I spent a fair bit of time doing stuff relating to voting systems,
which all have embedded systems.  (I am not one of the experts who
pulls them apart, lest anyone think I'm claiming credit for them.)
They are supposedly closed systems, but every time someone competent
has tried to attack them, they've been successful - even if there are
no published APIs or documents, all of them have attack surfaces.  It
might be something like the ability to insert a card in a PC slot (as
in the Princeton attack on Diebold touchscreen systems), a USB stick
(some of the UC Santa Barbara attacks - I think that was ES&S
touchscreen machines), Harri Hursti's attacks via a memory card on
Diebold optical scanners, Princeton's attacks via a proprietary memory
card on Sequoia systems, etc.  (There are others too - the machines in
my county use USB sticks and run Windows CE, so I believe they're
susceptible to even trivial attacks via an autorun.)  I also worked
with a team that did some attacks on another embedded system in a
voting machine, although we didn't get far enough to publish results
before we ran out of students to do the grunt work.

So I'd 1000% agree with Arian - not only is assuming you're safe
dangerous, but it's also wrong.

There are lots of attacks on other types of embedded systems - there
have been a few against electric power control systems, water control
systems, etc.  And there are more that haven't seen the light of
day.... I just heard about a very serious attack the other day that
hasn't ever made it into the news.

--Jeremy

On Thu, Aug 20, 2009 at 2:09 PM, Arian J. Evans <arian.ev...@anachronic.com> wrote:
> Rafael -- to clarify concretely:
>
> There are quite a few researchers that attack/exploit embedded
> systems. Some google searches will probably provide you with names.
>
> None of the folks I know of that actively work on exploiting embedded
> systems are on this list....but I figure if I know a handful of them
> in my small circle of software security folks - there have to be many
> more out there.
>
> Assuming you are safe is not just a dangerous assumption: but wrong.
>
> Specifically -
>
> One researcher I know pulls boards & system components apart and finds
> out who the source IC and component makers are.
>
> Then they contact the component and IC makers and pretend to be the
> board or system vendor who purchased the components, and ask for
> documentation, debuggers, magic access codes hidden in firmware (if he
> cannot reverse them).
>
> If this fails, the researcher has also befriended people at companies
> who do work with the IC or board maker, traded them information, in
> exchange for debuggers and the like.
>
> This particular researcher does not publish any of their research in
> this area. They do it mainly (I think) to help build better tools and
> as a hobby. (Several of you on this list probably know exactly whom
> I'm talking about. This person would prefer privacy, and I think the
> person's employer demands it, unless you get him in person and feed
> him enough beer.)
>
> If I were a bettin' man I'd figure if I know a few people doing this
> type of thing for quite a few years now -- there are bound to be many,
> many more....
>
> Not sure what list to go to for talks on that type of thing.
> Blackhat.com has some older presentations on this subject.
>
> --
> Arian Evans
>
>
>
> On Wed, Aug 19, 2009 at 8:36 AM, Rafael Ruiz<rafael.r...@navico.com> wrote:
>> Hi people,
>>
>> I am a lurker (I think), I am an embedded programmer and work at
>> Lowrance (a brand of the Navico company), and I don't think I can
>> provide too much to security because embedded software is closed per se.
>> Or maybe I am wrong, is there a way to grab the source code from
>> electronic equipment? That would be the only concern for embedded
>> programmers like me, but I just like to learn about the things you talk about.
>>
>> Thank you.
>>
>> Greetings from Mexico.
>>
>> _______________________________________________
>> Secure Coding mailing list (SC-L) SC-L@securecoding.org
>> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>> List charter available at - http://www.securecoding.org/list/charter.php
>> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
>> as a free, non-commercial service to the software security community.
>> _______________________________________________
>>