Do Embedded Systems Need a Time To Die?
chicksdaddy writes: "Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption. 'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?' he wondered. Geer noted the appearance of malware like TheMoon, which spreads between vulnerable home routers, as one example of how a population of vulnerable, unpatchable embedded devices might be cobbled into a force of mass disruption. Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of 'end of life,' past which they will cease to operate. Allowing embedded systems to 'die' will remove a population of remote and insecure devices from the Internet ecosystem and prevent those devices from falling into the hands of cyber criminals or other malicious actors, Geer argued."
Or you could just you know... (Score:3, Insightful)
... change the password to something other than the default.
Re: (Score:3)
or not have a single default password, each device could have a random one set as default (like how each has a unique MAC address for example) that's printed on the back.
Oh, and maybe we could make control software that is designed to automatically update remotely.
Or... radically, we could just not put a network port on them.
Re: (Score:2)
I've always wanted an e-Ink display on consumer routers. Press a button, up comes the password. When the router is completely reset, the default password is randomly re-generated [1], and shown on the display. Of course, this is easily changed, but it would help ensure that router "A" isn't going to have the same default as "B", and that if someone hands the router to another party after it is reset, the previous party won't be privy to the default passcode.
I've wondered what happened to "data diode" tec
Re: (Score:2)
Which assumes there's still someone around releasing updates
What about an EOL date that's calculated from the date of the last update?
No update for 12 months = EOL.
Re: (Score:3)
> Which assumes there's still someone around releasing updates
> What about an EOL date that's calculated from the date of the last update?
> No update for 12 months = EOL.
In an enterprise that sort of management would be fine, but I for one would be pissed to hell if I came home one day and my smart TV refused to turn on because it had gone 12 months with no updates. Like most things, the expectations of performance and security differ in every application, so no single rule will ever solve this.
Re: (Score:2)
> but I for one would be pissed to hell if I came home one day and my smart TV refused to turn on because it had gone 12 months with no updates. Like most things, the expectations of performance and security differ in every application, so no single rule will ever solve this.
Maybe the problem is in consumers' expectations of performance vs their (generally false) assumption of security.
Security can be trained, just like anything else. But, better than anything else, if it can be enforced by the device, we don't have to rely on people who couldn't be bothered to look both ways before crossing the street.
At some point there's going to have to be inconvenience if everything in your life is wired to the internet and you want it actually secure.
Re:Or you could just you know... (Score:4, Informative)
And it's easy to do. Every Polycom comes with the admin password set to the serial number of the unit. Any programmer that made it out of the first year of college could easily add this feature during firmware initialization.
Re: (Score:3)
Because not everyone can be arsed to buy a commercial product to fill a specific need, choosing one designed for that need, and then removing core software or hardware in order to make it "open". Some people like to buy things without having to re-engineer them when they get home.
Don't get me wrong. I rooted both my cellphones shortly after purchase, and I have a Linksys home router running custom firmware. I mod things for performance reasons or because it's interesting
Re: (Score:2)
> Because not everyone can be arsed to buy a commercial product to fill a specific need, choosing one designed for that need, and then removing core software or hardware in order to make it "open". Some people like to buy things without having to re-engineer them when they get home.
> Don't get me wrong. I rooted both my cellphones shortly after purchase, and I have a Linksys home router running custom firmware. I mod things for performance reasons or because it's interesting or enlightening. But not everyone can or should do so. In an ideal world*, the routers would have sane security by default.
> I'll take off my rose-tinted specs now and go back to yelling at the kids on my lawn.
OpenWRT is so fucking easy to install and configure (easier than some consumer out-of-the-box experiences, even) that there really is no excuse if you expect a secure local network. If not, just plan on replacing your firewall/router every year or so to counter the threat of unpatched bugs. To each their own.
Re: (Score:2)
> OpenWRT is so fucking easy to install and configure (easier than some consumer out-of-the-box experiences, even) that there really is no excuse if you expect a secure local network.
No. It's not. To you, or the typical computer tech-savvy /. reader, maybe; but we're not average consumers. My father-in-law is well above average in that he bought a Linksys router rather than depend on the FIOS installed default, and he actually changed the password, but he's not going to reflash it any more than I'm going to rebore my car engine's cylinders with a hand drill. And the various older neighbors who I assist with network stuff, who think the Internet is broken if a web site changes its form
Re: (Score:3)
> OpenWRT is so fucking easy to install and configure (easier than some consumer out-of-the-box experiences, even) that there really is no excuse if you expect a secure local network.
> No. It's not. To you, or the typical computer tech-savvy /. reader, maybe; but we're not average consumers. My father-in-law is well above average in that he bought a Linksys router rather than depend on the FIOS installed default, and he actually changed the password, but he's not going to reflash it any more than I'm going to rebore my car engine's cylinders with a hand drill. And the various older neighbors who I assist with network stuff, who think the Internet is broken if a web site changes its format, would have no clue whatever.
