Embedded systems vendors careless says Metasploit author One of the reasons we can't have nice things like a secure Internet is that vendors of consumer kit can't be bothered. That's the conclusion The Register reaches after listening to a presentation by HD Moore, author of Metasploit and now chief research officer at Rapid7, at the AusCERT 2013 security conference today. Moore …
They seem to believe that networks can somehow be secure, their TCP/IP stack is a custom one running on a microcontroller to small to run Linux.
The big problem is that we are used to having our systems designed by people who know about networking since they are experienced with some form of unixoid system. However there is currently a wave of new devices comming from people to whom the idea of a port-scanner is novel and undocumented protocols are secure... since nobody could exploit a protocol they don't know about.
The problem is, as long as there is nobody who does it right, we will never see any decent solutions.
Stats tell you the vast majority of "new" embedded widgets are leveraging both Linux and to a lesser extent the reference microcontroller implementation provided by the industry.
So to a certain extent the view is "port linux (which is probably already done) and put our stuff on it; ship". The time to market is quite short - so the QA and field test part of it is just missing.
The vendors quite quickly move onto a new product - possibly with an entirely different team developing the solution. So there tends to be a little amnesia in the corporate "memory" and each thing is a bit of a seperate miracle.
Some of our international students have very interesting things to say about how this stuff is actually done!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
