John, maybe like Dustin Sullivan, wonders if those who bring embedded systems are ready
It's the weekend, and 'War Games' is on some crummy channel on Surf-o-Vision. What looks more young and immature, Matthew Broderick or those stunningly ancient computer graphics?
I'm thinking over Dustin Sullivan's blog and my earlier blog and my current experiences with embedded computers. Many embedded systems are written, poorly, in cryptic C. Emphasis is on out-to-market fast, and secure comes later.
In other words, I'm looking at Mac OS 7.x and Win 9x, both full of security assumptions that hackers could drive a truck through.
I bought a new wireless router. It keeps usage down because it drops connections. I installed the new firmware. Nope, half the functionality that the Internet verifies doesn't work, still doesn't. I can't even reload my config file, so I decide to explore it.
Oh my, it's an embedded Linux, so half of the config file is viewable via strings or edit.com or even notepad. There's my carefully managed admin password, in plaintext. Later, there's my huge PSK, the one that keeps the wolves at bay, thanks to the wonders of WPA. OK, Seth Fogie, stop laughing. (He knows more about wireless security than most. Read his articles on WEP if you have any doubts that that system is worthless.)
My point? The conf file has a static file name. Any bit o' toxic web trickery that gets that file gets the winner on my LAN. So you go to WPA, choose a massive PSK, and it's all unraveled by Skippy the Wonder Engineer, pressured to get the device on the market in 'good-enough' shape. How's that gonna work when my ECU firmware updates come to my car in real time?
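A device owner can run the same check on an exported config backup before trusting it. This is an added example, not code from the original post: it looks for secrets the owner already knows, in plaintext and in keyless encodings (UTF-16, hex, base64), which goes a step beyond what strings shows. The backup layout, key names and secret values are constructed for illustration.

```python
import base64
import re

def printable_strings(blob: bytes, min_len: int = 6):
    """Yield (offset, text) for runs of printable ASCII, as strings(1) does."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(blob):
        yield m.start(), m.group().decode("ascii")

def find_exposed_secrets(blob: bytes, secrets: dict) -> list:
    """Return (label, form, offset) for each secret stored in a recoverable form.

    Hex and base64 are reversible without a key, so they count as exposure
    just like plaintext.
    """
    lowered = blob.lower()  # same length as blob, so offsets still line up
    findings = []
    for label, secret in secrets.items():
        raw = secret.encode("utf-8")
        candidates = [
            ("plaintext", blob, raw),
            ("utf-16le", blob, secret.encode("utf-16-le")),
            ("hex", lowered, raw.hex().encode("ascii")),
            ("base64", blob, base64.b64encode(raw).rstrip(b"=")),
        ]
        for form, haystack, needle in candidates:
            offset = haystack.find(needle)
            if offset != -1:
                findings.append((label, form, offset))
    return findings

# Constructed sample: a made-up backup layout with hypothetical key names.
SAMPLE_SECRETS = {
    "admin password": "Tr0ub4dor&3",
    "wpa psk": "correct horse battery staple",
}
SAMPLE_BACKUP = b"".join([
    b"\x00\x01CFG1\x00\x00",
    b"admin_user=admin\x00admin_password=Tr0ub4dor&3\x00",
    b"wpa_psk_b64=" + base64.b64encode(b"correct horse battery staple") + b"\x00",
    b"\xff\xfe\x10\x00",
])

if __name__ == "__main__":
    for offset, text in printable_strings(SAMPLE_BACKUP):
        print(f"{offset:#06x}  {text}")
    for label, form, offset in find_exposed_secrets(SAMPLE_BACKUP, SAMPLE_SECRETS):
        print(f"EXPOSED: {label} stored as {form} at offset {offset:#x}")
```

An empty result only means the known secrets were not found in these four forms; it does not show that the backup is encrypted.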
Security is more than raw technology. It's a way of thinking. Sure, this modem and so many other embedded devices have all the right security buzzwords. But actual secure handling of user input, of core config files, etc? Nah, that's waiting for the first Internet-borne virus strike.
Maybe we'll learn from past mistakes. Doubt it.