
SANS Internet Storm Center (ISC) InfoSec Forums


"There's a Patch for that" (or maybe not)

Yesterday's story on delayed patching or situations where patching is blocked by policy created a lot of discussion, and I thought it was worth another go, from a different perspective.

There are lots of things we use daily that have an OS, applications and security issues that we NEVER patch. Sometimes because we don't think of it, sometimes because we are denied by regulations. Very often we don't patch them because the manufacturer treats them as throwaway devices - there simply are no patches.

What especially brings this to mind is that after yesterday's story, I was explaining the concept of "malware" to my son (he's 10). My explanation was that it was software that someone wrote to make a system do something that it wasn't intended to do. Pretty much straight out of my SEC504 notes, come to think of it (thanks, Ed!).

Anyway, that brought a few examples to mind - I'll list a few:

Windows (and other) hosts in the Pharmaceutical industry:

Machines used in pharmaceutical manufacturing need to be "re-certified" after every change. This confuses me somewhat, since the owner of the unit defines the testing procedure for re-certification (things like "copy a file, do a transaction", etc.), so it should be easy, right? Long story short, this recert process tends to freeze things in time on devices that are directly involved in the manufacturing of pharmaceuticals. I cringe whenever I walk past that Windows 95 machine at one customer of mine.

Embedded LINUX (and *nix) OS devices:

We tend to think of these the same way we think of light switches, but in most cases they run a full Linux OS. Nothing too critical, you know, trivial things like elevator controls, security cameras and HVAC (Heating/Ventilation/Air Conditioning) systems come to mind, for instance.

Embedded Devices in Healthcare (both Windows and Linux)

Again, we think of these as devices rather than computers: things like IV pumps, controls for X-ray and CAT-scan machines, ultrasounds and the like. There have been very public disclosures (and responses to yesterday's post) about Conficker and other malware running on gear of this type, and as far as I can tell neither the manufacturers nor the regulators are too excited about it. I think they should be; the hospital system administrators sure aren't happy about it.

Prosthetics are getting more and more complex - huge advances in prosthetic limbs, hearing and sight aids all involve computers embedded in the device.

And even simple devices like pacemakers are re-programmed remotely (and wirelessly). When my dad told me how cool getting his unit re-calibrated was, I couldn't help but see the down side (but didn't discuss it with him). Do you want to take bets on how many heads of state, or CEOs for that matter, have a pacemaker? Or how much a well placed "cardiac incident" might influence global or financial affairs?

It's a good thing that there's no direct transport for malware across the silicon / carbon unit boundary. One day we'll go to the hospital for a simple procedure, and instead of worrying about MRSA or C. diff, we'll worry about catching CONFICKER-YYZ instead!

And a lot closer to home ... Did you drive to work today?

Aside from your entertainment system, your car has a fully documented, >>unsecured<< network and operating system with an open and documented API (google "OBD-II" sometime). Even better, by law this unsecured network and OS has a wireless link in it (your tire pressure sensors are short-range, remotely activated wireless transmitters). No risk there if someone else started a remote control session on your car between the house and the grocery store. This might seem over the top, but not by too much.

We talk about protecting our nation's critical infrastructure, but I think we're missing the boat on loads of critical infrastructure that doesn't involve generating electricity, pumping oil or running water systems. Remember that definition of malware above, and remember (not too far back) that STUXNET was targeted and written to make nuclear plant systems behave in exactly that way: "to make a system do something it wasn't intended to do".

I think we don't need to think much harder to make a long, long list of critical systems that we'd have a hard time dealing with if they stopped working properly.

Again, I invite you, our readers, to comment: describe any devices or systems that we deal with on a daily basis that we wouldn't normally patch or update, or cannot patch or update. Extra points for critical-type devices, but if your toaster has a USB port that's sure interesting as well (I want one!)

=======================
Rob VandenBrink
Metafore

Manufacturosclerosis - Where the recertification costs cause a hardening of the workflow despite the fact that equipment replacement and restructuring the operation could deliver more efficiency and better quality.

