Sunday, September 28, 2014

Embedded Zombies

I have decided to coin a new term: embedded zombies. The security field has largely concentrated on IT devices: laptops, servers, phones.  But we have recently seen several examples of ways to hijack devices with embedded processors. These embedded zombies can then be used to attack IT systems, cyber-physical systems, IoT systems, you name it.

The shellshock bug is the latest example---see Bruce Schneier's blog post. Shellshock is a bug in the bash *nix shell.  It endangers *nix-based IT systems, such as Apple machines.  But since many embedded devices, ranging from the networking equipment that runs the Web to consumer devices, also run *nix and bash, those systems are in danger as well. A few months ago, researchers Karsten Noll and Jacob Lehl showed how to hijack the processors on USB devices. Once again, the zombie USB device can be used to attach IT, cyber-physical, or embedded systems.

A system is only as secure, private, and trustworthy as the lest secure/private/trustworthy component. Given the complexity of even simple, cheap systems, we have to limit our trust in  just about every system.