During the AusCERT 2013 conference, HD Moore, the author of Metasploit, claimed that embedded systems vendors are acting carelessly, and that they are the ones responsible for the poor state of computer network security.
HD Moore stated that while systems administrators are doing their best to protect their systems, they cannot deal with the threats contained in routers, modems, handsets and similar devices, because vendors of embedded systems generally just don't care.
“You can probably own five percent of the total Internet without even blinking,” Moore said.
He also showed the results of a large-scale scan of the IPv4 address space, looking at TCP and UDP services, and turning up “endemic” vulnerabilities.
Moore said that he was outraged that vendors of unprotected embedded systems ship them to users and, while knowing about the vulnerabilities, do not fix them.
He noted that there are 75 million vulnerable SNMP systems worldwide, and that about 6% of all Cisco devices reachable from the Internet offered SNMP read access.
According to the researcher, one of the problematic aspects is the length of the supply chain in the embedded and consumer device market: the embedded software may ship from one vendor, be turned into a module by a second vendor, be integrated into a finished system by a third, and be branded by a fourth. The problem is that none of them is really trying to protect end users.
“We’re going to have some really nasty incident … then there’ll be a knee-jerk reaction” before things are fixed, said Moore.