As my friend Mark Curphey turned into a cartoon several months ago, you're probably using Linux in some appliances that you thought were firmware-based. I know I've seen enough of them over the past couple of years.
Some unusual places I've seen Linux:
- SoHo router/firewalls
- SoHo network drives
- iSCSI drive trays and controllers
- SAN replication appliances
- PDAs
- DVRs
And the list goes on and on. There are a couple of reasons why this is so prevalent. The first is that it's easier to reuse than it is to create from scratch, so developers and their managers like open source. Being a dotcom refugee myself, I can say that this is one of the reasons that startups have always been associated with Linux.
So what does this have to do with security? Well, a couple of things I want to highlight:
#1 If it's Linux, it's modifiable. Look at all the many things you can do now with the Linksys WRT54G or NSLU2. The catch is that anything you can modify can be made to do things it was never intended to do. This is both a boon to the defender and the attacker, and you need to keep in mind that instead of an appliance, you're buying a server. I'm waiting for somebody to come up with a homebrew version of SILICA based on one of these appliances.
#2 is that you inherit some risks from Linux that you would normally not consider. I.e., if the appliance is managed via ssh, you have inherited the OpenSSL bugs along with it. Where normally you would be fairly safe because of the obscurity of the device, you are now running a piece of mainstream software, and its bugs are tracked and published just as widely as on any server.
I guess as with anything, caveat emptor, but it doesn't hurt to ask beforehand what the appliance is running under the hood.