Just when you thought it was safe
cmw.osdude 120000QT77 Visits (1879)
Today I got this article, "Spoiler alert: Your TV will be hacked". Essentially the author reminds us that as our televisions become Internet devices that they are prone to the same sorts of attacks that any computer could suffer. It's not just televisions, either. All so-called "smart devices" are basically computers and need the same sort of care.
In the author's case they were doing some white-hat hacking to see if they could exploit a television set-top box. The box was likely running a variety of Linux and did not give them many opportunities, but then they found a web server. The manufacturer had chosen an old open-source application which had been abandoned several years ago. There had been no patching of this application and at was vulnerable to several attacks. They were able to root the box and controlled the entire system.
In general, an exploit has to either be run by a user, like Trojan Horse sort of application, or it needs to be able to interact with running software that can be forced to misbehave due to flaws brought about by the humanity of its creators. In an embedded device it is unlikely that you will be running strange software, though as games and little plugins become more available for these things one needs to be careful about the pedigree of anything you add. The vulnerability of the embedded applications is more complicated. As a user you can choose not to install weird stuff on your device. You can't control the choices that the manufacturer made.
Think about the scenario in the article. The set-top box had a web server. Why? Perhaps this was a method to allow the cable company to interact with the system for updates and such. I don't know. If it wasn't critical to the function of the system it should have been removed. When something moves from development into prototyping and production any bloat fromt he operating system should be removed. Anything that is not required for function is a potential exploit. We may not know what it is at the time of production, but if it's discovered later then your system is vulnerable, all because of something that you didn't even need.
The second, more damning thing is this open-source web server. I don't have a problem with it being an open-source project. Obviously I encourage that sort of thing. The thing I found troubling was the fact that it was an obscure project that had been abandoned several years ago. Wow! Really? Perhaps it was an active project when development began and was abandoned later. If that was the case, then the manufacturer should have replaced that project with something that was more current. Everything will become vulnerable over time as exploitation technology develops. If it can't be updated it must be replaced or else its a lurking vulnerability.
I guess that brings me to my last thought on this. As all of our devices become "smart", there needs to be a solid way to update them regularly. Updating firmware should just be a part of our lifestyle. Of course, that capability adds another vulnerability in that if someone can hack the updating mechanism they can install their own software. As consumers we need to develop awareness of this sort of thing and be able to manage devices just like we check to make sure our doors and windows are locked. We need to not be annoyed by these things when they are necessary and look at them as a part of owning the device. At the same time, developers and manufacturers need to not shield their consumers from this necessity. I know that the prevailing wisdom is that consumers are lazy and not to bright... but I think that if they are trained on the importance of maintenance and the procedures are straight-forward then it will all work out fine.
Of course, if devices had more openness to them in general it would make it easier for white hats to come up with ways to protect them... but that's a whole other discussion.