Security of Internet Appliances

In years past, embedded devices were programmed with very limited hardware (slow cpus, not much memory, and little storage) that tended to be very proprietary. If a device was intended to be a camera, or a copier, it was purpose built, in terms of its firmware (embedded software), to do just that task.

Even if an attacker could guess a password or exploit the unpatched firmware to gain access, it was very hard to modify the device to do anything other than what it was intended to do by the manufacturer.

Hardware appliances these days are very different in nature. Often, they are actually an embedded PC that runs a standard CPU, with plenty of memory, and storage that can be very useful for an attacker, like compact flash or even a small solid state disk. The manufacturers are building their products in software code that runs on top of what is basically a small, general purpose computer.

This is a VERY attractive target for attackers because the hardware can be easily modified to do many useful things for an attacker such as:

launch attacks on other systems;
launder (hide) connections to other systems for illegal activities;
denial of service attack victims on the internet;
launch further brute force break-in attempts on other computers; and/or
spy on the victim’s local network and gather more valuable data to steal.

Busybox is a powerful program that packs the functionality of 60 to 100 popular utilities and commands into one single binary. BusyBox is often installed on these devices to allow developers and administrators to interface with the device. If an attacker can get remote access to a device Busybox makes it much easier to modify the system to suit the attackers purpose(s) above (and new ideas the attacker may consider/discover).

How to defend against this threat?

Don’t install devices on your production network if you don’t have time to administer (patch and monitor) them. Consider putting the device on a guest network and disconnect the device when its intended purpose has come and gone, otherwise an attacker will find a NEW purpose for your forgotten device.
Password Safety:
Always change the password to a secure account.
Always record the password in a database or file that is regularly backed up / archived.
NEVER leave a device with its default password.
Having passwords written on paper in an envelope in a safe is also a good backup. IT workers lose countless dolars/time each year on lost passwords.
Disable remote access to your devices, especially edge routers and firewalls. Your support vendor should have a set of static (NON-CHANGING) ip addresses that he/she will do remote administration from at all times.
Retire devices and disconnect them from your network if they are no longer supported by the vendor. Install vendor security patches for your device(s). If you can’t for any reason, build a secure vlan to house your devices that cannot be secured via conventional methods.
Don’t assume your home network is secure. For example, if your game console is hacked, then your entire home network can be at risk. Put your game console on a protected vlan or guest wireless network.