Bigger On The Inside

Post on 11-Nov-2014

Talk for Penn State SRA Club on the challenges of doing security audits on systems including embedded devices in limited time and with a limited budget.

Bigger on the Inside:

The Tardis Effect on the Security of Embedded Systems

Image: http://www.flickr.com/photos/bupswee/2738391972/

Problem space

Embedded systems are frequently overlooked during a security audit.

This can have surprising results during an actual incident.

Security auditors need to pay attention to devices that appear to be limited in function, as they may be bigger on the inside.

What is an embedded system?

“An embedded system is a computer system designed to perform one or a few dedicated functions often with real-time computing constraints. It is embedded as part of a complete device often including hardware and mechanical parts.”

-Wikipedia

http://www.flickr.com/photos/squeezyboy/3300595223/

Why are they overlooked?

• Ubiquitous
• Small
• Appear limited
• Not sexy
• Lack of attack tools
• Cramped payloads

http://www.flickr.com/photos/cogdog/3771231430/

Why are they vulnerable?

• Virtues of a programmer
  – Laziness, Impatience, Hubris
• Code re-use: BSD
• Systems reuse: Linux, Windows
• Lack of security orientation

Who overlooks them?

• Rushed security auditors
• Busy sysadmins
• Unaware designers
• Tool-using hackers
• Internal bad actors? Well…
• High-level, determined attackers? Er…

http://www.flickr.com/photos/sophos_germany/3321595771/

What happens when they fail?

• Device goes away
• Low-profile attack platform
• Opportunity to quietly mess with the victim
• Can operate quietly forever
• Possibly forensics resistant

http://www.flickr.com/photos/heinousjay/517339489/

The Xerox Workcentre™ Unintentional Server

• BH 2006 Brendan O'Connor “Vulnerabilities in Not-So Embedded Systems”
• Multifunction copy/scan/print
• 1GHz AMD, 256MB, 80GB HDD
• Linux, Apache, Postgres
• Authentication Bypass by switching URL
• Command injection to iptables from admin interface

Image: Courtesy of Xerox Corporation.

Shmoocon Talk: Femtocell Fail

"Through the theoretical attack method outlined in our talk, the attacker would compromise the femtocell device to gain full root access over the device," Fasel said. "As the attacker has access to the device, any services the device offers [are] subject to the attacker's control, including voice, data, authentication and access to the femtocell's home network."

Zfasel, jaku, the information wants to be free!

http://www.flickr.com/photos/yourdon/4254008662/in/photostream/

A Radio, and a Whole Lot More

• The information wants to be free…but so do I.
• Unnamed Radio System (URS)
• Software Radios
• Embedded Linux controller
• Blank root password, root allowed Telnet
• Ancient version of the commercial Linux

Image: http://www.flickr.com/photos/synthesisstudios/414382700/
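
An audit check for the two URS findings above (blank root password, root allowed over Telnet), as an added example that is not part of the original talk. It assumes the controller's root filesystem has been unpacked and uses the conventional Linux files /etc/passwd, /etc/shadow, /etc/inetd.conf and /etc/securetty; the function names and all sample file contents are constructed for illustration.

```python
# Added example: the file contents at the bottom are constructed samples.

def blank_password_accounts(passwd_text, shadow_text=""):
    """Return accounts that can log in with an empty password."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l.count(":") >= 1)
    blank = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, pw = fields[0], fields[1]
        if pw == "x":                    # password is held in /etc/shadow
            pw = shadow.get(name, "*")   # no shadow entry: treat as locked
        if pw == "":
            blank.append(name)
    return blank

def telnet_enabled(inetd_text):
    """True if an uncommented inetd.conf line starts the telnet service."""
    for line in inetd_text.splitlines():
        words = line.split()
        if words and words[0] == "telnet":   # "#telnet" does not match
            return True
    return False

def root_allowed_on_network_tty(securetty_text):
    """None means /etc/securetty is absent, which leaves root unrestricted."""
    if securetty_text is None:
        return True
    ttys = [l.strip() for l in securetty_text.splitlines()]
    return any(t.startswith(("pts/", "ttyp")) for t in ttys)

def audit(passwd, shadow, inetd, securetty):
    findings = []
    if "root" in blank_password_accounts(passwd, shadow):
        findings.append("blank root password")
    if telnet_enabled(inetd) and root_allowed_on_network_tty(securetty):
        findings.append("root login permitted over Telnet")
    return findings

PASSWD = "root:x:0:0:root:/root:/bin/sh\nradio:x:500:500::/home/radio:/bin/sh\n"
SHADOW = "root::10933:0:99999:7:::\nradio:$1$constructed$hash:10933:0:99999:7:::\n"
INETD = "#ftp stream tcp nowait root /usr/sbin/in.ftpd\ntelnet stream tcp nowait root /usr/sbin/in.telnetd\n"
SECURETTY = "console\ntty1\npts/0\npts/1\n"

if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW, INETD, SECURETTY):
        print("FINDING:", finding)
```

Running the same check against every firmware image collected during an audit gives a quick first pass over devices that would otherwise be skipped for lack of time.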

How can they be addressed?

• Research
• Scanners
• Fingerprinting
• Others…

http://www.flickr.com/photos/tjt195/380173157/

Let’s Review

• Frequently skipped
• Best intentions lead to failure
• Best intentions fail to find them
• Worst intentions seem to, though
• Real-world examples exist
• Mix of techniques

http://www.flickr.com/photos/sheepbackcabin/3219647072/

Wake up!

http://www.flickr.com/photos/walkn/3526522573/