Flaws discovered in the Windows CE operating system that’s commonly found in industrial and medical settings pose cybersecurity risks to factories and hospitals, as well as to devices such as vending machines, public kiosks, and vehicle infotainment systems.
In the first of a four-part blog series posted on Feb. 26, Claroty’s Team82 described how it developed an application that promises to give the researchers more insight into the various flaws, which Claroty said it will report on in more detail as the series progresses.
The Claroty researchers explained that Windows CE is used widely in industrial settings because of its ease of access. It’s most often used in critical factory machinery, and is easily configurable and customizable, making it a great fit for human-machine interface (HMI) systems.
“Windows CE has long been end-of-life from Microsoft and no longer receives regular support,” said Thomas Richards, principal consultant, network and red team practice director, Black Duck. “Vulnerabilities discovered in the OS will go unpatched and will pose a continued risk to organizations that still rely on it for business operations.”
Richards said the industrial systems that rely on Windows CE were put in decades ago, and it can take significant steps to properly secure or upgrade them to prevent an attack. If possible, Richards said, these critical systems should be air-gapped from other networks to prevent an attacker from gaining access to them. A failure could cause physical harm or damage, depending on the type of machine that’s using Windows CE.
“The long-term goal should be to upgrade these systems with modern OSes that receive regular updates and are not prone to known vulnerabilities,” said Richards.
Agnidipta Sarkar, vice president and CISO Advisory at ColorTokens, added that the OT/ICS cybersecurity community has known for a long time that Windows CE systems are vulnerable.
“Most of these systems are either not replaceable or are cost-prohibitive to do so,” said Sarkar. “That’s why they are usually air-gapped from any internet-facing systems.”