What happens when embedded applications are combined with wireless connectivity? The answer: a hacker's paradise! That was the point stressed by Cylance CEO Stuart McClure in his keynote at the recent Embedded World show in Nuremberg, Germany. He argued that as the inevitable move toward networked embedded devices continues, the risk of hackers attacking over the network keeps rising.
Stuart McClure was formerly CTO of the antivirus software company McAfee and is now CEO of the security services company Cylance. The California-based startup recently received $15 million in investment from Khosla Ventures and Fairhaven Capital.
McClure stressed that many companies do not take the importance of secure design seriously. Using an insulin pump for diabetics as an example, he said that hackers could alter the measured dosage being delivered, with potential harm to the user.
By McClure's estimate there are roughly 10 billion embedded devices worldwide, but most were designed without security in mind. Early embedded systems were mostly isolated, stand-alone items, but as more and more devices gain wireless and wired connections of every kind, the resulting interconnectivity also means that once security is breached, more sensitive information becomes reachable.
"The security of today's embedded systems is not affected by weather, and it also has the advantages of resilience, availability and tamper resistance. But that is not enough. And even when encryption is used, it is often easily bypassed," McClure said. "Right now we are just patching; everything we do is merely treating symptoms. The symptoms are simple, so we can deal with them, but that is not wise, and however hard we try, it is in vain."
McClure cited some alarming hacking cases, such as intrusions into automatic teller machines, medical infusion pumps, and the tram service in Lodz, Poland. In 2008 a 14-year-old boy noticed that tram drivers used an infrared remote control to switch the tram tracks. McClure said the boy cracked the codes of a TV remote control, converted it into a track switch controller, and used it to derail trams. Mobile phones are among the least secure devices, yet they are also the devices on which we are prepared to pay with credit cards.
McClure also mentioned smart TVs. Cylance actively looked for ways to hack Samsung's latest Smart TVs and found that the obvious connections, Wi-Fi and Bluetooth, were well protected. However, to accommodate legacy remote controls, the latest generation of smart TVs still uses a legacy, unauthenticated infrared sensor. As a result, McClure said, a hacker could very likely gain full system resources; and since a smart TV is an internet-connected device carrying data such as email traffic and credit card numbers, users are exposed to the risk of data leakage.
McClure believes that securing embedded systems is neither too difficult nor too expensive. He pointed out that about 90% of hacks use the system's conventional inputs; 8% exploit problems arising in the embedded processing and software; and, surprisingly, another 2% attack the system output.
Nevertheless, McClure stressed that embedded-system security requires a more holistic solution, with the emphasis on prevention rather than cure.
This article is translated with permission from EE Times. All rights reserved; reproduction prohibited.
Translated by: Susan Hong
Original English article: Embedded systems next for hack attacks, by Peter Clarke
Embedded systems next for hack attacks
Peter Clarke
NUREMBERG, Germany – Put embedded applications and wireless connectivity together and what have you got? A hacker's paradise is the answer, according to Stuart McClure, who gave a keynote speech on the opening day of the Embedded World conference here.
McClure, a former CTO of antivirus software company McAfee, now leads the security services startup Cylance Inc. (Irvine, Calif.), which has just announced $15 million in funding from Khosla Ventures and Fairhaven Capital.
McClure made the point that many companies are casual about secure design and then reluctant to close loopholes. He spoke of an insulin pump that Cylance was able to hack, altering the measured dosage delivered, with the obvious potential for harm to a user. "It's a feature," the vendor said when shown.
There are about 10 billion embedded devices worldwide, McClure estimated, and many have been designed without much thought to security, he added. While in the early days embedded systems tended to be isolated, stand-alone items, devices are increasingly being created with multiple wireless and wired connections, and that interconnectivity means that once security is breached there is the possibility of accessing more sensitive information.
"Security in embedded today is weatherproofing, resilience, availability and tamper-proofing. It's not enough. Even with encryption, which can often be easily bypassed," McClure said. "Right now we are just patching. Symptom management is what we are doing. We treat the symptoms because it's easy – but it's a fool's game. You are always chasing your tail."
McClure went on to recount some horror stories of hacks on automatic teller machines, on medical infusion pumps, and on the tram service in Lodz, Poland, where in 2008 a 14-year-old boy noticed the tram drivers were using an IR remote control to switch points ahead of the tram. "He probably brute-forced the codes on his TV remote but he derailed four trams," said McClure. Mobile phones are some of the most insecure devices, and yet they are also devices on which we are prepared to use credit card details.
One of McClure's last examples was the smart TV. Cylance was eager to find whether there was a way to hack the latest Samsung Smart TVs, but generally found that the obvious connections such as Wi-Fi and Bluetooth were well protected. It was then discovered that, to cope with legacy remote controls, these latest smart TVs still have a legacy, unauthenticated infrared sensor. McClure said that he plans to demonstrate that, once in, it is possible to gain access to the full system resources and to pose as a user; because smart TVs are a full internet terminal, that could include access to email traffic and credit card numbers.
McClure denied that it is too difficult or expensive to secure embedded systems against hacks. As well as promoting his latest book, "Hacking Exposed", McClure gave a quick guide to where effort can best be deployed to close the security loopholes. Some 90 percent of hacks are made using the conventional inputs of the system. About 8 percent are through faults in the embedded processing and software, and a surprising 2 percent are done by attacking the system output.
However, McClure's message was that it is necessary to take a holistic approach to the security of embedded systems and to focus on prevention rather than cure. What was not included in McClure's keynote is how the costs and benefits of such an approach stack up.
Editor: Quentin