VANCOUVER, B.C.--Software that runs home routers, cell phones and personal digital assistants is rife with security bugs, an expert said Thursday.
Barnaby Jack, a Juniper Networks security researcher, gave a tutorial at the CanSecWest conference here on how bug hunters can find exploitable vulnerabilities in such devices and demonstrated an attack on a D-Link router using a yet-to-be-patched hole.
"Security flaws are abundant on these devices," Jack said. "Security needs to reach further than a home PC. Insecure devices pose a threat to the entire network. Hardware vendors must take security into consideration."
There hasn't yet been a large amount of security research into the type of software Jack looks at. This is code that runs gadgets equipped with ARM, MIPS, XScale and PowerPC microprocessors. However, researchers appear increasingly interested in finding ways to attack routers and other such "embedded" devices.
In examining software from various devices, Jack found that there are many exploitable "null pointers" in the code. "Vulnerabilities that are near dead in the PC realm are abundant," he said. "This is a new class of attack... This is a remote attack the same way as a buffer overflow or a heap overflow, but it is more reliable."
Null pointers have often been disregarded as insignificant bugs, but according to Jack, the bugs can in fact allow full compromise on embedded devices. A null pointer is a program variable that is meant to hold a memory address but instead holds zero, so it refers to an empty location in memory rather than to a valid object.
An attacker could run unauthorized software on a device connected to a network. Criminals could use this kind of attack to steal sensitive information from mobile phones and PDAs or monitor and redirect Internet traffic on routers.
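As an added illustration of the defect class described above (this is example code written for this page, not code from the article or from Jack's talk), here is a small request handler in C in two forms: one that uses a lookup result without checking it, and one that checks the result and rejects the request. The header format, the handler names and the device state structure are all constructed for the example. On a PC the unchecked version would simply crash on a malformed request; on a device with no memory protection, or with address zero mapped (many older ARM cores keep their exception vector table there), the same code quietly reads through address zero, which is why such bugs are more than a denial of service on embedded hardware. The checked version refuses the request instead.

```c
/* Added example, not from the article or from Barnaby Jack's talk: a
 * request handler of the kind found in embedded network daemons, first in
 * the form that dereferences a lookup result without checking it, then
 * with the check added. Names and the request format are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A tiny request: an array of header lines terminated by a NULL name.
 * Constructed sample data, not a real protocol. */
typedef struct {
    const char *name;
    const char *value;
} header_t;

/* Return the value for 'name', or NULL when the client did not send it. */
static const char *find_header(const header_t *hdrs, const char *name)
{
    for (size_t i = 0; hdrs[i].name != NULL; i++) {
        if (strcmp(hdrs[i].name, name) == 0)
            return hdrs[i].value;
    }
    return NULL;
}

/* Device state the handler writes into (stands in for router config). */
typedef struct {
    char host[32];
    int host_set;
} device_state_t;

/* Vulnerable form: assumes the client sent a Host header. If it did not,
 * strncpy() reads through a NULL pointer. With no MMU, or with address 0
 * mapped, that is a read of real memory rather than a crash, which is what
 * makes the bug exploitable on embedded devices. Kept here for contrast
 * and only ever run on a well-formed request. */
static int handle_request_unchecked(const header_t *hdrs, device_state_t *st)
{
    const char *host = find_header(hdrs, "Host");
    strncpy(st->host, host, sizeof st->host - 1);   /* NULL deref if absent */
    st->host[sizeof st->host - 1] = '\0';
    st->host_set = 1;
    return 0;
}

/* Hardened form: every lookup that can fail is checked before use, and a
 * malformed request is rejected rather than touching memory through NULL. */
static int handle_request_checked(const header_t *hdrs, device_state_t *st)
{
    const char *host = find_header(hdrs, "Host");
    if (host == NULL) {
        st->host_set = 0;
        return -1;                                    /* reject request */
    }
    strncpy(st->host, host, sizeof st->host - 1);
    st->host[sizeof st->host - 1] = '\0';
    st->host_set = 1;
    return 0;
}

/* Constructed requests: one well-formed, one missing the Host header. */
static const header_t good_req[] = {
    { "Host", "router.lan" }, { "User-Agent", "demo/1.0" }, { NULL, NULL }
};
static const header_t bad_req[] = {
    { "User-Agent", "demo/1.0" }, { NULL, NULL }
};

/* Small wrappers: run one request against fresh state and report results. */
static int checked_result(const header_t *req)
{
    device_state_t st = {0};
    return handle_request_checked(req, &st);
}

static int unchecked_result_good(void)
{
    device_state_t st = {0};
    return handle_request_unchecked(good_req, &st);
}

/* Returns 1 when the checked handler copied the Host value correctly. */
static int checked_copies_host(void)
{
    device_state_t st = {0};
    if (handle_request_checked(good_req, &st) != 0)
        return 0;
    return st.host_set == 1 && strcmp(st.host, "router.lan") == 0;
}

int main(void)
{
    printf("good request (checked):   rc=%d\n", checked_result(good_req));
    printf("bad request  (checked):   rc=%d\n", checked_result(bad_req));
    printf("good request (unchecked): rc=%d\n", unchecked_result_good());
    printf("host copied correctly:    %d\n", checked_copies_host());
    return 0;
}
```

The point of the contrast is the failure mode, not the copy itself: the only difference between the two handlers is the `if (host == NULL)` test, and on a PC the missing test shows up as a crash in testing, while on an MMU-less device it shows up as silent reads from low memory that no test will notice.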
To find bugs, the software needs to be extracted from the device and analyzed, Jack said. This could be done using a gadget that connects to hardware interfaces, such as JTAG (Joint Test Action Group) or UART (Universal Asynchronous Receiver/Transmitter), commonly available on the devices, he said. Alternatively, manufacturers sometimes conveniently make their software available online.
In a demonstration, Jack launched an attack on a D-Link router. He showed how he could remove password protection on the router and enable remote administration capability. He subsequently uploaded modified software to the router that included a "watchdog" tool he created to monitor activity.
The particular D-Link hole Jack used in the demonstration is not exploitable over the Internet--an attacker has to be connected to the vulnerable device. However, many other vulnerabilities of this type exist that do allow attacks via the Internet, he said.
One way hardware makers can prevent bug hunters from finding flaws in their code is by hiding their software better, Jack said. For example, commercial devices should not have JTAG traces that let people copy the software. "No debugging functionality needs to remain," he said.
"In examining software from various devices, Jack found that there are many exploitable "null pointers" in the code"
... seems to implicate the lightweight software/OS system on the devices themselves, which can be running PPC processors among others.
I see no way to warp that into a Mac vulnerability.