Description: Paul Asadoorian (from PaulDotCom, and Product Evangelist at Tenable (Nessus)) starts his session by explaining that he has a so-called .special affinity. with embedded systems. He still feels that most of these systems are more vulnerable than other systems, and often overlooked at the same time.
Maybe this can allow him to take over the world.
From a general point of view, you need Money, Power, and need to be stealthy when executing the plan to take over the world.
So, how can he use embedded systems to meet those goals and gain world domination ?
Video games, entertainment systems, wireless routers, printers and faxes?
It.s clear that you can make money off video games, entertainment systems (in a legal way). But if you are after making a lot of money, fast, then you need a more aggressive approach.
You would need to be able to manipulate the traffic/information that travels through these embedded systems. Information = power. and money.
A lot of embedded systems are used to control water, electricity and so on. So if you can control those, you haz power.
The .nice. thing, Paul continues, about embedded systems is that nobody really cares about them, unless their broken. A lot of devices have no mouse, keyboard, or logging for that matter. On top of that, some vendors (driven by cost & economics), had to leave out security features to make devices cheaper and faster.
Think .routers..
Finding the right targets is not hard. Look at wigle.net, find open access points, look at the vendors and ssids. and you.ll know what brand to focus on. Paul quotes wired.com when mentioning that more than 21000 routers were found, having their management website accessible from the internet, configured with a default username/password. Low hanging fruit, sitting ducks, easy targets, quick wins. Name it the way you want, but Paul has a point there.
Luckily, as someone in the audience mentions, newer models of router vendors block the administrative websites from the untrusted interface. Paul replied that you can still find a lot of older systems connected to the web. If someone can connect to it, change configuration, or even upload custom firmware, then he would be one step closer to world domination.
Technically, printers/scanners/multifunctionals could be used for espionage. What if you can connect to a corporate printer and show the list with documents that were printed.. or even get documents off the device & save them to your local computer ? Information = power.
Your list of options is almost infinite. so if you are serious about taking over the world, you know where to start.
The take-away from this session is
Perimeter control is important. Any time you connect a device to the net, make sure you know/understand what that means. Does it allow for remote management ? Turn it off ! If you cannot disable a certain potentially dangerous protocol, then either cross fingers, disconnect the device or buy a different device.
Change default passwords, even if remote management is not allowed !
Only use secure management protocols (yes, even if you are only managing the device from the inside)
Be aware of the embedded devices you use at home / at work and make sure they are not in a default configuration. If the device works by default, just by plugging it into the network. then beware.
Finalizing his session, Paul mentioned www.securityfail.com, a brand new wiki were people can share their .Security horror / fail stories., which should help forcing vendors to make those take-aways become reality. Not sure if vendors will actually care. we.ll see.
That.s it for today. I.ll grab some dinner and then head on to the lightning talks. In those talks, people are given a very limited/short timeslot to talk about a specific topic. It might/will be hard to blog about those posts, but if there is something that really stood out between the others, I will certainly update this blog.
If you want to get more info about some of the other talks as well, you definitely should check out http://blog.c22.cc/
Tags: securitytube , Brucon-2010 , Bru con , hacking , hackers , information security , convention , computer security , Brucon 10 , Brucon , Brucon 2010 ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.