Our hardware can also be a useful attack vector for an attacker. In this video, you’ll learn how firmware, end-of-life announcements, and legacy platforms can potentially put our data at risk.
If you look at your local network at home and in your office, you’ll notice there are a lot of devices connected to the network. Many of these devices are hardware devices that don’t generally give us access to the operating system that’s running inside. This might be a device used to control the air conditioning system. You might use this device to clock in or clock out of work. But in any case, it’s a device that has an operating system running inside of it, but we don’t generally have access to that operating system.
Since these devices are connected to the network, they are therefore a potential security risk. So we need to make sure that we’re always up to date with the firmware or software that might run inside of these hardware devices. If you look around at home, this could mean that your stove, your refrigerator, your garage door, the front doors to your house, and all of these embedded Internet of Things devices, or IoT devices, all could potentially be a security issue for your home and your office.
Before IoT, our security concerns were basically focused on operating systems that we had control of, our Windows laptop, or a tablet computer, or perhaps our mobile phone. But with the advent of IoT and these hundreds of different devices that you can connect to your network, we now have security concerns with every one of these devices. We often refer to this operating system that’s running inside of this hardware as firmware. This is the operating system that makes everything work inside of this device.
And very often, we have no idea what this operating system even is. This means that the only people who can really update or manage the system is the manufacturer themselves. They’re the ones that created this device. They’re the ones that developed the software running in this operating system. And they’re the only ones that can really tell us how to upgrade the firmware in all of these hardware devices.
Unfortunately, manufacturers of hardware don’t necessarily have the same focus on IT security that others of us might have. For example, we ran into exactly this problem with Trane Comfortlink II thermostats. These are thermostats that are automated, and you can control them from something like a mobile phone or a tablet.
Trane was notified of security vulnerabilities of these Comfortlink thermostats in April of 2014. The manufacturer did not release a patch for these thermostats until April of 2015. And another patch was released in January of 2016. In the world of Windows, and Mac OS, and Linux, we generally turn around these patches in a month or less. In this case, the manufacturer took at least a year to provide the very first patch for these security problems and, in some cases, almost another year to release the other one.
This obviously created security concerns for people that were using these Trane Comfortlink II thermostats because during this entire period, the vulnerability was known, but a patch was not available. Sometimes, the manufacturer of these devices will inform you when a device is no longer able to be updated. The first notice of this might be an EOL notice, or End Of Life notice. This is a notice that the manufacturer is giving to everyone to let them know that in the future, they will stop selling this particular product.
It’s important to keep these dates in mind because you can still get security patches and updates, even though this product is not actively being sold. This may be the first notice that it might be time to replace this device. Although there is a time frame where there is still support available, eventually that time frame will go away. Once the device has already hit its end of life and the manufacturer has decided to no longer support the device, we now are at the End Of Service Life, or EOSL.
The manufacturer themselves have stated they are not going to provide any additional security patches for this device, although they may provide you with a very high-end support option where you can pay a great deal of money to have them continue support for that device. That financial outlay is not something that most customers have the ability to do. So, often, they will replace this device with something newer. Obviously, EOL is an important step that might give you some warning that the support for this device is going away.
But the really important date is the EOSL. If you have equipment in your office or at home that has hit the end of service life, you may want to consider replacing that device as soon as possible so that you always have the latest security patches installed. If you work for an organization that has a large infrastructure, with data centers that are located around the world at many different remote sites, then you probably have equipment in one of these locations that has been installed for years and years.
This is a legacy device, and it’s one that might be running an older operating system. Maybe the application is very old and has not been updated in quite some time. Or maybe the middleware that this application uses is very outdated. In each of these cases, the software that’s running on these systems may be at its end of life or even its end of service life. And if that’s the case, we may want to weigh the operational need to keep using this device or this application against the security risks of leaving it on our network.
The real challenge might be if this particular device or software plays a very critical part in the overall goals of your organization. This means that it’s not as easy as simply turning off the device or replacing it with another device that we can get elsewhere. This means we may need to keep this device running for a certain amount of time, but we might also want to create some type of mitigation that would prevent someone from taking advantage of any known security vulnerabilities.
This means we may want to create additional firewall rules that would limit the people able to directly connect to this device, or you might add additional IPS signatures, especially signatures that are built for some of these older operating systems. So although this may not be something you can easily phase out of your network, you may be able to put together a path to replace this device, while, at the same time, providing the security needed for these legacy platforms.
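As an added illustration (not part of the original video), the lifecycle rules above can be turned into a small triage script over a device inventory: an asset is SUPPORTED, EOL (still patched, plan replacement) or EOSL (no more patches), and a critical EOSL device gets the compensating controls described here, an allow-list firewall rule set and legacy IPS signatures. The inventory, IP addresses, dates and firmware versions are constructed, and the nftables rule strings assume a `forward` chain in a table named `inet filter`.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    name: str
    ip: str
    firmware: str           # version currently installed
    latest_firmware: str    # newest version the vendor has published
    eol: Optional[date]     # End Of Life: vendor stops selling, still patches
    eosl: Optional[date]    # End Of Service Life: vendor stops patching
    critical: bool = False  # cannot simply be switched off

def lifecycle_state(asset: Asset, today: date) -> str:
    """EOSL takes precedence over EOL; no dates means still supported."""
    if asset.eosl and today >= asset.eosl:
        return "EOSL"
    if asset.eol and today >= asset.eol:
        return "EOL"
    return "SUPPORTED"

def triage(asset: Asset, today: date) -> list[str]:
    """Actions a defender should take for one asset, most urgent first."""
    state = lifecycle_state(asset, today)
    actions = []
    # Firmware updates are still published before EOSL, so apply them.
    if asset.firmware != asset.latest_firmware and state != "EOSL":
        actions.append(f"update firmware {asset.firmware} -> {asset.latest_firmware}")
    if state == "EOL":
        actions.append(f"plan replacement before EOSL {asset.eosl}")
    elif state == "EOSL":
        if asset.critical:  # must keep running: mitigate, then replace
            actions.append("isolate: allow-list management hosts, drop all other traffic")
            actions.append("add IPS signatures for the legacy platform")
            actions.append("schedule replacement")
        else:
            actions.append("replace as soon as possible")
    return actions

def isolation_rules(asset: Asset, mgmt_hosts: list[str]) -> list[str]:
    """nftables forward-chain rules: only the listed hosts may reach the device."""
    rules = [f"nft add rule inet filter forward ip saddr {h} ip daddr {asset.ip} accept"
             for h in mgmt_hosts]
    rules.append(f"nft add rule inet filter forward ip daddr {asset.ip} drop")
    return rules

# Constructed sample inventory (names, addresses, dates and versions are made up).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Asset("hvac-thermostat", "10.0.1.20", "1.2", "1.4", date(2023, 1, 1), date(2026, 1, 1), critical=True),
    Asset("time-clock", "10.0.1.21", "3.0", "3.0", date(2021, 1, 1), date(2023, 6, 1), critical=True),
    Asset("badge-reader", "10.0.1.22", "2.1", "2.1", date(2020, 1, 1), date(2022, 1, 1)),
    Asset("core-switch", "10.0.1.1", "9.5", "9.6", None, None),
]
```

Running `triage(a, TODAY)` over `INVENTORY` gives the thermostat a firmware update plus a replacement plan, the time clock isolation rules plus IPS signatures, the badge reader immediate replacement, and the switch only a firmware update.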