When we talk about security vulnerabilities in software, it’s worth thinking about computer programmes on a fundamental level. At the simplest level, a computer programme is something which takes in an input, usually from the user in the form of text, processes that input, which changes the state of the machine, and then gives an output or result back to the user. A bug is when certain inputs aren’t processed correctly and the wrong output is given; for example, if 1 plus 1 results in 3. A security bug, however, is when a certain input is processed in such a way that it compromises the security of information managed by the programme, and may even output that information. We often see this in practice in web applications.
For example, some web applications have text boxes that let users log in to the website. Behind the scenes, the website is querying the back-end database using a language called SQL to check if the user’s login details are valid. It’s often possible to type certain characters in the login box that let a malicious user inject his or her own code into the SQL query. That injected code can do things like delete the records from the database or reveal other users’ password hashes. This is made possible by the fact that SQL, like other languages, has its own syntax. For example, quotation marks are used to denote strings.
If the user is allowed to type quotation marks into a form field whose input is placed inside a string, they can break out of the string and into the code of the query itself. In the context of embedded systems like Internet of Things devices, we often find that the same kind of vulnerabilities exist. Vendors tend to make great hardware, but put very little effort into the software. For example, routers often have an internal web application that the user can access to configure the router, and those applications are very often vulnerable to SQL injection, and with some ingenuity, can be exploited remotely.
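The quote breakout described above, as an added example that is not part of the original text: a login check built by string concatenation next to the same check using bound parameters, run against a constructed in-memory SQLite database with one made-up user. The `--` comment syntax, the table layout and the `demo` helper are assumptions for the illustration.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory database with one user; the hash is of a made-up password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so a quotation mark typed by the
    user closes the string literal and the rest of the input is parsed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password_hash = '" + pw_hash + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver passes the input as data,
    so quotation marks never reach the SQL parser as syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, pw_hash)).fetchone() is not None


def demo():
    """Runs both versions against a normal login and against an input containing
    a quotation mark (constructed test input); returns the four results."""
    conn = make_db()
    # The quote closes the username string; '--' turns the rest of the query
    # (including the password check) into a SQL comment.
    breakout = "alice' --"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_breakout": login_vulnerable(conn, breakout, "wrong password"),
        "safe_valid": login_safe(conn, "alice", "correct horse"),
        "safe_breakout": login_safe(conn, breakout, "wrong password"),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version accepts the quote-containing input without a valid password; the parameterised version treats the same characters as an ordinary (non-existent) username and rejects it.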
Devices also often provide web APIs to allow other devices to communicate with them and send them commands. We often find that these APIs are also vulnerable to the same kind of flaws. We also find, particularly with embedded devices, that the operating system that runs on the device, which is typically Linux, is insecurely configured. For example, user programmes run as admin, or there’s no password to access the remote admin terminal. When designing any kind of computer programme, you should assume that your user is either a complete idiot or a malicious hacker trying everything he can to break your application.