Embedded devices on enterprise networks make attractive targets for hackers because they provide potential footholds.
These systems perform a variety of functions, often involving sensitive data or control of critical systems. Network gear,
printers, storage appliances and other equipment generally do not have end-point protection installed, making them an ideal spot for an attacker to lurk undetected.
Over the years, I have uncovered dozens and dozens of vulnerabilities within HTTP-based applications running on these systems, and I’ve had a good bit of time to think about how network administrators can minimize the risks posed by them.
In this article, I will share 5 tips I think will go a long way in reducing the chance of embedded device exploitation while, at the same time, increasing the chance of detecting an active attacker.
1. Never use the same browser environment when logging into a network device as you would to browse the Internet.
Many devices lack CSRF protection and may even fail to invalidate session tokens upon logout. Separate browser profiles should generally provide appropriate segregation since ambient authentication is not shared across this context.
2. Wherever possible, it is advisable to disable HTTP/HTTPS interfaces due to the risk of attacks being launched via a malicious website.
I have found that many devices contain code execution flaws exploitable by unauthenticated HTTP requests. SSH is an ideal alternative.
3. Restrict device access to systems with a legitimate reason for accessing it.
For example, there is no reason to allow everyone on a wireless network to have access to the HTTPS management portal. Likewise, there is no reason for a workstation used by an accountant to have access to the NAS containing source code or internal development tools.
4. Log all connections to and from network devices and flag unusual activity.
While it may not be trivial to notice abnormal inbound connections, unusual outbound activity is a strong indicator that a device has been compromised and must be inspected.
5. Reinstall firmware on a regular basis and inspect device configuration for abnormalities.
This helps ensure that your embedded device does not have an embedded attacker. It should go without saying that the most current firmware should always be installed.
Some in the audience may complain that these tips impede the conveniences gained from many embedded devices. This may be true but as we all know, operational security and convenience are almost universally conflicting goals.
While it is unfortunate that we cannot take advantage of the full conveniences of our technology, it is in fact necessary to stay safe due to the overwhelming prevalence of low-hanging vulnerabilities in embedded systems. These vulnerabilities are prominent in both consumer and enterprise products and will likely continue to be involved in breaches for years to come.
In many ways, the state of embedded security in the 2010s is much like the state of application security in the 1990s.
To learn more about a recent flaw I found in enterprise-class hardware,
click here.
