Presentation is loading. Please wait.

Presentation is loading. Please wait.

Embedded Linux Conference6 April 2009Jake Edge - LWN.net Security Issues for Embedded Devices Jake Edge LWN.net Slides:

Published byLenard Wells Modified over 7 years ago

Similar presentations

Presentation on theme: "Embedded Linux Conference6 April 2009Jake Edge - LWN.net Security Issues for Embedded Devices Jake Edge LWN.net Slides:"— Presentation transcript:

1 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Security Issues for Embedded Devices Jake Edge LWN.net jake@lwn.net Slides: http://lwn.net/talks/elc2009

2 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Overview Examples – embedded devices gone wrong Attack surface Attacks and attackers Similarities and differences with “regular” security Specific security ideas to keep in mind It's a thinking process

3 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Examples ● Airtel DSL modem – multiple problems ● 3Com OfficeConnect wireless modem/router – authentication bypass password disclosure ● Nokia N95 smartphone – JPEG crashed phone ● Ralinktech wireless drivers – malformed 802.11 probe allowed remote code execution ● SonyEricsson smartphones – malformed WAP Push message crashed the phone ●...

4 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Attack Surface The attack surface of a system is the “sum” of the inputs that can be controlled or influenced by untrusted users It “measures” the system vulnerability potential Reducing the attack surface is one important way to increase the security of a system

5 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Inputs “Inputs” includes obvious things like the network and the services provided over the network It also includes less obvious things: serial ports, USB, flash devices,... The least obvious are in some ways the most dangerous

6 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Devices and their attack surface ● Print server – user/admin interface, print jobs ● NAS – network, admin interface ● Voting machine – user interface, data storage, maintenance port ● Home router – admin interface, wifi, WAN ● Television – video inputs?, network?, remote control ●...

7 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Android ADP1 Obvious inputs – wifi, bluetooth Less obvious – Cell, GPS receiver Requires physical access – touchscreen, SD slot, USB, accelerometer?

8 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Attacks Successful attacks can do different things depending on the device: ● router – capture traffic, reroute DNS queries ● print server – grab sensitive print jobs (budget?) ● voting machine – steal elections ● TV – show more ads, record viewing habits ● phone – steal pictures, contacts, credentials

9 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Attackers The kinds of attackers will vary based on the kinds of results an attack could bring Phishing and other money-making schemes likely to attract sophisticated, funded attackers Also true for targeted attacks (against an individual or company)

10 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Attackers II Attackers are not necessarily “external” (employees for example), firewall ineffective The internet is obviously a major source of attacks Wireless (of all sorts) is particularly dangerous – no access required, hard to detect

11 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Consider the attack surface It may not be practical or sensible to try to secure all inputs – they should at least be considered Creating a “threat model” will help you decide Some threats (physical access, rogue administrator, etc.) may well fall outside of the threat model

12 Embedded Linux Conference6 April 2009Jake Edge - LWN.net What's different about embedded ● Often have attack surfaces other systems don't ● Code is “fixed”, hard to upgrade ● People don't treat them like computers ● Monocultures

13 Embedded Linux Conference6 April 2009Jake Edge - LWN.net What's the same about embedded ● Same programs, protocols, etc. as desktops and servers ● Thus the same vulnerabilities/exploits ● All of the same rules for securing systems

14 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Specific things to look at ● Default and/or easily guessed passwords for admin accounts should be eliminated ● Be especially careful with programs that allow user interaction (web, command line, ssh) ● In-house code may need more scrutiny than code that is already running on many systems ● Need to keep an eye on security alerts and have a strategy for field upgrades

15 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Remove unneeded things ● Protocols – IPv6, SMB, NFS,... ● Services – telnet, NTP, sshd, SMTP,... ● User accounts ● Software packages – Perl, C compiler, wget, sendmail,... ● Minimize kernel configuration ● Minimize the abilities of the inputs to only those that are needed by the application

16 Embedded Linux Conference6 April 2009Jake Edge - LWN.net It's a thinking process Think beyond the “rules” Think of how things can be broken, rather than how they will work Consider attack surface, threat model, and sensitivity of the data or device to make security tradeoffs

17 Embedded Linux Conference6 April 2009Jake Edge - LWN.net Questions?

Download ppt "Embedded Linux Conference6 April 2009Jake Edge - LWN.net Security Issues for Embedded Devices Jake Edge LWN.net Slides:"

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.

Firewalling Techniques Prabhaker Mateti. ACK Not linux specific Not linux specific Some figures are from 3com Some figures are from 3com.
Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.

Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.
Presented by Serge Kpan LTEC 4550.020 Network Systems Administration 1.

Presented by Serge Kpan LTEC Network Systems Administration 1.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Wi-Fi Structures.

Wi-Fi Structures.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Securing a Wireless Network

Securing a Wireless Network
DIR-657 HD Media Router 1000 Sales Guide Wireless & Router Product Div. Feb 2011 D-Link WRPD.

DIR-657 HD Media Router 1000 Sales Guide Wireless & Router Product Div. Feb 2011 D-Link WRPD.

Similar presentations

Ads by Google