Office gear like printers and phones may not look like computers, but they are vulnerable to hackers
- Embedded computers are microprocessors inside electronic devices that are not typically thought to be computers.
- The embedded device market is on the rise and expected to be worth more than $214 billion by next year.
- A cybersecurity firm that specializes in embedded devices says many of these devices have vulnerabilities. They demoed some of these attacks for CNBC.
Your office phone, the printer, the building control system — these may not sound like computers, but they can all be hacked, according to cybersecurity pros.
"This is probably the most important cybersecurity threat that we have today because these computers control every single aspect of our critical infrastructure that we depend on every single day," said Ang Cui, the CEO of Red Balloon, a New York City-based cybersecurity company that specializes in keeping devices safe.
These devices contain what are known as embedded computers — microprocessors that use software to execute simple commands.
"An embedded computer is pretty much everything that is not a laptop, server, or a desktop," Cui said.
Embedded computers are found in smart home devices, medical gear, cars, financial exchanges, power plants and more.
Companies have been compromised through embedded computers. Target's 2013 data breach occurred after malware was installed on its point-of-sale system, which incorporates embedded devices. Since the breach, Target says it has taken actions including developing point-of-sale management tools and decommissioning vendor access to the server impacted in the breach.
"[The breach] certainly cost Target a great deal of money and a great deal of headache," Cui said. "They're by no means the only company that had to recover from some event like this."
The embedded device market is not slowing down. It is projected to be worth more than $214 billion by 2020, according to Radiant Insights, a market research company.
The number of devices is also on the rise.
"By most people's estimates, we're going to have about 20 to 25 billion embedded devices in about 15 years," Cui said. "That is obviously more than one embedded device per person on this planet."
Security as marketing advantage
The rise in embedded devices is creating a market advantage for some companies. HP is the largest manufacturer of printers, which contain embedded devices. The company advertises that it makes the world's most secure printers.
HP did not make that claim lightly, according to Shivaun Albright, HP's chief technologist of print security.
"Historically, printers are one of the most common…devices," she said. "We want to reduce security risks as much as possible."
Still, Albright admits vulnerabilities can happen. "I don't think any company could claim they don't have bugs."
It's something the Red Balloon team knows well. The company tests devices by seeing if they can break in. Cui says 100 percent of the devices they can test can be compromised in some way.
Earlier this year, Red Balloon discovered a critical vulnerability in millions of devices made by Cisco. The team announced the finding in May after telling Cisco.
"Most of the vendors that we work with are very open to certainly getting vulnerability disclosures and they are fairly open to fixing these problems quickly," Cui said.
Cisco published a critical advisory after becoming aware of the vulnerability.
"Cisco is committed to transparency. When security issues arise, we handle them openly and as a matter of top priority, so our customers understand the issue and how to address it," a Cisco spokesperson said in part in a statement emailed to CNBC. "[Cisco] is not aware of any malicious use of the vulnerability that is described in this advisory. Cisco will release fixes for this vulnerability."
Red Balloon demonstrated for CNBC hacking into an office phone, a computer monitor and a building controller to access fans that control air flow. Cui says attackers could pull off similar attacks from anywhere in the world.
The team forced the fan to change directions, which could potentially force dangerous air into clean rooms. They then were able to make the fan go up in smoke by changing the direction the fan was blowing multiple times quickly. The quick changes caused the fan to overheat.
Red Balloon simulated altering a factory monitoring system by hacking into the monitor. An operator looking at the system would think something went wrong.
"There are at least three different computers inside the monitor itself that we can hack," Cui said.
Most office phones have computers in them, particularly IP (Internet Protocol) phones, which send voice calls over data networks.
"If you see a telephone sitting on your desk, chances are there is a fairly powerful processor in there running a full operating system. And that phone is basically a general-purpose computer shoved into a plastic case that makes it look like a phone," Cui said.
Red Balloon demonstrated hacking into a Cisco phone so that they could listen in on everything being said.
"We can confirm that workarounds and a software patch were made available in November 2014 to address this vulnerability. Successful exploitation requires physical access to the device serial port, or the combination of remote authentication privileges and non-default device settings," a Cisco spokesperson said in part when asked about the vulnerability.
Cui says the vulnerabilities exist in other brands of phones, monitors and office controllers and the ones he showed us are just examples.
"We've found a vulnerability inside every single IP phone that we've ever opened," Cui said. "Each time we look at an IP phone we find some way to hack it."
CNBC reached out to other industry leaders to find out what they are doing to keep their devices secure.
In addition to printers, HP makes computer monitors and other devices.
"HP at the heart, we design with security in mind," said Andy Rhodes, HP's general manager and global head of the commercial PC business. "We also use what's called bug bounties. We actually pay ethical hackers to try and get into our systems to see how secure they are."
Chinese telecommunication company Huawei did not respond to our request for comment.
The best advice for companies worried about embedded device security is to contact device manufacturers.
"Go complain to the people that make these things that are insecure. And if enough of us do it and raise this concern over and over again, we will influence the makers of these things to make a more secure product," Cui said.
Consumers play a role too, since some embedded devices are made for home use.
"The best thing that the average person can do is to raise your concern about security with every product that you buy. Instead of … finding the cheapest, smart home automation doo-dad that works, you should ask the question of is this fairly secure," Cui said.