of the Shodan search engine.
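What "put a firewall between that device and Shodan" looks like in practice, as an added example that is not part of the original article and is not Supermicro's or the University of Michigan's code: a small shell script that emits an nftables ruleset for a dedicated firewall sitting between a BMC subnet and everything else. The subnet addresses, the table name `bmc_guard` and the function names are assumptions for illustration; the ports are the usual BMC services (IPMI over LAN on UDP 623, SSH on 22, the web UI and Redfish on 443). Only the admin subnet may open connections to the BMCs; everything else, including anything arriving from the internet, is logged and dropped.

```shell
#!/bin/sh
# Added example, not from the article. Generates an nftables ruleset for a
# firewall dedicated to guarding a BMC/IPMI network. Assumed addresses:
#   BMC_NET  - the subnet the BMCs' dedicated management ports live on
#   MGMT_NET - the jump hosts / admin workstations allowed to reach them
BMC_NET="${BMC_NET:-10.0.200.0/24}"   # assumed BMC subnet
MGMT_NET="${MGMT_NET:-10.0.100.0/24}" # assumed admin subnet

# Print the ruleset on stdout so it can be reviewed, diffed, or fed to nft -f.
# The forward chain defaults to drop: this box exists only to front the BMCs,
# so nothing it forwards should be anything other than admin-to-BMC traffic.
bmc_guard_ruleset() {
    cat <<EOF
table inet bmc_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Reply traffic for sessions the admin side opened.
        ct state established,related accept

        # IPMI over LAN (RMCP/RMCP+) only from the admin subnet.
        ip saddr ${MGMT_NET} ip daddr ${BMC_NET} udp dport 623 accept

        # BMC web UI / Redfish / SSH, again only from the admin subnet.
        ip saddr ${MGMT_NET} ip daddr ${BMC_NET} tcp dport { 22, 443 } accept

        # Anything else aimed at a BMC is logged so exposure attempts
        # show up in the SIEM, then dropped.
        ip daddr ${BMC_NET} log prefix "bmc-guard drop: " counter drop
    }
}
EOF
}

# Number of accept rules in the chain. A quick sanity check that no broad
# "accept" has crept into the ruleset: it should stay at exactly three.
bmc_guard_accept_count() {
    bmc_guard_ruleset | grep -c 'accept$'
}

# Parse the ruleset with nft when it is installed (-c checks without applying).
bmc_guard_check() {
    if command -v nft >/dev/null 2>&1; then
        bmc_guard_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Apply with:  bmc_guard_ruleset | sudo nft -f -
```

The firewall here is a separate box in front of the BMC subnet, not the BMC's own filtering, because the whole point of the article is that the BMC itself cannot be trusted to protect itself. If the same firewall also routes unrelated traffic, keep `policy accept` on the forward chain and rely on the final `ip daddr ${BMC_NET} ... drop` rule instead of the chain policy.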
More critically, patch your systems. It does us all no good for vendors to busy themselves issuing patches if we aren't going to take advantage of them.
If Supermicro's efforts are anything to go by – and I do hope that other vendors are engaged in similar avenues of research – the next generation of embedded devices will be a lot more secure and a lot more able to take care of themselves. That said, it will be at least a decade – maybe more – before most of the existing embedded systems, sensors, BMCs and early internet of things widgetry is retired.
We need to do our part. We need to secure our systems and to educate others. We also need to talk with our vendors and ask the hard questions. What are their policies regarding security? How do they engage with the security community? What plans and/or programs do they have in place to push the frontiers of security and ensure that tomorrow's systems are more secure than today's?
A server isn't just a server anymore, and it hasn't been for some time. Your hardware vendor is responsible for selling you systems with embedded operating systems, firmware and other bits of software. Long term support matters.
If Supermicro is willing to commit to seven year life cycles, then I am sure as all hell going to expect at least that from those companies charging more. It's easy to wave those expectations around for enterprise hardware. We need to be doing so for consumer gear as well.
Price and performance aren't good enough metrics anymore. Security – both current and planned – matters at all levels. ®