Smart devices have become pervasive in the enterprise environment, causing challenges for IT departments, reports Angela Moscaritolo.

Networking giant Cisco issued a warning last spring that flaws affecting one of its devices could leave a building’s security, lighting, energy and ventilation systems susceptible to attack.

The vulnerabilities affected Cisco Network Building Mediator, a technology that is used to interconnect critical building systems. Left unpatched, the bugs could have allowed an attacker to obtain administrative passwords, read system configuration files or, worse, gain complete control over the device and the building’s key systems.

The flaws were among an ever-growing class of threats affecting so-called embedded devices.

It is a well-known fact that more and more traditionally offline machines are being connected to the internet these days. From networked printers, smartphones and security cameras to door locks, air conditioning units and lighting systems, embedded devices are everywhere. Even microwaves, airplanes, cars, medical devices and systems used to control the country’s energy supply are connected. In total, there are currently about 20 billion non-PC-connected devices, about five times the number of PCs and servers on the internet today, according to a survey of 269 organizations released last year by embedded device security firm Mocana.

Businesses in the security, health care, industrial, transportation and energy sectors are becoming increasingly interested in acquiring IP-enabled devices to drive up efficiency, says Paul Pishal, vice president of product management at Lantronix, a device networking company. Embedded devices can decrease the cost of repairs by allowing remote service personnel to access them for monitoring and maintenance, he says.

But if left unprotected, embedded devices are prone to malicious acts that are limited only by the imagination of an attacker, says Ira Winkler, chief security strategist at IT consultancy TechnoDyne.

Networked printers, in particular, are a dominant threat vector to the enterprise, says Adrian Turner, CEO of Mocana. Cybercriminals could launch a buffer overflow attack, for example, to gain remote access and steal sensitive information stored on the printer’s hard disk. Even worse, this entryway could be used to access other systems communicating with that device.

In September, researchers discovered that certain models of HP combination printer and scanner devices contained a feature that could allow for corporate espionage. The capability, called WebScan, allows a user to remotely trigger the scanning functionality and retrieve scanned images via a web browser. This feature could allow anyone on the local area network to remotely connect to the scanner and retrieve documents that have been left behind.

HP argued that when used as intended on a secured network, WebScan allows consumers and small to midsize businesses to share information quickly and conveniently. But researchers warned that a disgruntled employee could hypothetically write a script to regularly run the scanner in hopes of capturing a forgotten confidential document.

And then there was Stuxnet

Similar to traditional cybercrime, the motives for attacking an embedded device vary. Some strive to gain notoriety, but many more seek monetary gains. Other attackers aim to carry out industrial espionage and – in the most dangerous cases – to threaten national security.

Highlighting the most severe risks posed by embedded devices is the now-infamous Stuxnet worm. Called a “game-changer” by many, Stuxnet was designed to target industrial control systems used to manage operations at power plants and other critical infrastructure facilities.

Though it is uncertain who unleashed the Stuxnet worm, experts say its purpose was to cause a damaging physical response. The worm did not result in any destruction, but it did take affected facilities offline in Iran.

Despite the severe risks, embedded devices are becoming pervasive, according to the Mocana survey. In fact, two-thirds of respondents said their organization uses non-PC-connected devices – such as smartphones, network printers, routers and data communication equipment. In addition, more than half of respondents said they use VoIP (voice over internet protocol) devices or networked building security features, such as digital cameras and computerized electronic locks.

Alarmingly, 71 percent of respondents said they expect a serious incident within the next 24 months due to attacks or problems affecting embedded devices, according to the report.

What to do

Moreover, 65 percent of respondents said that attacks against their non-PC smart devices already require the attention of their IT staff or will start requiring it this year. But mitigating the risk posed by embedded devices is a responsibility that extends beyond the IT department, says TechnoDyne’s Winkler. For starters, organizations must draft a corporate security policy that includes embedded devices.

In addition, a risk assessment should be performed during the acquisition of any device that has outside connectivity. As part of the assessment, it should be determined which security controls are available for the device. Finally, the organization must seriously consider whether the device is worth the risks.

While organizations must consider the risks before procuring embedded devices, much of the onus for securing such technologies rests on the manufacturer’s shoulders, Mocana’s Turner says.

As a minimum level of security, encryption should be used to protect data that is stored on the machine and to safeguard information as it passes among devices. Also, the firmware on a device should be hardened against malware and viruses. And finally, a mechanism for patching security flaws must be present.

Some manufacturers have been taking steps to improve the security of their connected devices, Turner says. Networked printer makers, in particular, are taking security seriously, he says. In addition, the Stuxnet worm has prompted other device manufacturers to take notice that the threat landscape has dramatically evolved and that more proactive steps are needed to protect embedded devices.

Despite these improvements, however, there is currently no way for manufacturers to clearly and easily communicate to buyers the level of security included in an embedded device. Turner suggested that something akin to the Energy Star mark, used to show that a device is energy efficient, is needed for security.

“Security has to be built in, not bolted on and delivered after the fact,” Turner says.

[sidebar]

TIMELINE: Latest threats 

November 2008 Two traffic engineers in Los Angeles hack a computer system that controls traffic lights and disconnect signals at four busy intersections.

February 2009 Researchers discover mobile malware targeting Symbian smartphones propagating in the wild.

April 2009 U.S. officials warn that foreign spies have penetrated the national power grid.

October 2009 Columbia University researchers discover nearly 21,000 routers, webcams and VoIP products are susceptible to attack because their default passwords were not changed.

December 2009 U.S. military surveillance drone aircraft are hacked by insurgents in Iraq who intercept video feeds.

January 2010 Researchers warn that the Novatel MiFi portable router contains flaws that could allow an attacker to discover its GPS location.

March 2010 A former Texas Auto Center employee remotely attacks 100 cars equipped with web-based immobilization systems to set off horns.

July 2010 Stuxnet infects 30,000 Windows PCs in Iran in its search for industrial control systems.

August 2010 A malicious program targeting smartphones running Google’s Android operating system is detected.

September 2010 Researchers warn that certain HP printers could facilitate espionage due to a feature called WebScan.