Imagine a world where you can create a networkable solution built around a Linux-based web server that can never be patched. Unfortunately, this is essentially what has happened as a result of the regulation of devices stamped with the FDA's seal of approval. In its efforts to ensure that vendors of technology for regulated environments create secure and stable solutions, the FDA has inadvertently helped to create the worst of scenarios - unpatchable technology solutions that control and monitor medical, pharmaceutical, food and bio materials.
Think about this for a second - the medicines that you take, your blood results and lab products, and even the food that you eat in regulated environments are all managed by FDA-approved devices. Devices that, by the very fact that they are approved by the FDA, cannot be patched or have their software updated. What does this mean? At a minimum, there is a good chance that numerous devices sitting inside almost every regulated environment are running outdated operating systems, unpatched web servers, and insecure applications. What follows details one such device.
Vulnerability Scan Results
It all started with the following results from a typical network vulnerability scanner:
These results carry several indicators that this device is not very secure. To name a few items that point to deeper problems:
Unsupported OS - could indicate operating system bugs that are easily exploitable.
XSS/HTML injection/httpOnly bugs - any one of these is bad to see, but all four together indicate that this program was either developed over 6 years ago, prior to all the XSS-related exposure, or was very poorly developed.
Numerous CGI bugs - indicates that the CGI scripts are worth looking into. Chances are good that there is more to find.
Browsable web directories - a must review, as web servers are generally not set up to list all the files contained in a directory. Chances are good that there is more to find.
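As an added example (not code from the original post or the device vendor), the following offline triage checks two of the indicators above, cookies set without HttpOnly and browsable directory listings, against constructed HTTP responses standing in for a device web portal. The response samples and finding names are assumptions for illustration.

```python
import re

# Constructed sample responses (not captured from any real device).
SAMPLE_COOKIE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.33 (Unix)\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"          # missing HttpOnly
    "Set-Cookie: theme=dark; Path=/; HttpOnly\r\n"      # flagged correctly
    "Content-Type: text/html\r\n\r\n"
    "<html><body>Welcome</body></html>"
)
SAMPLE_LISTING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.33 (Unix)\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Index of /cgi-bin</title></head>"
    "<body><h1>Index of /cgi-bin</h1>"
    "<a href=\"admin.cgi\">admin.cgi</a></body></html>"
)


def split_response(raw):
    """Split a raw HTTP response into [(header-name, value), ...] and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def triage(raw):
    """Return (indicator, detail) findings for the indicators discussed above."""
    headers, body = split_response(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "httponly" not in attrs:
                # Script-readable session cookie: the httpOnly class of finding.
                findings.append(("cookie-without-httponly", cookie_name))
    # Default Apache-style index pages announce themselves in the title.
    listing = re.search(r"<title>\s*Index of ([^\s<]+)", body, re.I)
    if listing:
        findings.append(("browsable-directory", listing.group(1)))
    return findings
```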
Dissecting the Web Portal
Cracking the Code
Critical Credentialing Issues
Static root password for all devices
Static backdoor account for all devices
Hardcoded admin password algorithm
How did we get here?
Allowing regulation to trump proper security design
Allowing regulation to trump expected patching realities
Allowing vendors to excuse poor behavior
What can we do better?
Don't support poor products
Future-proof yourself by ensuring upgrades and patches are mandatory
Communicate with each other and hold vendors accountable