Saw it completely close an aerospace operation. The FAA-required recertification costs were too high and it was easier to just close the operation than retool. This of course drives up the prices so someone else can afford to upgrade their operation.
Anonymous
Mobile phones are particularly irritating to me right now. Providers who insist on their customized UI (and the preinstalled marketed applications that come with it) on top of the phone's native OS. If a vulnerability is uncovered, the OS vendor may have a patch in very short order. The wireless provider may take months. Some users may subvert the system, but the majority of users will not, and will continue to be vulnerable all the while. As more and more information (financial and otherwise) becomes commonly available on phones, that sort of system cannot survive.
Anonymous
Smart meters (http://en.wikipedia.org/wiki/Smart_meter) are almost wide open, are wireless in 2 different ways, both ZigBee and 2-way RF, and are networked. They have the capability to remotely turn off the residence/business they are attached to. It's not too big a stretch to see a virus/trojan that spreads unattended meter to meter, shutting off whole cities. These are being deployed worldwide and have little if any thought to security.
Anonymous
Having worked in the pharma industry, I can tell you that the validation process can be especially difficult, time consuming and costly, and many times unavoidable given FDA regulations.

The other situation I find troubling is the "if it ain't broke, don't fix it" mentality. Patches usually encompass security fixes, bug fixes and performance improvements. My preference is to always be running at the latest versions but some people feel otherwise. Would be curious to hear the general consensus of others.
Anonymous
While OBD-II is documented for diagnostics, many of the rest of the car systems are not.
Though it doesn't take much... cars can be completely pwned. See the IEEE papers attached to this article http://www.gizmag.com/vehicle-computer-systems-hacks/15156/

I flinch every time I see one of these TV ads where the car is unlocked or controlled from a cell phone.
dave
Thanks for the follow up and great information, Rob.

@Dave..... I, too, cringe at the car commercials. :)
dave
Oh man--a Stuxnet aimed at world leaders' medical implants. Someone is probably working on it, too. If you're looking for an idea for a spy novel, it might work. "Day of the Pacemaker."
John
I can tell you from a consulting gig I just finished that at one power company, the SCADA systems were awful. Windows servers running W2K SP-nothing. We had a virus outbreak and it sought out an old vulnerability that was present on the W2K servers (only about 70+). When I was called in to manage the incident, the AV DATs were a little over a year old. The plant managers considered DAT updates "modifying the system" and fought them tooth and nail. One final note: these boxes used local accounts so the plant staff would not have to change passwords and could log in during the night shift so they could surf the web.

The SCADA boards have a web server on them. It looks like Linux when you telnet into the interface (SSH not supported). No patching these web servers, which, mind you, do not support SSL/TLS, only good old HTTP. These controller boards can shut down the steam turbines.
John
Final note, since we are talking about patching. The sheer number of patches being released for Blu-Ray players is astounding. I think the QC at Samsung is questionable. Also, Onkyo now has Ethernet ports on the receivers so firmware can be downloaded. I never thought I would be patching my receiver after my PS3, Xbox and Blu-Ray player.
John
Speaking of pacemakers being pwned. Rain Fall by Barry Eisler has an assassin using his PDA to control the output of a pacemaker in his target, which results in the target having a heart attack. This from a novel printed in 2003.

The real problem here is that even now, so many companies still don't consider security a high priority in network and computer operations. Plus the fact that the general populace doesn't really care, unless they have their ID or money stolen.

It is a major battle to get people to take security seriously.
Rojiru
The State of Minnesota is delaying deploying patches indefinitely. Almost all the IT workers have been laid off. The ones that are still working are doing the minimal stuff to keep computers running for those who provide safety-of-life support. That does not include deploying updates, so almost all the engineers are now collecting unemployment.

Although, they weren't doing a great job of this in the first place. Most agencies lack the IT staff to keep all Microsoft security patches deployed to an acceptable percentage, so you can forget about patching Flash, Reader, QuickTime, and any other third-party plug-ins. Luckily, there aren't any IT Security staff around to notice as the systems get eviscerated.

If a tree falls in the woods and hits a poor person, does the MN Legislature care?
Rojiru
Hopefully there are fewer of them in the wild now, but several years ago parts of our corporate WAN were brought to their knees by an infected, Windows-based and highly expensive VoIP-enabled phone switch.
Rojiru
