Reports have surfaced about a group of vulnerabilities in the VxWorks operating system that impact more than 200 million critical devices. It appears that VxWorks is primarily designed for medical equipment, elevator controllers and satellite modems.
According to reports, there is a cluster of 11 vulnerabilities in the platform’s networking protocols, six of which could conceivably give an attacker remote device access and allow a worm to spread malware to other VxWorks devices around the world. The patching process is expected to be long and difficult, so the presenters will be sharing their findings at the Black Hat conference in Las Vegas next week.
This is not the first time a ‘long term’ vulnerability has been exposed in an underlying operating system, and unfortunately it won’t be the last.
In this case, it begins to show the pervasiveness of various systems and their widespread use across the globe and across organisations. The challenge we all have (either professionally or personally) is that we need to trust the devices we use, as we cannot understand how they work or the security implications of (un)known vulnerabilities. Pandora’s Box is open and there is no going back, but there needs to be better testing, including penetration testing of devices, to help (re)build assurance that in using them we are not compromising our companies, homes and persons.
While it is of consequence that a home router is compromised, it is of far greater consequence if medical devices or utility SCADA devices are compromised. Once discovered, there is then a need to patch the devices, but in many, many cases this is not possible for a number of reasons. The person responsible may not know about the issue, they may not have the skills to upgrade it or the time to do it in a timely manner, they may not have the money to change it, or the device may not be capable of being upgraded. In this case there are 11 vulnerabilities, one or more of which impact billions of devices – exploiting them could ultimately lead to loss of life, which makes ‘data loss’ look trivial in comparison.
Organisations need to look at which devices they have which are affected and put in place a plan to mitigate the risk. They should also inform their staff of the issue to help in identifying devices, and also so that they can check whether they have devices at home which need to be updated or replaced.
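As an added illustration of the "find what you have, then plan the mitigation" step (this is example code written for this article, not anything from the VxWorks vendor or the researchers), the script below reads an asset inventory, keeps only the VxWorks hosts, and ranks them by consequence of compromise, network exposure and whether a patch can actually be applied. The inventory lines, the column names, the criticality tiers and the scoring weights are all constructed assumptions; a real run would take the CSV from the organisation's own asset management system.

```python
"""Triage an asset inventory for VxWorks exposure and build a mitigation plan.

Everything below (inventory rows, column names, tiers, weights) is a
constructed assumption for illustration; it is not data from the advisory.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample inventory. "updatable" records whether the owner can
# realistically apply a vendor patch (skills, budget, device support).
SAMPLE_INVENTORY = """\
hostname,os,os_version,category,network_exposed,updatable,owner
infusion-pump-03,VxWorks,6.9,medical,yes,no,biomed
plc-substation-1,VxWorks,7.0,scada,yes,yes,ot-team
edge-router-12,VxWorks,6.8,network,yes,yes,netops
lab-printer-2,Linux,4.19,office,no,yes,it
modem-sat-01,vxworks,6.6,network,yes,no,netops
hvac-ctrl-7,VxWorks,6.9,facilities,no,yes,facilities
"""

# Assumed weighting: consequence of compromise first (medical and SCADA at
# the top), then whether the device is reachable over the network, then a
# bump for devices that cannot be patched and therefore need segmentation.
CATEGORY_WEIGHT = {
    "medical": 50, "scada": 50, "network": 30, "facilities": 20, "office": 10,
}
EXPOSED_BONUS = 30
UNPATCHABLE_BONUS = 10


@dataclass
class Finding:
    hostname: str
    score: int
    action: str
    owner: str


def triage(inventory_csv: str) -> List[Finding]:
    """Return affected hosts, highest priority first."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Match the OS name case-insensitively; asset data is rarely tidy.
        if row["os"].strip().lower() != "vxworks":
            continue
        score = CATEGORY_WEIGHT.get(row["category"].strip().lower(), 10)
        if row["network_exposed"].strip().lower() == "yes":
            score += EXPOSED_BONUS
        if row["updatable"].strip().lower() == "yes":
            action = "schedule vendor patch"
        else:
            # No patch path: reduce reachability now, plan replacement later.
            action = "isolate/segment now and plan replacement"
            score += UNPATCHABLE_BONUS
        findings.append(Finding(row["hostname"], score, action, row["owner"]))
    findings.sort(key=lambda f: (-f.score, f.hostname))
    return findings


def plan_by_owner(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the ranked actions by the team that has to carry them out."""
    plan: Dict[str, List[str]] = {}
    for f in findings:
        plan.setdefault(f.owner, []).append(
            f"{f.hostname}: {f.action} (priority {f.score})"
        )
    return plan


if __name__ == "__main__":
    for owner, items in plan_by_owner(triage(SAMPLE_INVENTORY)).items():
        print(owner)
        for item in items:
            print("  -", item)
```

The ordering deliberately puts an unpatchable, network-reachable medical device above a patchable SCADA controller: where patching is not an option, the plan has to fall back on segmentation and replacement, and those hosts need attention first.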
Recent disclosures about vulnerabilities in VxWorks highlight the critical importance of a proactive approach to security.
Discovering critical vulnerabilities after product release is expensive, to say the least. Imagine the cost of patching the operating system on 200 million devices worldwide. Not all devices will be patched, and not all will be patched fast enough to avoid being exploited, so add to that the costs of compromises and breaches.
By contrast, had these vulnerabilities already been discovered and mitigated during product development, the cost to all involved would be zero.
From a product development perspective, a secure development life cycle, including static analysis, software composition analysis, and fuzzing, results in a safer, more secure, more robust product. Every vulnerability that is located and squashed during development might mean millions of dollars saved.
From a supply chain perspective, giving your component suppliers proper scrutiny leads to lower risk for your product. Asking questions about secure development and security testing can give you a way to evaluate the risk of software components. Performing your own security testing on components gives you a more complete picture, and could give you leverage to work with suppliers to improve security.
Legacy systems that were developed without stringent security requirements are turning into a hunting ground for vulnerabilities. While these systems were at one time difficult to obtain or test, the proliferation of the internet and connected devices has removed that barrier. Specialized systems are becoming more exposed, and this will inevitably lead to new vulnerabilities being discovered and published.