
Security flaws in Wind River's IPnet embedded TCP/IP stack



--- Quote ---The US Food and Drug Administration is warning hospital IT admins to keep a close eye on their networks following the discovery of security vulnerabilities in a relatively obscure and dated TCP/IP stack – IPnet – used in embedded devices.

The flaws, mostly buffer overflows and memory in various components of IPnet, can be potentially exploited by miscreants to remotely take control of equipment, in this case medical implants and the base stations that manage them.
--- End quote ---

Not exactly a surprise, but potentially a big problem for products with embedded stacks, most having no prospect of getting firmware updates even if owners get to know there is a problem. The article doesn't suggest that the flaws have been exploited (yet) and you would hope that such equipment would be behind a decent firewall, but that isn't sufficient to ensure safety. I guess most embedded kit with TCP/IP stacks use it to provide a Web interface for control purposes and that the main danger would be equipment that connects to an external server for DRM/licencing/billing/update purposes?

Using a commercial, supported product rather than one of the free offerings such as LwIP doesn't necessarily help - at some point the stack vendor will drop support or go out of business. If you have access to the source code you at least have the chance to fix the code, although getting the updated firmware installed in all the products you've sold is another matter.

Is it likely that you, as a manufacturer of an embedded product with a TCP/IP stack, could get sued if a customer suffers loss that can be traced to a security flaw in your product? Obviously that is going to depend on where you and your customers are in the world. OTOH security vulnerabilities don't seem to worry the likes of router manufacturers who rarely bother to offer updates - let the customer buy the latest version (with its own unique set of bugs) if they're worried.
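The flaws the article describes are length-handling bugs in packet parsing, which is exactly the kind of thing a manufacturer with source access to the stack can audit and fix. As an added example that is not IPnet's code and not from the article or this thread, here is a TCP-style option walker in C with every length byte checked against both the bytes actually present and the caller's fixed buffer, plus constructed malformed inputs (truncated entry, length claiming more than the packet holds, zero length, payload total exceeding the output buffer) that the checks reject. The option layout (kind, length including its own two header bytes, payload), the `OPT_MAX` size and the test vectors are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_MAX 16            /* assumed fixed size of the caller's option buffer */

enum { OPT_END = 0, OPT_NOP = 1 };

/* Walks an option list laid out as kind, length, payload (length counts the
 * kind and length bytes too, as in TCP). Copies payloads into out and returns
 * the number of variable-length options, or -1 as soon as any length byte
 * disagrees with the bytes actually present or with the room left in out. */
int parse_options_safe(const uint8_t *pkt, size_t pkt_len,
                       uint8_t out[OPT_MAX], size_t *out_len)
{
    size_t i = 0, used = 0;
    int count = 0;

    while (i < pkt_len) {
        uint8_t kind = pkt[i];
        if (kind == OPT_END)
            break;
        if (kind == OPT_NOP) {          /* single-byte padding option */
            i++;
            continue;
        }
        if (i + 2 > pkt_len)            /* no length byte to read */
            return -1;
        uint8_t len = pkt[i + 1];
        /* Length must cover its own header and stay inside the packet;
         * pkt_len - i cannot underflow because i < pkt_len here. */
        if (len < 2 || len > pkt_len - i)
            return -1;
        size_t payload = (size_t)len - 2;
        if (payload > OPT_MAX - used)   /* copy must fit the caller's buffer */
            return -1;
        memcpy(out + used, pkt + i + 2, payload);
        used += payload;
        count++;
        i += len;
    }
    *out_len = used;
    return count;
}

/* Constructed vectors below; each returns 1 when the parser behaves as intended. */

int check_well_formed(void)
{
    /* MSS-style option (kind 2, len 4, payload 0x05 0xb4), then NOP, then END */
    static const uint8_t pkt[] = {2, 4, 0x05, 0xb4, 1, 0};
    uint8_t out[OPT_MAX];
    size_t n = 0;
    int r = parse_options_safe(pkt, sizeof pkt, out, &n);
    return r == 1 && n == 2 && out[0] == 0x05 && out[1] == 0xb4;
}

int check_length_exceeds_packet(void)
{
    static const uint8_t pkt[] = {2, 40, 0x05, 0xb4};  /* claims 40, only 4 present */
    uint8_t out[OPT_MAX];
    size_t n = 0;
    return parse_options_safe(pkt, sizeof pkt, out, &n) == -1;
}

int check_truncated_after_kind(void)
{
    static const uint8_t pkt[] = {1, 2};               /* NOP, then kind with no length */
    uint8_t out[OPT_MAX];
    size_t n = 0;
    return parse_options_safe(pkt, sizeof pkt, out, &n) == -1;
}

int check_zero_length(void)
{
    static const uint8_t pkt[] = {2, 0, 0, 0};         /* length below its own header */
    uint8_t out[OPT_MAX];
    size_t n = 0;
    return parse_options_safe(pkt, sizeof pkt, out, &n) == -1;
}

int check_overflows_out(void)
{
    /* Three options of kind 3, len 10 (8 payload bytes each): 24 bytes > OPT_MAX */
    uint8_t pkt[30];
    for (int k = 0; k < 3; k++) {
        pkt[k * 10] = 3;
        pkt[k * 10 + 1] = 10;
        memset(pkt + k * 10 + 2, 0xaa, 8);
    }
    uint8_t out[OPT_MAX];
    size_t n = 0;
    return parse_options_safe(pkt, sizeof pkt, out, &n) == -1;
}

int main(void)
{
    printf("well-formed: %d, oversize len: %d, truncated: %d, zero len: %d, buffer: %d\n",
           check_well_formed(), check_length_exceeds_packet(),
           check_truncated_after_kind(), check_zero_length(), check_overflows_out());
    return 0;
}
```

The point of the vector functions is that they can sit in the stack's own regression suite: once you own the source, the cheapest defence is keeping a set of malformed packets that every length check must keep rejecting.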

Yeah, this kinda thing bothers the crap out of me.
There's a zillion dollars put into safety & compliance for the hardware, and then they shove on some fart-in-a-jar operating system / firmware and leave you with it.

I just think some things shouldn't have a stack. I don't need to ping my light bulb. My flatmate's light bulb on the network here never shuts up.

