Embedded systems vendors careless says Metasploit author
AusCERT 2013 One of the reasons we can’t have nice things like a secure Internet is that vendors of consumer kit can’t be bothered.
That’s the conclusion The Register reaches after listening to a presentation by HD Moore, author of Metasploit and now chief research officer at Rapid7, at the AusCERT 2013 security conference today.
Moore told delegates that while systems administrators might be doing a decent job of protecting their systems (actually, too many aren’t – they leave things like default passwords open, for example), it becomes almost irrelevant in the face of the threats created by modems, routers, phones, because vendors of embedded systems in general just don’t care.
“You can probably own five percent of the total Internet without even blinking,” Moore said.
Without detailing Moore’s entire research methodology, he presented the results of a large-scale scan of the IPv4 address space, looking at TCP and UDP services, and turning up “endemic” vulnerabilities.
While people leaving unauthenticated Telnet open to the world is just stupid, he held his harshest criticisms for the way embedded systems manufacturers seemed happy to sling insecure systems into the world and, even with known vulnerabilities, decline to issue fixes.
UPnP remains, unsurprisingly, a big vector. “Two out of the top three UPnP stacks are exploitable,” Moore said – representing 63 percent of the devices in which UPnP is visible to the outside world. Then there’s Web servers, many of them embedded, and vulnerable SNMP systems.
Of SNMP, he noted that there are 75 million vulnerable systems worldwide (in Australia, oddly, the most common being a Campbell Scientific soil data logger), and he asserted that six percent of all Cisco devices visible on the Internet offered SNMP read access – making user ID and password exposures a cinch.
The length of the supply chain in the embedded/consumer system market is also problematic: the embedded software might ship from one vendor, be turned into a module by a second vendor, integrated into a finished system by a third, and branded by a fourth – none of which seem willing to protect end users who may not even own the vulnerable product (for example because it’s a cable modem).
“We’re going to have some really nasty incident … then there’ll be a knee-jerk reaction” before things are fixed, he said. ®