Security experts have warned about the security of embedded devices and their potential for use by attackers to hack into systems and steal sensitive data, but until now the scope of the problem has been unknown.
Researchers at Columbia University's Intrusion Detection Systems Lab have identified tens of thousands of vulnerable embedded devices. The list of devices prone to attack includes home routers, video conferencing units, webcams and print servers. They estimate that globally millions of vulnerable devices are connected to the Internet and open to remote attack.
The Columbia University team scanned 200,000 IP addresses on the networks of Internet service providers in North America, Europe and Asia, and catalogued popular network appliances accessible over the Internet. The initial results found more than 755,000 devices remotely accessible on the Internet and more than 60,000 open to remote attack.
First reported in Wired News, the study began last year with a focus on consumer devices such as home routers, but the researchers say their initial data also shows vulnerable devices in enterprise networks. The study found enterprise devices more secure than VoIP or consumer devices: the vulnerability rate of enterprise devices was 2.4%, compared to 41.6% for consumer devices. Even so, the researchers warned that businesses are at risk.
"This is certainly a threat to business," said Ang Cui, the researcher who developed the study. "Enterprise equipment is an interesting case. Although we found fewer instances of open routers, the vulnerable devices are found in more critical parts of the network like edge routers, IPSec VPN gateways and call managers."
Security experts have warned about the prevalence of holes in IP-enabled devices. Printers, security cameras and even vending machines that accept credit cards are potential targets. The non-traditional devices should be covered by network security policies outlining the use of such devices. Network scans can be conducted to discover devices opening the network to potential attack. At a minimum, security experts say business units should know to change default passwords and keep device software up to date.
Cui said the study will start to focus scans on enterprise networks to get a clearer picture of how vulnerable enterprises are to embedded device holes. For example, Cui said a misconfigured Cisco router would not only give access to internal networks, but would also likely contain other administrative credentials used across the enterprise.
"In this case, the compromise of a single router can have much more impact than the compromise of an average workstation," Cui said.
More countermeasures need to be developed to defend against attacks targeting embedded devices, Cui said. So far little research is being conducted, he said.
"This is an area where the exploitation techniques are quickly maturing, while countermeasures are not being developed," he said. "It's likely that we will need to seriously consider antivirus-like products for embedded devices in the near future."
The study, "Brave New World: Pervasive Insecurity of Embedded Network Devices," was overseen by Salvatore J. Stolfo, a computer science professor and director of the Intrusion Detection Systems Lab at Columbia's Fu Foundation School of Engineering and Applied Science. The lab is sponsored by the Defense Advanced Research Projects Agency (DARPA), the Department of Homeland Security and other federal agencies. The report was written by Stolfo and co-authored by Cui and fellow graduate students Yingbo Song and Pratap Prabhu.