A new report from NCC Group Inc., a Manchester-based IT consultancy, has raised serious concerns about thin client security.
The penetration testers at NCC reviewed systems from Wyse Technology Inc., Hewlett-Packard Co. and VXL Instruments Ltd., and said they found weaknesses that could easily be exploited by an attacker. The claim contradicts one of the main planks of thin client computing, that thin clients are inherently more secure than an estate of full-featured PCs.
Thin clients are terminals with no hard disk and limited local processing. All applications and data sit on a central server that processes activities. The devices have a slimmed down operating system embedded in firmware, which can be proprietary, Linux or a version of Windows XP. Most thin clients also communicate with management systems, which, among other configuration and update functions, enhance the server operating system by adding mechanisms like load balancing or local storage options.
"As our research shows, these devices suffer from just as many 'out of the box' security issues as desktop software packages. Possibly more worrying is that the biggest risk posed by some of the vulnerabilities we have discovered is that of a 'mass denial-of-service' attack on an entire estate of thin client systems. This would have a devastating effect on many operations, such as network operations centres, call centres and other similar environments," according to the report.
Part of the problem, said the researchers, is that most support teams do not have the relevant skills to handle Linux-based systems and do not appreciate that the built-in firmware in thin clients also needs to be kept up to date and patched. "How many deployments consider patching policy once the estate has been rolled out?" asked the analysts.
The testers assessed the devices using packet-analysis software and common port-scanning utilities to identify open ports, fingerprint services and protocols in order to see how devices communicate with management services during a profiling exercise. They then created attack code to attempt to exploit vulnerabilities or insecure protocols, the same way an attacker would when targeting a network containing thin client devices.
The testers discovered a number of serious thin client security risks. For instance, management protocols did not use encryption or authentication between the thin clients and the management software. Such a configuration meant that protocols were in clear text and thus susceptible to man-in-the-middle attacks and layer-2 network attacks. The only exception was the HP Compaq T5700 series, which supported the use of a keyfile and encryption between the client device and the Altiris Inc. management software. The protection, however, was not the default out-of-the-box setting.
Even though the HP T-series had some security options, the researchers found it was possible to spoof the Altiris management software and transmit executables to client devices.
In the case of the VXL system, the report explained how an attacker could detect the password required to access the Web management interface of the client device, and unleash an address resolution protocol (ARP) spoof to a large number of devices and perform a "ping flood" or DDoS attack against the whole infrastructure.
The Wyse Device Manager was also found to have weaknesses. Since it probes subnets for Wyse devices, an attacker with a packet sniffer can analyze these probes to fingerprint and identify Wyse thin client devices on the network. An attacker could also connect to the Web service and falsify registration requests with fake MAC and IP addresses, as no form of validation is performed within WDM of the data sent to the server. "This allows an attacker to flood the WDM with bogus devices and cause general annoyance to administrators attempting to maintain the thin client device estate," according to the report.
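The report's point about WDM is that registration data is accepted without validation. The following is an added example (not NCC's code and not part of any vendor's product) of the server-side checks a management service could apply to incoming device registrations: MAC format and vendor prefix, claimed IP versus the sending address and managed subnets, and a per-source cap that flags a flood of bogus devices. The managed subnet, the accepted OUI prefix, the cap and the sample events are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
MANAGED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: the estate's subnet
KNOWN_OUIS = {"00:11:22"}                                # placeholder OUI, not a real vendor prefix
MAX_DEVICES_PER_SOURCE = 5                               # assumption: one sender registers few devices


def validate_registration(mac, ip, source_ip):
    """Return a list of reasons a registration looks bogus (empty list = accept)."""
    reasons = []
    if not MAC_RE.match(mac):
        reasons.append("malformed mac")
    elif mac.lower()[:8] not in KNOWN_OUIS:
        reasons.append("unexpected oui")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        reasons.append("malformed ip")
        addr = None
    if addr is not None:
        if not any(addr in net for net in MANAGED_NETS):
            reasons.append("ip outside managed subnets")
        if ipaddress.ip_address(source_ip) != addr:
            reasons.append("claimed ip differs from sender")
    return reasons


def triage(events):
    """Validate each registration and flag senders that register too many distinct devices."""
    seen_per_source = defaultdict(set)
    findings = []
    for ev in events:
        reasons = validate_registration(ev["mac"], ev["ip"], ev["src"])
        seen_per_source[ev["src"]].add(ev["mac"])
        if len(seen_per_source[ev["src"]]) > MAX_DEVICES_PER_SOURCE:
            reasons.append("registration flood from source")
        if reasons:
            findings.append((ev["mac"], reasons))
    return findings


# Constructed sample: two legitimate registrations, then one host sending bogus ones.
SAMPLE_EVENTS = [
    {"src": "10.20.1.15", "mac": "00:11:22:aa:bb:01", "ip": "10.20.1.15"},
    {"src": "10.20.1.16", "mac": "00:11:22:aa:bb:02", "ip": "10.20.1.16"},
    {"src": "10.20.9.9", "mac": "de:ad:be:ef:00:01", "ip": "192.168.50.1"},
    {"src": "10.20.9.9", "mac": "zz:zz", "ip": "10.20.9.9"},
] + [{"src": "10.20.9.9", "mac": f"00:11:22:00:00:{i:02x}", "ip": "10.20.9.9"} for i in range(6)]

if __name__ == "__main__":
    for mac, reasons in triage(SAMPLE_EVENTS):
        print(mac, "->", ", ".join(reasons))
```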
The researchers also demonstrated how the thin client software is vulnerable to buffer overflows, which could be exploited by a hacker.
And while the lack of a hard disk is a clear advantage when it comes to disposing of hardware, the report says redundant devices may still hide some secrets. The researchers bought devices on eBay that still contained VPN client and connection credentials that would allow anyone to reconnect to the former owner's network.
"This is a good example of people adopting a new technology because there is a strong business case for doing so, but giving scant regard for any security issues that may ensue," said Paul Vlissidis, technical director of NCC Group.
"The irony in this case is that companies are trying to get rid of their desktop estate of PCs because they pose a risk. It's a bit like that game 'Splat the Rat' -- they may get rid of one risk, but it just introduces a range of others."
He said the thin client security results had been reported to the vendors, and added that since completing the research, NCC had examined two other leading makes of thin client, and found similar weaknesses.
The systems tested were:
| Manufacturer | Model | OS Platform | Management Software |
| --- | --- | --- | --- |
| HP Compaq | T5700 | Windows XPe | Altiris (v6.9 sp2) |
| Wyse | V90L | Windows XPe | Wyse Device Manager (v4.7.1) |
| Wyse | S10 | Wyse Thin-OS | Wyse Device Manager (v4.7.1) |
| VXL | Itona V17 | Linux | XLmanage (v2.6) |