IBM i Security Demystified Blog, Episode 1
I. Introduction “Nobody Can Hack an AS/400.” “Never in my 40 years in the business has anyone hacked an AS/400!” “AS/400’s don’t have hacking problems like Windows computers.” “AS/400’s are bullet-proof. They don’t have zero-days like other computers.” If you know anyone who works with an IBM i (formerly known as "AS/400", also branded as "eServer iSeries"), you may have heard some of these statements, typically spoken with the emphasis of someone who wants it to be true; someone willing to speak loudly enough to overcome their sense of dread: that they may be wrong. … and you may be surprised at just who is using IBM i in 2020. We (Security Researchers Matthew Carpenter and Roni Michaels ) decided to dig into these beasts of old to answer a few question: Is the IBM i "old" and inherently vulnerable? Or Is it a hardened ecosystem whose design and age shield it from hackers? Are it's notable uptime percentages an indicator of a