
Windows CE and ICS Security: A Ticking Time Bomb?

By Kirsten Doyle, February 28, 2025

Windows CE, a decades-old operating system originally designed for embedded systems, remains a crucial component of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments. 

However, despite its widespread use in human-machine interfaces (HMI), kiosks, and even vehicle infotainment systems, its legacy nature presents significant cybersecurity risks.  

Recent research from Claroty looked into Windows CE vulnerabilities and uncovered security gaps that could expose industrial and medical infrastructure to cyber threats. When the researchers examined an HMI panel running Windows CE, they found several weaknesses that could be exploited by bad actors.

Outdated, Unsupported 

One of the most pressing concerns with Windows CE is its outdated architecture. Microsoft has officially ended mainstream support for most versions of Windows CE, leaving many systems without regular security updates. 

This means vulnerabilities remain unpatched, making these systems easy targets for cyber threats like: 

  • Remote Code Execution (RCE): Unpatched vulnerabilities allow malefactors to execute malicious code remotely and take control of industrial systems. 
  • Denial of Service (DoS) Attacks: Attackers can crash or overload Windows CE devices, causing disruptions to operations in critical infrastructure environments. 
  • Weak Authentication Mechanisms: Many devices running Windows CE use default or weak authentication credentials, making them child’s play to exploit. 
  • Lack of Modern Encryption Standards: Older versions of Windows CE often do not support modern cryptographic standards, again putting them at risk of data breaches and unsanctioned access. 

Understanding the Vulnerabilities 

In their research, Claroty’s team built a simple Windows CE application to better understand the system’s vulnerabilities. 

One key issue is that Windows CE was not designed with today’s threat landscape in mind. Its embedded nature makes patching difficult, and many entities don’t have the resources or expertise to update or replace legacy systems.  

Consequently, attackers who identify exploits in these environments can use automated scanning tools to locate and compromise vulnerable devices. 

Mitigation Strategies  

While ripping and replacing Windows CE-based systems is not immediately feasible for many firms, there are steps that can be taken to lessen the risk:

  • Isolate Windows CE devices from internet-facing networks to reduce exposure.
  • Implement strict authentication policies and disable default credentials.
  • Use intrusion prevention systems (IPS) and endpoint protection tools to mitigate known vulnerabilities.
  • Deploy security monitoring tools to detect and respond to potential threats in real time.
  • Develop a long-term strategy to replace Windows CE systems with modern, supported alternatives.

Forever Vulnerable, Easy to Exploit  

According to Donovan Tindill, Director of OT Cybersecurity at DeNexus, the Windows CE operating system is a custom-built edition of Microsoft Windows that is trimmed down to only the basic features required for the hardware it runs on. 

“It allows faster development of solutions, as manufacturers can leverage parts of the Microsoft foundation. However, unlike full Microsoft Windows, the roots of Windows CE began with Windows NT/95 as far back as the 1990s. It has been replaced by Windows IoT, with support ending in late 2023. Like the VxWorks vulnerabilities of 2018, there are still devices like industrial switches/routers that run today and remain in operation. We can expect Windows CE devices to run reliably for another decade.” 

Tindill says anything discovered in a legacy operating system like Windows CE or older VxWorks is forever vulnerable and easy to exploit, meaning the only mitigations are compensating controls that limit access to the device, or replacing it.

“We worked with a customer with dozens of end-of-life Hirschmann switches that were critical to their operations, with VxWorks vulnerabilities. Located in hard-to-reach locations, it was over $10k per device to replace. Over half a million was estimated to replace them all, not because they are unreliable, but because they have a cybersecurity vulnerability and perform a critical function,” he adds.  

Prohibitive Costs  

In the industrial space, CE and VxWorks are found on HMI operator stations, switches, routers, medical devices, and more, explains Tindill. “It may cost more than double the hardware cost to replace if you include the labor for design, implementation, testing, and training that must go with it.” 

In practice, he says, asset owners struggle to find these vulnerabilities because discovery tools may have limited visibility. “If they are aware they are unable to patch the device, they must exert costs to apply compensating controls to reduce the risk. They are most likely to operate the device until its reliability comes into question and address the cyber risk when it is replaced.”

He says financial quantification of cyber risk can help justify replacing the device or implementing compensating controls. “Risk quantification can establish a baseline of the environment today with these vulnerable devices and monitor changes to risk as exploits become available or new vulnerabilities appear. Having a baseline allows simulating a what-if scenario of replacing the device. If the replacement cost is $500k, and the estimated losses due to downtime, regulatory, equipment damage, etc. can be reduced by $250k by replacing them, there is a financial offset of reduced cyber risk.” 

Oftentimes, says Tindill, the loss reduction exceeds the cost of the project (but not always). “Only with cyber risk quantification is it possible to have a business-level discussion like this to determine how much a vulnerable device like Windows CE or VxWorks is driving risk of loss for the company, and enable better decision making.”
