The battleground that hackers and cybersecurity specialists fight over extends far beyond personal computers, as the Stuxnet virus showed us (to pick one prominent example). And though personal computers are frequently faulted for having terrible security, the embedded computers in infrastructure systems are frequently far older and more neglected. But now that’s changing as well: new software developed with the backing of the Department of Defense and Department of Homeland Security will help secure millions of new HP printers, and soon could help protect the countless embedded computers found in everything from critical infrastructure to the human body.
As the Stuxnet cyber attack on Iran’s nuclear program underscored, targets for hackers are everywhere. Examples include office printers; telephones seen on desks in the White House and aboard Air Force One; the machines controlling power plants; the routers that form the Internet’s backbone; the electronics handling car engines, door locks, and brakes; medical devices such as pacemakers and drug pumps; and even the International Space Station. Many of these embedded devices can now link with other computers, so not only are they targets themselves, but they could serve as back doors into otherwise secure computers and networks.
“Just like computers, other computing devices like routers, TVs, printers and so on can have vulnerabilities, be attacked, and have malware installed on them,” says computer security researcher Charlie Miller at Uber, a former hacker for the National Security Agency, well known for publicly revealing vulnerabilities in Apple products such as the iPhone and MacBook Air. “However, unlike your desktop computer, there isn’t much you can do about it. For example, you can’t just install anti-virus on your router. For these devices, we rely heavily on manufacturers protecting these devices for us. That is why it is so great to see HP stepping up and including this defense into their products.”
Today HP announced that three new HP LaserJet Enterprise printers coming out this fall will come equipped with software that can detect, report and defend against attacks targeting the devices. The company also stated it will deliver a firmware update enabling these capabilities on all Future Smart-enabled HP LaserJet Enterprise printers already operating in the field.
“This level of defensive technology has never existed on a commercial scale before,” says Ang Cui, chief scientist and CEO of Red Balloon Security, the company that developed this new software. Moreover, the new software on these printers, which Miller calls “cutting-edge research,” can not only be installed on printers, but on any embedded device, such as routers, cars, planes, telephones, point of sales devices such as cash registers, industrial control devices, medical equipment and more, Cui says.
Until now, protecting the profusion of embedded devices that exist has proven intractable. The software that Red Balloon developed can work on many embedded devices regardless of what operating systems they us. It does so by running directly on the central processing units of these devices, continuously scanning random chunks of code from the devices’ firmware images — their operating systems and associated programs — to look for modifications that might suggest an intrusion has happened.
A major problem that embedded devices still face is how vulnerabilities that one device has often are found in every other device of that kind, Cui said — it would be as if getting a key for one lock helped you open all other locks of that make and model. Modern personal computers solve this problem by randomizing their firmware images, and Cui says Red Balloon is developing a way to implement this strategy on embedded devices as well.