Recently I had the opportunity (privilege actually) of writing an article for INSECURE Magazine which appeared in issue 14 and is titled “Attacking Consumer Embedded Devices”. It covers reasons why you would want to attack embedded devices, the goals of exploitation, example vulnerabilities and exploits, discovering vulnerabilities, and finally defense.
In researching and writing this article I had some thoughts that I will share (for those still reading this posting and not INSECURE magazine issue 14 :). First, its somewhat sad that the security industry as a whole is heavily focused on vulnerabilities and exploits, instead of attacks methodologies and protection of information. I think that far too many vendors, and the community as a whole, puts too much time and effort into what ultimately boils down to software bugs/vulnerabilities. I know this is true because so many times I go into the first meeting with a customer to discuss a security assessment and they automatically think that I should just be scanning the network for vulnerabilities. When in reality their organization, and most importantly their information, may be at risk due to other insufficient security measures such as poor physical security, end-users that will click on anything, and weak passwords. None of those problems can be solved by the latest and greatest intrusion prevention system, firewall, or vulnerability scanner. The best example that I can give is in the form of a question, if you can entice users to click a link and install software, why do you need a vulnerability to be present? This idea was underscored in “Tactical Exploitation” by HD Moore and Valsmith. I believe this is some of the most signifigant research/presentation to come out of the latest onslaught of conferences, including Blackhat, Defcon, and Toorcon.
So go check out this months INSECURE mag, and remember that software vulnerabilities are but a small part of the problem we must face as security professionals.