Whether withdrawing money from an ATM, purchasing a train ticket from a self-service machine or simply looking at a digital sign, it's safe to say that we all use embedded systems in our everyday lives; but when it comes to ensuring that security protection on these devices is up to date, they are often overlooked by the organizations who are supposed to be maintaining them. This poses serious security risks.

To put this into a real world application, Microsoft plans to terminate support for Windows 7, Windows 2008 and Windows Mobile on January 14, 2020, and as such, the company will no longer need to release updates and necessary security patches for these systems. Research reveals that 71% of 1.5-million examined embedded medical devices are still running on these versions of Windows. In contrast, according to internet usage statistics, the share of these operating systems (OS) still run on desktops is less than 30%.

Another example is the embedded devices that still function on Windows XP, even though Microsoft has not supported devices using this OS for several years. Mainstream support for Windows XP Embedded ended on January 12, 2016, with Windows Embedded for Point of Service support ending on April 12, 2016. While there are no statistics that indicate how widespread the use of Windows XP in business is, security enthusiasts have stumbled upon numerous instances where this legacy OS is still being used, such as a self-service terminal in a pharmacy, a checkout desk at a grocery store and an interactive billboard.  

With so many active embedded systems with outdated OS's being used every day, organizations are widening the gap for cyber criminals to breach private information, leaving their business and customers vulnerable.

Why do companies ‘forget' to update embedded devices?

It would be an exaggeration to say that organizations do not pay any attention to the security of their embedded systems. For example, ATM and Point of Sale (POS) systems deal with private credit cards and therefore need to be PCI DSS-compliant which requires strict security measures to be applied.

However, embedded systems include many different types of devices beyond ATM and POS systems. From our experience, when a system isn't linked to a direct monetary or compliance risk, it tends to be overlooked.  In simple terms, interactive kiosks, ticket machines for virtual queueing, hotel registration desks and digital signage are likely to have little or even no up-to-date security protection.

Another reason many organizations do not update the security on embedded devices is due to the challenges associated with upgrading them. Older embedded systems often use low-end hardware and have limited capacity that allows them to smoothly perform only the dedicated function for which they are intended. However, if a company installs a modern OS, the device is less likely to work as it should because the OS is too advanced for the device. For instance, an experiment showed that it would take a computer built in the XP-era, with Windows 10 installed, 41 seconds to open a folder. It is also worth mentioning that some embedded devices cannot be upgraded to the newest OS available, so they should be wiped clean and have Windows 10 installed.

Alternatively, custom or tailor-made software also keeps companies tied to legacy OS. Oftentimes vendors will not release new versions of their off-the-shelf products for unsupported systems, which is a driver for user migration. Software developed for a specific company is often only compatible with a certain outdated system which is especially true for migration from Windows XP.

For these reasons, companies can be guilty of either overlooking these embedded devices or choose not to update their security systems until they are confident they will work as they should.

How to manage and protect a legacy OS

It goes without saying that running outdated systems is an obvious security risk. Without regular updates, devices are vulnerable to modern threats or, if left unpatched, existing threats that hackers continue to use. For example, Kaspersky experts uncovered exploits of the 2010 zero-day vulnerability in Microsoft Windows despite a patch being released in the same year. Six years later, this vulnerability was still the most widely used by threat actors accounting for 25% of all users who encountered exploits that year. If forgotten about, embedded systems can serve as a main point of entry for targeted attacks.

Due to compatibility issues, installing a recent version of an OS on an embedded device is time consuming and more expensive than doing the same to an endpoint; however, leaving embedded systems without the proper security protections in place is not an option.

We recommend taking the following steps to safely secure embedded devices:

1. Make an inventory of embedded devices across your IT infrastructure to ensure that you have an up-to-date list and are aware of all devices on the network.
2. Determine which devices are outdated or coming to the end of the OS version's vendor support.
3. Find the most resource-effective strategy to update all devices. For some, the best decision might not be to upgrade the OS, but to change the device when it comes to its scheduled replacement. In these cases, it is essential to use a security solution that is specially designed to protect the embedded devices.

##

About the Author

Rob Cataldo, Vice President, Enterprise Sales, Kaspersky North America

 

As vice president, enterprise sales, Kaspersky North America, Rob is responsible for leading the enterprise sales teams across the region and overseeing all B2B sales activities for organizations with 1,000 or more employees.

Rob has nearly two decades of sales experience and a proven track record of securing enterprise customer wins during his four-year tenure at Kaspersky. Prior to his current role at Kaspersky, he also held enterprise sales roles at Bromium, Gryphon Networks and Sophos.