Security Issues With Network Devices
Thursday, September 24, 2009 22:01
In securing your computer network, you have probably thought about servers, desktops and laptops, but what about the other devices that you have on the network such as webcams, printers, network switches, routers, voice over IP phones, or NAS (network attached storage that can store 1 terabyte or more of information)? All these devices recently were studied and tested by researchers at Stanford University, and out of the 21 devices they tested, not one was secure. Because the devices were manufactured by sixteen different manufacturers, the security issue is not limited to one manufacturer.
Security Problem!
So what is the security issue with these types of devices? The problem, according to the researchers, is that these devices usually have web interfaces which allow the user to easily configure and manage them, but the low-cost devices were not built to withstand attacks. Web interfaces allow you to type in the IP address, for example, to a router through your browser, get a log-in screen, and then, after logging onto the unit, configure and change settings to the device. They basically allow you to configure the device through your browser. According to the Stanford researchers, the NAS (network-attached storage) devices were susceptible to all five classes of attacks the testers used on the network devices.
One of the most interesting attacks against the NAS devices happens simply by someone entering certain Javascript commands when they try to log onto the device. Every time someone logs onto the device and views the log that includes the failed log-on attempt from the attacker, the device will perform a cross-site scripting attack. This allows the attacker to execute commands on your computer. Anytime someone can execute commands on another computer without permission, you are in trouble. There are other types of attacks that be carried out against NAS and other devices, but the main concern is the way these types of devices can be used to attack other computers on your business or home network. Webcams, NAS, routers, VOIP phones, and other similar types of devices can all be affected.
Once these devices have been penetrated by an attacker, they will continue to attack other computers because the
attack code is stored in the configuration pages, device logs and other places in the device. You can clean an infected computer, but if the network device is not cleaned, it will continue to infect or attack computers in your network. Currently, these type of devices are not usually protected by anti-virus and other security related programs. Most of the security software and devices you have protecting your business information are geared towards servers and personal computers.
Should I Give Up?
The purpose of this article was not to spread fear, uncertainty and doubt (FUD) but to make you aware that almost any networked device can be attacked and is vulnerable to the same type of security issues as your servers and personal computers. Many of these devices provide convenient and sometimes essential services for a business, especially small and medium sized business. Technology is what makes your business competitive against larger organizations and businesses. What I would suggest is that you talk to your vendors about security of these devices before making a company-wide purchase. Also, don’t look just at cost but the features of the device and security measures built into the devices.
Currently, there are not many manufacturers addressing this issue, but that should change as more users become aware of the security issues with these devices. The researchers stated that the network devices that are being used with web interfaces will soon outnumber the number of servers. Whether this is true or not, the number of these devices being used by businesses as well as private individuals is increasing because of the ease of use and the functionality of them.
One ray of sunshine is that the Standford University researchers are considering developing a set of lightweight tools that could be included in these types of devices by the manufacturers, allowing some protection against such attacks. Remember there is never one hundred percent security, and this is just another development in the on-going battle with those that want to harm your business!!
Related posts: