Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Operating Systems Software Technology

200 Million Devices -- Some Mission-Critical -- Vulnerable To Remote Takeover (arstechnica.com) 46

An anonymous reader quotes a report from Ars Technica: About 200 million Internet-connected devices -- some that may be controlling elevators, medical equipment, and other mission-critical systems -- are vulnerable to attacks that give attackers complete control, researchers warned on Monday. In all, researchers with security firm Armis identified 11 vulnerabilities in various versions of VxWorks, a slimmed-down operating system that runs on more than 2 billion devices worldwide. Billed collectively as Urgent 11, the vulnerabilities consist of six remote code flaws and five less-severe issues that allow things like information leaks and denial-of-service attacks. None of the vulnerabilities affects the most recent version of VxWorks or any of the certified versions of the OS, including VxWorks 653 or VxWorks Cert Edition.

For the 200 million devices Armis estimated are running a version that's susceptible to a serious attack, however, the stakes may be high. Because many of the vulnerabilities reside in the networking stack known as IPnet, they can often be exploited by little more than boobytrapped packets sent from outside the Internet. Depending on the vulnerability, exploits may also be able to penetrate firewalls and other types of network defenses. The most dire scenarios are attacks that chain together multiple exploits that trigger the remote takeover of multiple devices. "Such vulnerabilities do not require any adaptations for the various devices using the network stack, making them exceptionally easy to spread," Armis researchers wrote in a technical overview. "In most operating systems, such fundamental vulnerabilities in the crucial networking stacks have become extinct, after years of scrutiny unravelled and mitigated such flaws."
VxWorks-maker Wind River says the latest release of VxWorks "is not affected by the vulnerability, nor are any of Wind Rivers' safety-critical products that are designed for safety certification, such as VxWorks 653 and VxWorks Cert Edition used in critical infrastructure."

Wind River issued patches last month and is in the process of notifying affected customers of the threat.
This discussion has been archived. No new comments can be posted.

200 Million Devices -- Some Mission-Critical -- Vulnerable To Remote Takeover

Comments Filter:
  • by gweihir ( 88907 ) on Monday July 29, 2019 @05:48PM (#59008942)

    That is what is needed for the decision makers. Hired cheap coders with no clue about security? Did not pay for a competent external review? Though you could do things on the cheap? Got to jail!

    Nothing else will help.

    • by gweihir ( 88907 )

      I see I have acquired an entourage of cowards. Indicates nicely that what I say has merit. Some people are incapable of tolerating that.

  • The Mars rovers run on vxworks.

    VROOM VROOM.

  • Comment removed based on user account deletion
  • sitting non-firewalled either on the Internet or inside a corporate intranet?

  • In a lot of their telco Gear. Meaning the Cards in NGN telephony switches, mobile network equipment and in some routers.

    Some of you may say that those are backdoors planted by the USoA in Chinese equipment.

    Others may say that this gives the chinese plausible deniability if some spying is seen in afected equipment.

    In any case, I just tought the /. crowd would find that fact interesting.

  • by aberglas ( 991072 ) on Monday July 29, 2019 @06:32PM (#59009182)

    I am applying my patches from the internet.

    If you isolate the devices from the internet, then how will they be able to apply their monthly security patches in order to stay secure? And as Stuxnet showed us, an air gap is certainly not sufficient, so all devices need their monthly patches.

    The only alternative would be to keep the devices simple enough to be truly secure. And not use the C programming language. Both of which are unthinkable.

    • And as Stuxnet showed us, an air gap is certainly not sufficient, so all devices need their monthly patches.

      If you are at the level where you are the target of an attack like Stuxnet, you better also have an armed guard at each of your entrances watching out and have your data center in a secret bunker underground. Because before the US put resources into Stuxnet, they sent an assassin to kill the lead scientist on the project.

      In other words, Stuxnet is not a practical threat.

      • Well, it wasn't practical ... until the US government graciously donated all the necessary RND resources and leaked the final product to the Internet. The centrifuge-specific parts aren't terribly reusable, but the framework and detection algorithms they power could definitely be reused elsewhere, and probably already have been at this point.

    • I am applying my patches from the internet.

      If you isolate the devices from the internet, then how will they be able to apply their monthly security patches in order to stay secure? And as Stuxnet showed us, an air gap is certainly not sufficient, so all devices need their monthly patches.

      Internet access is not an all-or-nothing proposition. If the critical infrastructure is isolate to separate vlans, or totally separate switching hardware if necessary, it can be limited to only communicating with known internet servers. You can set up a private patching server or apply your patches manually. Manual patching is not likely to be feasible for any environment larger than a couple of machines. Air-gapping also means disabling removable media, WiFi, Bluetooth, etc. Then remove any speakers s

  • IOT elevators, the Big Ticket to Nightmareville. Imagine if some riff-raff locks millions at the same time. There won't be enough fix-it crews to go around, meaning you could be trapped for several days.

  • This isn't remote takeover -- but sounds like you'd go mad if you tried.

    I was at Sonic today for lunch, and the manager was outside running off customers. More to the point, he was telling them their systems had all crashed and it would take 5 minutes before they could even take their order. I saw 2 of them drive off. But I told him I could wait, and would block the drive-thru speaker until they got up. Put my blinkers on and waited.

    We chatted for a few seconds, and I remarked jokingly, "Wow, Windows
  • Windows again. It's abundantly clear that that's what we're talking about, right? In my humble opinion, using Windows in a medical device should be a firing offence together with criminal prosecution for negligence.

    • Windows again. It's abundantly clear that that's what we're talking about, right? In my humble opinion, using Windows in a medical device should be a firing offence together with criminal prosecution for negligence.

      Yah! Microsoft astroturds denying reality. Downmodding won't make it not true.

  • they can often be exploited by little more than boobytrapped packets sent from outside the Internet

    There's a computer network outside the Internet?!
    <Neo>Whoa...</Neo>

  • Comment removed based on user account deletion
  • Because it's used in some Volkswage nav products. That makes it REALLY interesting.
  • great very useful article it is bollywood news [news24online.com]

Science is to computer science as hydrodynamics is to plumbing.

Working...