Why your security appliance will be hacked

I’m no world-class hacker/penetration tester, but I’ve been able to break into any organization I’ve been (legally) hired to do so in an hour or less, except for one place that took me three hours. That was on my second engagement with the customer after it had implemented many of the protections I had recommended during my first visit.

Hackers and pen testers typically have areas of specialization. Some hack point-of-sale terminals, some hack web servers, some hack databases, and some specialize in social engineering. My own area has been focusing on computer security defense appliances—followed by hijacking elevated service/daemon accounts once I was in. This combination allowed me to break into about 75 percent of my targets. Sure, there were many other weaknesses, but this one was so prevalent I always went after it first.

Why I targeted security appliances

I got the idea to hack security appliances from doing InfoWorld reviews. I loved testing these appliances for vulnerabilities. In all my years of testing, only one, a McAfee eOrchestrator, arrived without one or more well-known vulnerabilities.

I found this pretty shocking. Even when I told vendors about the vulnerabilities I discovered, they rarely fixed them in a timely manner.

Why are appliances so insecure, especially compared to the software we normally consider more vulnerable? Because most programmers are not trained in secure coding techniques, which is very strange to think about when the programmer is being paid to write code for a security appliance.

The typical security appliance programmer is no different than any other programmer. Yes, the programmer may know how to add encryption or certificate handling, but not necessarily how to improve the security of the appliance. Like most programmers, they probably haven’t been trained in secure development lifecycle methods. They don’t pen test their own code. If the software runs, great.

Appliance vulnerabilities get announced all the time. Security researcher Scott Helme has claimed that Nomx, an email security appliance, has numerous vulnerabilities and contains unpatched software. Though Nomx denies the report, it points out a larger issue. 

Bob Noel, director of strategic relationships and marketing for the security firm Plixer, explains:

The vulnerabilities found in this Nomx device is a further example of why companies themselves must take responsibility for securing and monitoring the technology they purchase and implement. Companies should no longer implicitly trust the safety of products as they arrive directly from the manufacturer.  It is important for all companies to deploy monitoring solutions like network traffic analytics which inspect traffic to and from every device and apply behavior analysis to uncover anomalous device behavior.     

Slow testing cycles

Part of the problem is that appliances have longer testing cycles. The code gets “locked down” longer for testing and sales purposes. If the appliance is going to be sold to a government or medical customer, the lockdown period can be a year or more as the appliance goes through a certification or accreditation process. I’ve frequently seen appliances running operating system versions that are five to 10 years old, many no longer supported by the vendor. This means well-known, easy-to-exploit bugs are often in the appliance code software for years.

Firmware is simply harder-to-patch software

For reasons unknown to me, buyers and sellers of appliances that run on firmware seem to think firmware is harder to hack than regular software. In fact, the opposite is true. Firmware runs code that can only be formally updated by writing to the firmware. That takes special software with the appropriate access. A hacker can exploit firmware code by modifying the runtime bytes in memory. Although the latter method will be erased when the appliance is rebooted, appliances are rebooted far less than regular computers, so exploits can remain active for months to years.

No customer patches allowed

When I contact appliance vendors about newfound vulnerabilities, they’re surprised to hear that an exploit that’s been around for years has also been in their appliance for years. But when I ask if I can patch the vulnerable software component, I’m usually told that doing so without using the vendor’s official patch will void the warranty of the appliance.

Slow patching cycles

The most popular operating systems and software programs are frequently patched on a daily to monthly basis. With appliances, you’re lucky to see a patch once a quarter or, in many cases, once a year. Remember, most appliances run operating systems that contain the same bugs that are patched once a month by the OS vendor. You can understand why appliance hackers love this.

What can you do?

Appliance security is improving, albeit slowly, but most security appliances still have one or more vulnerabilities.

Here’s what to do: Before buying a new appliance, ask the vendor what it does to minimize security issues. Have the programmers received security development lifecycle training? Do they do code analysis or pen testing? How often do patches come out, and what do they cover?

Find out if the vendor patches bugs in a timely manner. Can you patch your appliance if you discover a bug and the vendor doesn’t fix it? Everything can be hacked. Everything has bugs. But when a bug gets known, how long does it take for the vendor to respond? Does the vendor proactively warn you when bugs become known? If so, how? Find out if you can pen test the appliance without violating the warranty.

The intent is to determine if your appliance vendor is even aware of the problem of insecure code. If so, do they take it seriously?

Think defensively

If an appliance, with a configuration that’s not completely under your control, gets owned, how can you prevent that asset from being used against you? Because these devices are supposed to be your bastion defenses, treat them as special.

Don’t reuse credentials on the device with other devices or software. For example, your appliance admin credential shouldn’t have the same password as your Active Directory domain administrator. If the device doesn’t need to be connected to your Active Directory forest or *nix realm, don’t connect it. Make it standalone. Limit its ability to connect to the rest of the network and enterprise. That way, if it’s compromised, the attacker will have a hard time using access credentials to reach further into the environment.

Most of all, realize that your trusted security components can be used against you. Treat every computer security software program, appliance, and device as if it were as insecure as regular software or more so. That’s usually the hard truth.