Embedded Operating Systems
First Published: X-Force Monthly Magazine

Each week, as we sit and watch the news, we hear about the latest security vulnerability or worm that places our computer at risk. The story has been repeating itself for over a decade — with only the names changing on a weekly basis. Worms such as Slammer or vulnerabilities like Microsoft’s RPC DCOM have been consigned to the distant past and are now only referred to as case studies in computer security — after all, they are “ancient” and the flaws were fixed a long time ago.

Only the most naive organizations fail to ensure that all their desktop and server systems are patched on a regular basis. Whether they patch once a month or once a year, surely they do not have to worry about vulnerabilities that are several years old?

Unfortunately, and this may be a surprise to some people, there is no such thing as an old vulnerability or a dead worm.

While our desktop and server systems are typically in good shape, the same cannot be said for all the other devices around us. Nowadays, if a piece of electrical equipment costs more than a few hundred dollars, you can pretty much guarantee that it can be connected to something else, has a management interface, can send and receive data, and almost certainly has its own embedded operating system. Think about it — just look at a multi-function laser printer fax machine.

What does this mean — should I be worried about these embedded operating systems? In a nutshell: yes.

Let us examine that ubiquitous multi-function printer (MFP) — the bastion of productivity — accounting for a quarter of all the networked devices in a typical office. Most MFPs run a Linux or BSD operating system to provide basic services such as printing, faxing, scanning, document management and storage. With some higher-end MFPs, you can scan a document and get it e-mailed back to you automatically. To provide these services, an MFP will typically have hundreds of gigabytes of data storage (both RAM and hard drive), a very fast processor, networking connections (both wired and wireless) and a fax/modem connection — basically becoming a server. One thing you will not find on it, however, is a CD-ROM drive. So if the MFP is running an embedded operating system, how do you harden it or even apply patches?

The same problem applies to almost all embedded operating systems. If you are lucky, the manufacturer makes available Flash-based updates to the devices, which may or may not include security fixes. Otherwise you may have to rely on a technician with a screwdriver.

The problem compounds itself if you are not aware that the device actually has an embedded operating system. For example, a well-known British retail banking organization discovered that it had a Blaster worm outbreak last year, due to vending machines connected to the corporate network so employees could use swipe cards to pay for snacks. Similarly, the elevators in most “smart” buildings contain networked services for remote management (e.g., between 6 a.m. and 10 a.m. the lift should wait at the 1st floor, and between 4 p.m. and 8 p.m. the lift should wait at the 5th floor). They are almost always forgotten about — thereby missing several years of patches — but are easily found by network-scanning worms or in penetration tests. Once they are compromised, beyond the annoyance of the elevators not working (which happens frequently — just ask any of the Las Vegas hotels that have ever hosted a hacker conference), people’s lives may be in danger.

Perhaps the most disturbing threat from embedded operating systems can be found in hospitals and surgical wards. Most “cutting edge” equipment in these facilities runs very old mainstream operating systems, which are extensively networked but often missing several years’ worth of security patches due to regulatory issues (which are in turn linked to insurance coverage). Speak with some of the senior IT security people within these hospitals and you will hear stories of how a 3-year-old worm shut down vital equipment in the middle of surgery, killing the patient, or how wireless hackers interrupted their network, which caused a heart monitor’s emergency “flat-line” message to never reach the nurse. So much for a non-newsworthy computer virus being a nuisance — next time your life may be on the line!

What can be done to protect these embedded operating systems? This is an area core to ISS — it is our Virtual Patch™ protection strategy! Every single blocking signature in our products extends this protection, and is also one reason why we do not remove or deprecate our signatures — unlike several of our competitors. No one provides better embedded operating system protection than ISS.

Copyright 2001-2007 © Gunter Ollmann