Microsoft's decision to end support for Windows XP in April was met with a collective gulp by the IT community. For good reason: Approximately 30 percent of all desktop systems continue to run XP despite Microsoft's decision to stop offering security updates. Furthermore, a critical security flaw in Internet Explorer 8 disclosed recently by HP's TippingPoint Division opens the door to remote attacks on XP systems that use IE8.
But Windows XP is just the tip of an ever-widening iceberg: software and hardware that is unpatchable and unsupportable -- by policy or design. In fact, the trend toward systems and devices that, once deployed, stubbornly "keep on ticking" regardless of the wishes of those who deploy them is fast becoming an IT security nightmare made real, affecting everything from mom-and-pop shops to power stations.
This unpatchable hell is a problem with many fathers, from recalcitrant vendors to customers wary of -- or hostile to -- change. But with the number and diversity of connected endpoints expected to skyrocket in the next decade, radical measures are fast becoming necessary to ensure that today's "smart" devices and embedded systems don't haunt us for years down the line.
Trouble close to home
The problem of unsupported or undersupported devices hits close to home for millions of broadband users in the United States and Europe. Broadband routers humming away peacefully in attics and home offices have become the latest targets of sophisticated cyber criminal groups.
A string of incidents in recent months have underscored the vulnerability of this population of loosely managed and configured devices. In March, the security consultancy Team Cymru warned that hackers had compromised some 300,000 small- and home-office broadband routers made by firms D-Link, Micronet, Tenda, and TP-Link, among others.
That attack followed a similar incident in which compromised home routers were used in attacks on online banking customers in Poland and the appearance, in February, of a virus dubbed "The Moon," which spreads between Linksys E-Series home routers, exploiting an authentication bypass vulnerability in the systems.
Worse, these attacks relied on the same set of problems common to embedded systems: poor (or "commodity") engineering, insecure default settings, the use of hard-coded (permanent) "backdoor" accounts, and a lack of sophistication on the part of device owners, Team Cymru reported.
"As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce," Team Cymru concluded in its report. "Security for these devices is typically a secondary concern to cost and usability, and has traditionally been overlooked by both manufacturers and consumers."
Next section: A green light for attacks