Depending on your perspective, Ruxcon 10 might have been devastating or inspiring. No matter who you were, it was interesting.
Alec Stuart-Muirk’s Cisco ASA talk demonstrated a series of serious, exploitable vulnerabilities in the company’s flagship network security devices. While Cisco has released a patched operating system for the devices, it has only just become available. Many attendees were sending urgent messages to their NOC teams alerting them to upgrade.
While the existence of remotely exploitable bugs granting administrative privileges is bad, it was the nature of the bugs that added insult to injury: unsanitised URL parameters leading to arbitrary privileged code execution. Cisco should know better.
If we’re discussing simple classes of vulnerabilities that keep showing up, Ricky Lawshae’s talk on UPnP and SOAP showed that pushing devices out the door quickly and with as many features as possible trumps security practices almost every time. Unfortunately, the devices being pushed out are going straight into people’s homes and businesses, and terrible implementations of these protocols exist on most consumer electronics with a network port, from TVs to network routers. With very little motivation for manufacturers to patch their products, it looks like we’ll be in for a very rough future from the products already deployed, let alone those still to come to market.
Finally on my list of highlights were two talks on vulnerabilities in RF products, including baby monitors, home security systems, and car alarms/immobilisers. Deliberate security features on these systems ranged from none to not great. When you consider that in the case of home and car alarms the system in question is itself a security system, the stakes are raised. As in so many security fails before, the designers of these products failed to anticipate who could, or would, interact with their products. Where security features were added (in the car alarm, for example), it was done poorly, with predictable codes and the apparent discovery of a backdoor code.
What are the big takeaways from the conference?
First, security vendors sell products (from baby monitors to enterprise grade firewalls) that have exploitable vulnerabilities. If that product is your only, or major, line of defence, you’re going to have serious problems.
Secondly, new categories of products are coming to market faster than developers can secure them. There is still a lack of proper incentive for manufacturers to sell secure products, so they go to market with little to no security. Unfortunately, we still buy these products, so the only incentive is to keep making more without learning from their mistakes.
Unfortunately, these flaws are hurting us, and will continue to hurt us as consumers (both individual and business) for as long as we continue to use these products. Worst of all, most people don’t know the products they have bought have such serious flaws, don’t understand the massive implications of using such a device, and even if they did, have no opportunity to do anything about it. They either don’t know what to do, or can do nothing because the manufacturer won’t release patched firmware.
It’s not fair, but right now, this is our reality. Consumers must continue to demand better (and enforce these demands with their wallets). Conferences like Ruxcon provide a valuable platform for security researchers to inform the world about their work, and with that information, help us make better decisions about the products we buy and use in our lives.