12-24-2019, 03:07 PM
(12-24-2019, 11:51 AM)danbrotherston Wrote:(12-24-2019, 10:36 AM)ijmorlan Wrote: Whether that matters depends on the system design. In a typical embedded system, most vectors for malware don’t exist. The network connection can be directly to a master controller; there can be no USB ports or accessible removable media storage devices; and so on.
Of course, if somebody designs the system on the assumption it will be on a completely private network and then just puts it on the Internet, all bets are off.
I bet you 50 bucks there is a usb port on our payment terminals, that is no more inaccessible than an easily picked lock away.
Touché. I’m implicitly assuming good physical security, which is probably a pretty bad assumption.
It depends a lot on the threat model. Desktop computer systems now really need to be secure against arbitrary JavaScript running in a website; servers (and some desktops) need to be secure against arbitrary network packets arriving on the network interface. Otherwise they will become part of a botnet. By contrast, putting malware on a ticket vending machine by picking a lock and plugging in a USB device is a lot of work. Unless of course it is part of a fraud scheme to subvert the payment system. But in that case maybe they can just get the person with the key to install the malware.