Claroty‘s research arm, Team82, has released new findings that uncover security risks in the Windows CE operating system, which is widely used in industrial and embedded systems such as HMI (Human Machine Interface) panels, vending machines, and vehicle infotainment systems. Given Windows CE’s presence in critical industrial environments, Team82 conducted an in-depth analysis of its architecture and discovered vulnerabilities that could allow attackers to exploit devices running on this legacy OS.

In the first of a four-part series of research blogs that will examine the Windows CE operating system, Team82 researchers provide a deep dive into Windows CE’s role in ICS (industrial control systems) and SCADA (Supervisory Control and Data Acquisition) environments, revealing significant security challenges in HMI panels and embedded applications. Additionally, the team identified multiple attack vectors that could enable unauthorized access or remote code execution on Windows CE-based systems. They also provided a step-by-step breakdown of how attackers could manipulate application behavior using vulnerabilities in native Windows CE development frameworks.

Team82 introduces native application development on the Windows CE operating system. “Having the capability to build and debug applications on this system will become very useful and important later when researching other applications deployed on devices running with Windows CE operating systems.”

“This operating system is commonly found in industrial settings because of its ease of access. It’s most often used in critical factory machinery, and is easily configurable and customizable, making it a great fit for HMI systems deployments,” the researchers noted. “Windows CE is also suitable in many other scenarios. For example, it is commonly under the hood of devices such as vending machines, public kiosks that display easy-to-use interfaces, and also some vehicle infotainment systems.”

They explained that to “develop our application we need to have a functional workspace—Visual Studio 2005 IDE in this case—that allows us to build and deploy it. This utility will be important in order to compile and deploy our application with ease and a minimum amount of issues.”

The researchers said that they implemented a callback function called WinProc(…), which is in charge of handling the different messages that the window might be notified with. The method implements a switch-case construct to handle each specific window message type.

“The main program routine executes a loop on the main thread of the application to receive different operating system messages, such as interacting with the running process of the application and dispatching them forward to the application’s managed window,” the post added. “These messages then propagate and get caught and handled by this window processing function. For example, in case a message is posted to the window indicating the destruction of it, we invoke the PostQuitMessage(0) method to close our application and terminate its process.”

Visual Studio 2005 has a built-in emulator for the PocketPC 2003 device system, which can be used to test an application before shipping a brand new application to production. “If we did everything correctly, we should be able to get our application to build and deploy on that emulator.”

The researchers then select the object containing the asset, which they “loaded earlier, using the handle variable hBitmap, and fetch its content data into a BITMAP variable also declared earlier. Following these statements, we use the library method BitBlt to pipe our BITMAP variable pixels to our compatible device-context hDcMem.”

“In order to paint text on the application window, we create a solid color brush and define a rectangle to border the prompted text,” Team82 pointed out. “After defining the relevant components hBrush and txtRect, we invoke the library method DrawText with the string ‘Demo.’ Finishing our graphical styling we invoke the method EndPaint. We save our progress. Then we build the application and deploy it on our Pocket PC 2003 emulator to see our results.”
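The WinProc switch-case and main-thread message loop described earlier, together with the WM_PAINT sequence just quoted (select the bitmap, BitBlt it through a memory device context, brush a rectangle, DrawText "Demo", EndPaint), assembled into one minimal Windows CE application as an added example. This is not Team82's code: the resource id IDB_DEMO, the rectangle coordinates, the window class name and the split into an `AppState` struct plus a `handle_message` function are assumptions made here. The `#else` branch defines stand-in types and macros so that the dispatch and lifecycle logic also compiles on a non-Windows host; on a Windows CE target the real windows.h is used.

```c
#define IDB_DEMO 101   /* assumed resource id of the bitmap in the project's .rc file */
#ifdef _WIN32
#include <windows.h>
#else   /* stand-ins so the dispatch/lifecycle logic compiles and can be checked off-target */
#include <stddef.h>
typedef unsigned int UINT; typedef void *HWND; typedef void *HBITMAP;
static int g_fakeBitmap;
#define WM_CREATE  0x0001
#define WM_DESTROY 0x0002
#define WM_PAINT   0x000F
#define GetModuleHandle(m)    NULL
#define MAKEINTRESOURCE(id)   (id)
#define LoadBitmap(inst, res) ((HBITMAP)&g_fakeBitmap)   /* pretend the resource loaded */
#define DeleteObject(h)       ((void)(h))
#define PostQuitMessage(code) ((void)(code))
#define paint_window(w, s)    ((void)(w))
#endif

/* Per-window state: the bitmap is loaded once on WM_CREATE and freed once on WM_DESTROY. */
typedef struct { HBITMAP hBitmap; int quitPosted; } AppState;
typedef enum { HANDLED_DEFAULT = 0, HANDLED_CREATE, HANDLED_PAINT, HANDLED_QUIT } Outcome;

#ifdef _WIN32
/* WM_PAINT: blit the bitmap through a memory DC, then draw "Demo" in a brushed rectangle. */
static void paint_window(HWND hWnd, const AppState *st)
{
    PAINTSTRUCT ps;
    RECT txtRect = { 10, 120, 150, 150 };       /* assumed placement of the text box */
    HDC hDc = BeginPaint(hWnd, &ps);
    HDC hDcMem = CreateCompatibleDC(hDc);
    HBRUSH hBrush = CreateSolidBrush(RGB(200, 200, 255));
    if (st->hBitmap) {                          /* tolerate a bitmap that failed to load */
        BITMAP bm;
        HGDIOBJ old = SelectObject(hDcMem, st->hBitmap);
        GetObject(st->hBitmap, sizeof(bm), &bm);
        BitBlt(hDc, 0, 0, bm.bmWidth, bm.bmHeight, hDcMem, 0, 0, SRCCOPY);
        SelectObject(hDcMem, old);
    }
    FillRect(hDc, &txtRect, hBrush);
    DrawText(hDc, TEXT("Demo"), -1, &txtRect, DT_CENTER | DT_VCENTER | DT_SINGLELINE);
    DeleteObject(hBrush);
    DeleteDC(hDcMem);
    EndPaint(hWnd, &ps);
}
#endif

/* The switch-case dispatch from the post. Lifecycle rules worth checking: painting before
 * WM_CREATE is safe, and a repeated WM_DESTROY neither double-frees nor re-posts quit. */
Outcome handle_message(AppState *st, HWND hWnd, UINT msg)
{
    switch (msg) {
    case WM_CREATE:
        st->hBitmap = LoadBitmap(GetModuleHandle(NULL), MAKEINTRESOURCE(IDB_DEMO));
        return HANDLED_CREATE;
    case WM_PAINT:
        paint_window(hWnd, st);
        return HANDLED_PAINT;
    case WM_DESTROY:
        if (st->hBitmap) { DeleteObject(st->hBitmap); st->hBitmap = NULL; }
        if (!st->quitPosted) { PostQuitMessage(0); st->quitPosted = 1; }  /* ends the loop */
        return HANDLED_QUIT;
    default:
        return HANDLED_DEFAULT;                 /* let DefWindowProc handle the rest */
    }
}

#ifdef _WIN32
static AppState g_state;

LRESULT CALLBACK WinProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
    if (handle_message(&g_state, hWnd, msg) == HANDLED_DEFAULT)
        return DefWindowProc(hWnd, msg, wParam, lParam);
    return 0;
}

/* Windows CE signature (Unicode command line). */
int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPWSTR lpCmdLine, int nCmdShow)
{
    WNDCLASS wc = { 0 };
    MSG m;
    HWND hWnd;
    wc.lpfnWndProc = WinProc;
    wc.hInstance = hInst;
    wc.lpszClassName = TEXT("DemoWnd");
    RegisterClass(&wc);
    hWnd = CreateWindow(wc.lpszClassName, TEXT("Demo"), WS_VISIBLE, CW_USEDEFAULT,
                        CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, NULL, NULL, hInst, NULL);
    ShowWindow(hWnd, nCmdShow);
    UpdateWindow(hWnd);
    /* Main loop: pull OS messages from the queue and dispatch them to WinProc. */
    while (GetMessage(&m, NULL, 0, 0) > 0) {
        TranslateMessage(&m);
        DispatchMessage(&m);
    }
    return (int)m.wParam;
}
#endif
```

Keeping the Win32 plumbing (window class, message loop, GDI calls) apart from `handle_message` is the design choice here: the part that decides what each message does can be exercised without a device or emulator, which is where the defensive details live, namely that a paint arriving before the bitmap exists is tolerated and that a second WM_DESTROY does not free the handle twice or post quit again.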

In conclusion, the researchers wrote, “Now that we implemented our application, we may as well deploy on another device to be cross-platform. We reiterate our steps once again with a different deployment target device. This time our application target device will be a Windows CE device.”
