Posted by Martin Zinaich on July 30, 2017.
When scanners attack, it just makes you WannaCry. So we had WannaCry, DoublePulsar, Petya – the whole EternalBlue exploit release. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer. The good news is the SMBv1 flaw only exists in… Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; Windows Server 2016; Windows 2003 and Windows XP. If that was not enough, it also exists in another operating system not often mentioned – Windows POS. POS in this case stands for “Point of Service” and not what first came to mind.
If you had to pick an embedded operating system, I can hardly think of a more problematic pick than one based on Windows. I talked about a coming IoT disaster in the article Woefully Unprepared, but Full Steam Ahead! That was back in 2015. The signs are all around that we are not getting the full picture – Smart Cars, Smart Manufacturing, Smart Medical Records and Smart Cities to name a few. All cobbled together with whatever “stuff” is available and that includes a lot of stuff designed and built under the “just barely good enough” paradigm.
Recently I was tracking down WannaCry attack traffic coming loud and strong from an IP address that I soon associated to an HP Scanner. Yes, a scanner… but a scanner that utilizes Windows POS. I now have to worry about large format scanners. Tomorrow it will be light bulbs, door locks and the candy machine.
In a more recent article titled, How vendors empower weak security I looked at how security is still a missing component from design and review. To add to those examples I now have another. If you look at the specifications for this larger format scanner, under Security Features you will find:
That first highlighted section shows what is available for Antivirus on this embedded device. The matrix states,
“Closed systems with very low risk of being infected by a virus, so no antivirus is required”
Apparently, the closed system did not realize this because it had the WannaCry virus and was trying to infect everything it could find.