207 thousand lights-out boxes are STILL hackable

Researchers have found 207,000 publicly-accessible Baseboard Management Controllers (BMCs) can be hacked with a "handful" of basic command and config flaws, despite previous warnings about the problem. The exposed devices were found during a global trawl of UDP 623 that netted 230,000 public BMCs, half of which ran holey 13- …

COMMENTS

This topic is closed for new posts.
  1. Howverydare

    "risks had been heeeded"

    Everyone should take heeed of any risks.

    1. Destroy All Monsters Silver badge
      Thumb Up

      Re: "risks had been heeeded"

      Heed on, gentlemen!

      1. Immenseness
        Pint

        Re: "risks had been heeeded"

        Reminds me of "Mine's a pint pal, and put a heeed on it or I'll put a heeed on you"

        Happy days!

  2. Destroy All Monsters Silver badge
    Big Brother

    One year after the Summer of Surveillance...

    Farmer was also highly critical of the protocol stating it was vulnerable by design and contained next to no documentation pointing users to ways to improve their security postures. This was tantamount to major server manufacturers 'harming their customers', he said.

    Do not assign to stupidity what can easily be explained by well-funded malice.

    1. Robert Helpmann??
      Childcatcher

      Re: One year after the Summer of Surveillance...

      Do not assign to stupidity what can easily be explained by well-funded malice.

      Hanlon's razor? "Never attribute to malice that which is adequately explained by stupidity," or more to the point, "Any sufficiently advanced incompetence is indistinguishable from malice." I think the latter covers the issue at hand.

  3. Roo
    Windows

    Here's a suggestion...

    * Vendors get busted for wilfully or negligently selling stuff that is insecure by design - and failing to notify customers / public in a timely manner.

    * People wilfully/negligently exposing said stuff to the internet *after* being informed about it being broken get busted.

    I think that all the legislation required is already there, plod/trading standards need to pull their finger out & enforce it... It's definitely possible - car manufacturers are already held to this standard.

    1. Destroy All Monsters Silver badge
      Pint

      Re: Here's a suggestion...

      People wilfully/negligently exposing said stuff to the internet *after* being informed about it being broken get busted

      60'000 sysops get dragged before the beak.

      DailyMailyMayhem ensues!

    2. Anonymous Coward
      Anonymous Coward

      Re: Here's a suggestion...

      "People wilfully/negligently exposing said stuff to the internet *after* being informed about it being broken get busted."

      12 million-odd PCs infected with malware in the UK, many of which will be consumer PCs. Are you saying security bulletins amount to informing people, and if so, have you ever met anyone outside IT who's read one? Should I make the arrests, or will you?

    3. Don Jefe
      WTF?

      Re: Here's a suggestion...

      Car manufacturers are only held to 'that standard' for a few safety related subsystems and for a limited amount of time. Same with medical devices.

      If you expect me to retrofit old products because issues are found way down the road, you've lost your damn mind. You have absolutely no concept of how much that would cost the end users. You realize that's who would pay right? It sure as fuck won't be me.

      It is the user's responsibility to upgrade their 'stuff' to reflect the evolution of technology, not the manufacturers. A perfectly sound product today can be rendered wholly unsafe/insecure tomorrow by new developments, the end user isn't entitled to functionality that prevents them from having to make investments in the future to keep pace.

      Now, just because what you've suggested is completely and utterly unreasonable doesn't mean you can't go out and establish a company that retroactively updates their products as a value added component of the purchase. Do try to buy the latest in equipment though. When you're selling your assets at year end I'll get them for pennies and get a couple of years good use out of them.

      1. Roo
        Windows

        Re: Here's a suggestion...

        "If you expect me to retrofit old products because issues are found way down the road"

        No, I expect vendors (I'm guessing the 'me' in the sentence above) to inform their customers that their stuff is broken, ie: don't hide the faults a la GM, Ford et al. ;)

        "You have absolutely no concept of how much that would cost the end users."

