You see, the average hacker is only looking for a place from which to launch attacks, store warez, and play games. It doesn't matter to them if you see an IP address and think networked printer. They see ram and disk space. They don't care if it's a printer or a garage door opener. If it's running Windows, it's definitely fresh meat. It only gets better when it's your grandmother's Windows 98 machine that she leaves online over her dialup modem every night when she falls asleep in front of CSI:Sheboygan. (I know you've always wondered why her phone was busy at the oddest times.)
In the last several months, I've seen several different types of appliances compromised. I have been asked to evaluate the security aspects of some Internet-capable devices, and help devise solutions to their security issues.
Most of you are familiar with networked printers. They allow you to connect to them using TCP/IP so many people can share one centralized printer, saving money, space and supplies. There also are networked thermostats, networked door controllers and other networked devices. Most run some form of underlying Windows operating system. Occasionally, I work with companies using proprietary operating systems in their components.
One printer manufacturer, which enjoys a majority of the business market, sells networked printers that run on Windows NT. In and of itself, this is problematic, but when was the last time you saw an NT machine capable of auto-updates for OS security patches? For that matter when was the last time Microsoft delivered a patch for NT? The problem isn't so much when the patches are released, as when the owner of the printer rolls a monitor and keyboard over to the printer and plugs in to download and install the patches.
If it looks like a printer, acts like a printer and sounds like a printer, why should anyone think of it as a computer?
Unfortunately, on the Internet, it just looks, acts, and sounds like an unpatched NT system with default passwords. Oh, right... actually, there's no password at all.
The hacker in me is happy to upload my little ftp server with all my zipped warez files for my pals to trade around. Or I might load a little IRC chat bot that I can use to control other machines, so I can, for instance, launch distributed denial-of-service attacks. When they trace the attack back, it points to a printer, owned by a group of people who have no idea what a bot is.
And to boot, the little bit of memory needed for the Webpage and documents legitimate users have won't be adversely affected by my operations.
Other products boast proprietary operating systems as a means of securing the networked device. But a proprietary operating system offers little more protection. It only makes it more difficult to break into if the proper authentication procedures are set. If the vendor only supports unencrypted telnet or HTTP (and not HTTPS) then it doesn't matter. A little brute force dictionary attack of the root/login password and the system is there for the taking. This is of course, assuming there was a password to brute force in the first place.
Ease-of-use for the consumer, means ease-of-use for all consumers.
Don't Make it Too Easy
Up to this point, we've been assuming the hacker is remote to the network the appliance or printer resides on. If the intruder is physically proximate, and can sniff the traffic on the wire, it's a different game altogether. The attacker then simply needs to copy enough traffic to recover the passwords, since HTTP and telnet send their passwords in the clear (as does FTP).
One vendor suggested that rather than build an SSL component or an ssh daemon to go with their proprietary operating system, they could use a form of 'light encryption' to protect the data while in transmission. On the surface, this sounds like a reasonable alternative, except if you have an attacker motivated enough to sift through copied traffic to recover your passwords and gain control of your system. Then offering up the additional challenge of cracking your encryption algorithm is just making the game that much more exciting. Not only that but you've given him all of your systems up front.
(I'm thinking here that if you're not willing to invest in building an ssh daemon, you aren't going for any heavy weight elliptical curve encryption algorithm either. And I'm also guessing you won't use different cipher keys for different systems sold to different locations.) No, at this point, all you've accomplished with light-weight encryption is offer your clients a false sense of security.
The hazard of the proprietary operating system is that it lends a sense of security through obscurity.
If no one knows how our operating system works, then it can't be used for bad behavior. But the operating system still must be integrated into the larger networked world using well-defined traffic protocols. If those protocols aren't secure, or the passwords aren't well chosen, the propriety operating system looks just like every other piece of low-hanging fruit on the Interenet waiting to be exploited.
Proprietary operating systems have another disadvantage, as well.
In open source operating systems, there is a community of developers who work on projects that benefit everyone in the community. For example, an SSH daemon only has to be built once. (In reality it will be built several times to provide particular features or security measures that one group might wish to enhance more than a different set.) Once the particular protocol has been built, it's available to everyone who uses that particular operating system.
On the other hand, a propriety operating system has to have all the protocols written by those who have the source code and know how it works. This can be an enormous financial burden for the owner of the operating system. If you happen to be Bill Gates, you can throw your money away on bad implementations before you get it right. If you're a little guy, you can't afford to get it wrong, because, really, you can't afford to have to write the protocol in the first place.