[bluedonuts]

Around 10 years ago i worked in a company that had lots of software and physical VOIP phones. One of the models of phone had a pretty nice colour screen on it. I forget the brand .. it might have been polycom.

At that time I was very much into nmap'ing everything and noticed that these devices had all sorts of interesting ports open including telnet and ftp. FTP was read only for anonymous but it was trivial to download and crack the passwd file and discover that the admin password was something like 1234. My colleagues and I only got as far as showing images on the screen to surprise people but my imagination was running wild with the surveillance possibilities (let alone doom!).

This was one of my first glimpses as how bad security on commercial embedded devices can be.

[beebeepka]

Interesting. Do you think these phones were made that way by design? I am having a real hard time believing people with capability to produce these products are unable to secure them in any meaningful way.

Maybe I'm just too cinycal

[brk]

IME, it is sort of by design. I have worked for a number of companies developing forms of embedded products. It often felt like nobody really felt like the product was 'complete' until we were 8 or so major releases into things. So you wind up with things like SSH, FTP, etc. either directly enabled, or easily enabled via a not-very-well-hidden method to allow the dev or support teams to get into devices that were not behaving properly in the field so that they could diagnose/fix issues.

It's only been about the last 4 years or so that companies have started to realize the risks in operating this way, and I feel that a lot of that has been brought on by the end-user/buyer organization starting to require cyber security audits and asking more questions about cyber security during the buying cycle.

[janto]

Indeed. The biggest immediate risk to a newly developed product is that it won't even have any users, much less a sufficiently interested attacker. So why add initial obstacles for yourself, right? So yeah, if effort to increase security is not valued by the buyer it ain't gonna happen.