        Informing folks about the flaws in your products should not be a major expense, chip vendors publish errata. As a vendor you really should be tracking flaws, the information can be used to improve customer satisfaction and generate repeat/ongoing business.

        "You realize that's who would pay right? It sure as fuck won't be me."

        Sure, the folks who buy the gear, just as they do today...

        "It is the user's responsibility to upgrade their 'stuff' to reflect the evolution of technology, not the manufacturers."

        The suggestion is worded quite carefully. As we all know anyone (Yahoo, your grandfather etc) hooking gear up to the inet can be pwned, and while they may not give a fuck, other folks can and do get screwed over through no fault of their own (eg: smtp open relays, DoS attacks etc).

        The aim is to ensure folks are informed that the junk they're hooking up to the inet is broken by the vendor, and having been informed they will then have an obligation to make sure their junk is fixed/removed from the inet. As I said I suspect that we don't need new laws for this, it just requires a bit of education & enforcement.

  4. jake Silver badge

    Marketing is in charge.

    Engineering weeps.

    1. Michael Wojcik Silver badge

      Re: Marketing is in charge.

      In this case engineering is equally to blame, since - as the article explains - various versions of the protocol have gone from horrible to merely very badly flawed. We've seen this time and time again when the developers couldn't be bothered with security.

  5. Paul J Turner

    Maybe more wiring-related than protocol-related

    The linked article does say that baseboard management controllers provide out-of-band monitoring etc, so the problem is really people not keeping their management network separate or firewalled. Then the protocol can safely be horribly flawed, if no miscreant can access it.

    1. Flocke Kroes Silver badge

      Re: Maybe more wiring-related than protocol-related

      The turnip-brained idea was that IPMI could share the only ethernet connector on the motherboard with the internet connection to save money and reduce the number of cables. Add to that the fact that you are dependent on the vendor for security updates and you can see the disaster train accelerating hard towards the cliff. It could have been worse... Imagine what would happen if firmware upgrades required a digital signature from the vendor.

      1. petur
        FAIL

        Re: Maybe more wiring-related than protocol-related

        In that case, the related comment goes: why isn't their firewall blocking access to the IPMI port?

      2. James R Grinter

        Re: Maybe more wiring-related than protocol-related

        It does share the port, yes. It doesn't share the IP address, so it doesn't take much to realise that you can use a non-routed address range across your IPMI devices.

    2. pierce

      Re: Maybe more wiring-related than protocol-related

      That's difficult for single computers in an internet colocation environment.

  6. Caff

    logo

    But will anyone care unless this exploit gets its own logo and mascot?

    1. Destroy All Monsters Silver badge

      Re: logo

      Goatse?

  7. batfastad

    Open to the internet?

    Management stuff going into the same switch/LAN? Ooof. Left open to the internet? Wow, someone should get sacked for that.

  8. heyrick Silver badge

    What I worry about with home routers

    Mine is running the latest firmware. It dates from 2012. God knows how old the kernel actually is, but I'd reckon a few vulns have been discovered since then. And don't talk about my little DLink hub. It is old enough that it is firewalled from the internet using physical means.

    1. asdf

      Re: What I worry about with home routers

      All the more reason to verify openwrt or one of the other open source projects supports your router BEFORE you buy it. Yes, yes, I understand this is not an option for Grandma and many on here don't want to mess with custom firmware, but from what I see, at least in the home router space, it's the only way your router has any chance of not being trivial to pwn (all the major brands' firmware are garbage security wise and most performance wise as well). If you are super serious about security you will run OpenBSD or pfsense on a dedicated PC router between your home network and the intertubes, but the setup, fan noise and increase in electric bill are a bridge too far for most non nerds.

  9. Goat Jam
    Trollface

    contained next to no documentation pointing users to ways to improve their security postures

    hehe

    He says that like it's a bad thing.

  10. herman

    It's OK, they could have been using Windows POS and then they would have been as vulnerable as any cash register and ATM.
