Whether withdrawing
money from an ATM, purchasing a train ticket from a self-service machine or simply
looking at a digital sign, it's safe to say that we all use embedded systems in
our everyday lives; but when it comes to ensuring that security protection on
these devices is up to date, they are often overlooked by the organizations who
are supposed to be maintaining them. This poses serious security risks.
To put this into a
real world application, Microsoft plans to terminate support for Windows 7,
Windows 2008 and Windows Mobile on January 14, 2020, and as such, the company
will no longer need to release updates and necessary security patches for these
systems. Research reveals that 71% of 1.5-million examined embedded medical
devices are still running on these versions of Windows. In contrast, according
to internet usage statistics, the share of these operating systems (OS) still
run on desktops is less than 30%.
Another example is the
embedded devices that still function on Windows XP, even though Microsoft has not
supported devices using this OS for several years. Mainstream support for Windows
XP Embedded ended on January 12, 2016, with Windows Embedded for Point of
Service support ending on April 12, 2016. While there are no statistics that indicate
how widespread the use of Windows XP in business is, security enthusiasts have stumbled
upon numerous instances where this legacy OS is still being used, such as a self-service terminal in a pharmacy, a checkout desk at a grocery store and an interactive billboard.
With so many active
embedded systems with outdated OS's being used every day, organizations are
widening the gap for cyber criminals to breach private information, leaving their
business and customers vulnerable.
Why do companies ‘forget' to update embedded devices?
It would be an exaggeration
to say that organizations do not pay any attention to the security of their
embedded systems. For example, ATM and Point of Sale (POS) systems deal with private
credit cards and therefore need to be PCI DSS-compliant which requires strict security
measures to be applied.
However, embedded
systems include many different types of devices beyond ATM and POS systems. From
our experience, when a system isn't linked to a direct monetary or compliance
risk, it tends to be overlooked. In
simple terms, interactive kiosks, ticket machines for virtual queueing, hotel
registration desks and digital signage are likely to have little or even no up-to-date
security protection.
Another reason many
organizations do not update the security on embedded devices is due to the challenges
associated with upgrading them. Older embedded systems often use low-end
hardware and have limited capacity that allows them to smoothly perform only the
dedicated function for which they are intended. However, if a company installs
a modern OS, the device is less likely to work as it should because the OS is
too advanced for the device. For instance, an experiment showed that it would
take a computer built in the XP-era, with Windows 10 installed, 41 seconds to open a folder. It is also worth mentioning that some embedded
devices cannot be upgraded to the newest OS available, so they should be
wiped clean and have Windows 10 installed.
Alternatively, custom
or tailor-made software also keeps companies tied to legacy OS. Oftentimes
vendors will not release new versions of their off-the-shelf products for
unsupported systems, which is a driver for user
migration. Software developed for a specific company is often only compatible
with a certain outdated system which is especially true for migration from
Windows XP.
For these reasons, companies can be guilty
of either overlooking these embedded devices or choose not to update their
security systems until they are confident they will work as they should.
How to manage and protect a legacy OS
It goes without saying
that running outdated systems is an obvious security risk. Without regular
updates, devices are vulnerable to modern threats or, if left unpatched, existing
threats that hackers continue to use. For example, Kaspersky experts uncovered exploits of the 2010 zero-day vulnerability in
Microsoft Windows despite a patch being released in the same year. Six years later,
this vulnerability was still the most widely used by threat actors accounting
for 25% of all users who encountered exploits that year. If forgotten about,
embedded systems can serve as a main point of entry for targeted attacks.
Due to compatibility
issues, installing
a recent version of an OS on an embedded device is time consuming and more expensive
than doing the same to an endpoint; however, leaving embedded systems without
the proper security protections in place is not an option.
We recommend taking the
following steps to safely secure embedded devices:
- Make an inventory of embedded devices across your IT infrastructure to
ensure that you have an up-to-date list and are aware of all devices on the
network.
- Determine which devices are outdated or coming to the end of the OS
version's vendor support.
- Find the most resource-effective strategy to update all devices. For
some, the best decision might not be to upgrade the OS, but to change the
device when it comes to its scheduled replacement. In these cases, it is essential to use a security
solution that is specially designed to protect the embedded devices.
##
About the Author
Rob
Cataldo, Vice President, Enterprise Sales, Kaspersky
North America
As vice president, enterprise sales, Kaspersky North
America, Rob is responsible for leading the enterprise sales teams across the
region and overseeing all B2B sales activities for organizations with 1,000 or
more employees.
Rob has nearly two decades of sales experience and a
proven track record of securing enterprise customer wins during his four-year
tenure at Kaspersky. Prior to his current role at Kaspersky, he also held enterprise
sales roles at Bromium, Gryphon Networks and Sophos.