Even the lifts are listening

By on
Even the lifts are listening

When did you last check the security of your door-control system, wonders Gunter Ollmann

Every day, networking kit gets faster and easier to manage. If a device has room for a network connection and costs more than £60, it probably has its own web server and can be remotely managed by an ever growing range of tools. This all great for centralised management, fantastic for a bit of mischievous tinkering or hacking – and a security administrator's worst nightmare.

In the "good old days", an onsite infrastructure assessment for a medium-sized organisation would yield a few hundred workstations, a dozen servers and a firewall – each running a few services that were only vulnerable to attacks that had probably only been disclosed since the last major patch release.

Today, we expect another two dozen network appliances, almost every one running multiple "manage-this-manage-that" services, and each one vulnerable to its own unique suite of attacks.

These new "managed" network-aware appliances come in a variety of guises. What was once a dumb hub, is now a managed switch running web services, telnet, SSH, FTP, TFTP, SNMP, syslog and even its own mail service so it can email the administrator if the cooling fan overheats.

But while it's great that you can log into the corporate ISDN telephony control system over HTTPS and configure it using one of ten levels of user access, it's a real problem if you're responsible for network security.

For organisations that don't regularly scan their networks with port scanners or vulnerability assessment tools, it's unlikely they even realise they have so many devices listening and waiting for network-based administration.

In far too many cases, some of their most critical network infrastructure has been deployed with out-of-the-box configurations running services they never expected, along with blank or default passwords, ripe for the picking by any inquisitive staff.

Many of these appliances are now so sophisticated they run their own instance of a mainstream operating system; when scanning them from a network perspective, there is nothing to differentiate a Linux-based multi-function printer from a business-critical file server.

Here's a recent example of the kind of problems that I come across during consulting engagements. Only after having gained root on the system, and asking a confused network administrator what the IP address actually belonged to, did we discover that we had full control of the building's door-entry system.

Then, having cracked a few bad passwords, we were soon able to compromise another mystery device – this time, the controller for all the building's lifts.

While the "business critical" hosts were fully patched and secured, these additional – unknown – systems were not. Most were running operating systems many years out of date, but could be patched (once administrators located which cupboard they were in, or which desk they were under), but a few could not.

Some of the devices that couldn't be patched by the network administrators included their large multifunction printers and the lift system. These required third-party engineers to come onsite and apply the latest updates. A few of the printers even needed processor boards to be physically replaced.

Perhaps many of these systems should have been classed "business critical" earlier on. Certainly, the obvious safety threat of tampering with the lift's programming was of great concern. The ability to take over all networked printers and shut them down could have caused great problems – especially if it would have taken a service engineer to replace the hard-drives.

To date, it's been unfortunate that in all the consulting engagements where we were able to compromise intelligent fax-printers, we haven't had time to take full control of any built-in modem functionality. But one day we'll have more time during an engagement (or a client will commission us to do just that) and we'll be able to convert one into a remote-access server. That should give the client's security department a scare. Then again, perhaps someone less ethical has already done that to their intelligent fax-printers. After all, when was the last time they checked?

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?