Barnaby Jack, a Juniper Networks security researcher, gave a tutorial at the CanSecWest conference here on how bug hunters can find exploitable vulnerabilities in such devices and demonstrated an attack on a D-Link router using a yet-to-be-patched hole.
"Security flaws are abundant on these devices," Jack said. "Security needs to reach further than a home PC. Insecure devices pose a threat to the entire network. Hardware vendors must take security into consideration."
There hasn't yet been a large amount of security research into the type of software Jack looks at. This is code that runs gadgets equipped with ARM, MIPS, XScale and PowerPC microprocessors. However, researchers appear increasingly interested in finding ways to attack routers and other such "embedded" devices.
In examining software from various devices, Jack found many exploitable "null pointer" dereferences in the code. "Vulnerabilities that are near dead in the PC realm are abundant," he said. "This is a new class of attack. ... This is a remote attack the same way as a buffer overflow or a heap overflow, but it is more reliable."
Null pointer bugs have often been disregarded as insignificant, but according to Jack they can in fact allow full compromise of embedded devices. A null pointer is a value in a program that refers to no valid memory location, an "empty" address; the bug arises when the program follows the pointer anyway and reads or writes there.
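The bug class Jack describes, as an added illustration that is not code from the talk or from any D-Link product: a toy session table of the kind a router's management service might keep, whose lookup returns NULL for an unknown id. One function uses the result without a check (the vulnerable form), the other rejects the request first (the hardened form). The struct, the 8-byte request layout and the sample requests are all constructed for this example. The comment on the vulnerable version states the difference between PC and embedded memory layouts that turns this bug from a crash into something more serious on a device.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed illustration: a toy "session table" such as a router's
 * management daemon might keep. A request names a session id and a flags
 * value to store in that session. Not code from any real product. */

struct session {
    uint32_t id;
    uint32_t flags;
};

#define MAX_SESSIONS 4
static struct session sessions[MAX_SESSIONS] = {
    { .id = 0x1001, .flags = 0 },
    { .id = 0x1002, .flags = 0 },
};
static size_t num_sessions = 2;

/* Returns NULL when the id is unknown; that NULL is where the bug starts. */
static struct session *find_session(uint32_t id)
{
    for (size_t i = 0; i < num_sessions; i++)
        if (sessions[i].id == id)
            return &sessions[i];
    return NULL;
}

/* Vulnerable form: the lookup result is used with no NULL check.
 * For an unknown id the store goes to address 0 + offsetof(struct session, flags),
 * i.e. address 4. On a PC that page is unmapped and the process simply crashes;
 * on many embedded targets low memory is mapped (ARM keeps its exception vector
 * table at address 0, for example), so the write silently lands in live memory.
 * Kept here for comparison only; main() below never calls it. */
void apply_flags_vulnerable(uint32_t id, uint32_t flags)
{
    struct session *s = find_session(id);
    s->flags = flags;          /* NULL dereference when id is unknown */
}

/* Hardened form: refuse the request instead of dereferencing NULL. */
static int apply_flags_checked(uint32_t id, uint32_t flags)
{
    struct session *s = find_session(id);
    if (s == NULL)
        return -1;             /* unknown session: reject, touch no memory */
    s->flags = flags;
    return 0;
}

/* Big-endian 32-bit read used for the constructed request format. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Request layout (constructed): 4-byte session id, 4-byte flags, both big-endian.
 * Returns 0 on success, -1 for an unknown session, -2 for a truncated request. */
int process_request(const uint8_t *msg, size_t len)
{
    if (len < 8)
        return -2;
    return apply_flags_checked(be32(msg), be32(msg + 4));
}

/* Read back a session's flags; 0xFFFFFFFF means "no such session". */
uint32_t session_flags(uint32_t id)
{
    struct session *s = find_session(id);
    return s ? s->flags : 0xFFFFFFFFu;
}

int main(void)
{
    /* Constructed requests: one for a live session, one for an id that does not exist. */
    const uint8_t good[8] = { 0x00, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x07 };
    const uint8_t bad[8]  = { 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x07 };
    printf("known session:   rc=%d flags=%u\n", process_request(good, 8), session_flags(0x1001));
    printf("unknown session: rc=%d\n", process_request(bad, 8));
    return 0;
}
```

The hardened path costs one comparison per request; the point of the check is that the failure case becomes a rejected message rather than a memory write at an address the attacker chose by picking an id that does not exist.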
An attacker could run unauthorized software on a device connected to a network. Criminals could use this kind of attack to steal sensitive information from mobile phones and PDAs or monitor and redirect Internet traffic on routers.
To find bugs, the software needs to be extracted from the device and analyzed, Jack said. This could be done using a gadget that connects to hardware interfaces, such as JTAG (Joint Test Action Group) or UART (Universal Asynchronous Receiver/Transmitter), commonly available on the devices, he said. Alternatively, manufacturers sometimes conveniently make their software available online.
In a demonstration, Jack launched an attack on a D-Link router. He showed how he could remove password protection on the router and enable remote administration capability. He subsequently uploaded modified software to the router that included a "watchdog" tool he created to monitor activity.
The particular D-Link hole Jack used in the demonstration is not exploitable over the Internet; an attacker has to be connected to the vulnerable device. However, many other vulnerabilities of this type exist that do allow attacks via the Internet, he said.
One way hardware makers can prevent bug hunters from finding flaws in their code is by hiding their software better, Jack said. For example, commercial devices should not have JTAG traces that let people copy the software. "No debugging functionality needs to remain," he said.