We know that our organizations will adopt and use more devices over time. Given the growth of cheap computing, frameworks for managing devices, and the desire for more data, I expect some of those devices will collect data, or even contain databases. Azure SQL Edge use is growing, and we will see more devices that contain it (or another database platform), which means we have a larger attack surface area for that data.
There was a recent report on a vulnerability in edge devices used by AT&T that was detected as part of an attack. The attack used a known vulnerability based on default credentials. The vulnerability was fixed, but the patch required manual work. From various reports, it is unclear whether devices have been patched. It’s also unclear if customer data was accessed. Here is one such report, but there are others, all with similar information.
When developers build something, whether a device or just software, we often set up easy ways for us to access the system to test features and functionality. Certainly when software is deployed to users, there is often a default credential that is supplied. I don’t know if this is good or bad, and if the management of random credentials for each device might result in better or worse security. Strong passwords might lull customers into feeling that they don’t need to change anything.
I do think that the installation of any software ought to require a strong password. Once one is entered, any defaults ought to be permanently removed or changed. Leaving around defaults for maintenance or ease of updates is a sure way to get hacked. If we’ve learned anything in the age of computing, it ought to be that anything you deploy in the wild will be taken apart and analyzed by someone. Hard-coded values or default accounts will become known.
The bigger problem might be that patching is still a problem and even more of a problem when it’s not easy. I know that the SQL Server update system is fairly easy, but not dead simple. Many people still don’t apply patches. Heck, even when updates are built into something like Windows, people try to avoid patching their systems.
For those of us who work with databases, we may or may not control the update process. We can, however, ensure that those who do are aware of when patches are available, how far behind the system is, and where to get the patch. That information, and a little pressure, will become increasingly important as we deploy and work with data on more edge devices.