> The REAL question we should all be asking is, If OpenWRT can be so much better, then why is the commercial stuff *not* better?
Step 1, find out what runs on your router (at wikidevi or similar); step 2, download the firmware image (there are even multiple forums with helpful folks to ask if you aren't 100% sure); step 3, flash it the same way you would a normal firmware update; step 4, change the default password, and enjoy your new LAN! The only excuse is not knowing... there is no actual technical knowledge required, just basic keyboard/mouse skills, and reading comprehension.
Step 1, presumes that people are aware there are alternative firmwares for their router, which most non-technical people would not realize, if they even know what a firmware is in the first place.
Step 2, presumes that people can navigate a forum, or possibly multiple forums to find the link to a file that they're looking for. Considering how many people must click on those stupid 'download now' ads that end up on half the file managers out there, and end up with some spyware laden crap on their machine wh
Re:Or you could just you know... (Score:5, Insightful)
> OpenWRT is so fucking easy to install and configure (easier than some consumer out-of-the-box experiences, even) that there really is no excuse if you expect a secure local network ... there is no actual technical knowledge required, just basic keyboard/mouse skills, and reading comprehension.
I think you're *wildly* overestimating the skill and confidence of the average home network user and the quality of open source project web sites. Let me walk you through the hidden minefield in your instructions. I'll use a Linksys WRT150N for reference.
The real Step 1 is "realize that I'm supposed to install OpenWrt, and understand what that means". Most users have little to no idea of how the router actually works, so the idea of upgrading the firmware is not an obvious one.
But let's say someone tells them to do it. They go to the OpenWrt web site. The second sentence under "What is OpenWrt?" is "Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management.". Many users will be too terrified to proceed beyond this point. But let's say they make it to the Table of Hardware [openwrt.org], and skip past the text about developer snapshots and hardware VLANs and the note from 2009 saying that the page might not be up to date. (That's not realistic -- many users expect to read sequentially.) Instead of a column that says "yes, this router is supported", there's a column named "Status" that gives the first OpenWrt version that supports the router. Next to that there's a column named "Version" that is undefined. I'm assuming it's the router version, but many users could get confused. But the important column is the "Target" column, which lists the specific OpenWrt platform that users should (but probably won't) remember for later. There are two targets for the WRT150N and no indication of which to choose. One of them no longer exists in the current version.
Clicking on the model number in the table gives me an unorganized series of notes [openwrt.org] from various users. One of them, "An account of flashing OpenWrt to a WRT150N", sounds sort of like installation instructions, but is too brief and technical to be of any use. It does have a working download link, but it's to a version that's five years old. The one after that suggests that one target option (the nonexistent one) is better than the other. None of this is in clear newbie-friendly language and it's all after pages of Linux log dumps. If they land on this page, most users will probably click the back button as fast as they can.
Alternately, we could do it your way:
> Step 1, find out what runs on your router (at wikidevi or similar)
That's somewhat better, but they still have to read through a dense, abbreviation-heavy table of technical specs. [wikidevi.com] (That's after they figure out they need to search for their router's model number and not "Linksys".) At least there's a simple indication that OpenWrt supports the router. But how would they know to go to WikiDevi? I hadn't even heard of it before today. And most importantly, how would they figure out which target to use, or even that targets exist?
> step 2, download the firmware image
Now we're in for some fun! There's a download link at the top of the OpenWrt site. Clicking on it gives me a directory listing. [openwrt.org] None of the directory names look like they contain software to download, even to me. On the right side of the OpenWrt main page there's another download link for the latest release. This gives another directory listing. [openwrt.org] (Apparently the correct directory is /attitude_adjustment/12.09.) Now there's a list of subdirectories that look (to me) like p
Re: (Score:2)
Oh come on, it is most definitely not easy to install, and even less easy to configure. If your grandma can do this then you have a very special grandma rather than an average one.
First thing to do with OpenWRT is spend time searching databases to figure out whether or not OpenWRT will even run on your device. Second step is to notice that your device has a "*" next to it which leads to a footnote indicating that special caveats apply, such as looking up what revision number of the device you have (the nu
Re: (Score:2)
Why weren't you running Openwrt?
I don't know about him, but in my case, I happen to like having 5GHz 802.11ac with beamforming. The last time I checked, every open firmware in existence for the AC68U has broken support for 5GHz 802.11ac and its advanced radio features.
Re:Or you could just you know... (Score:5, Insightful)
And how do you predict when that would be?
Does it help at all when I design my embedded device to self-destruct on 14 May 2019, if the next Heartbleed-type bug affecting it is found tomorrow?
Are my customers going to come back and buy from me again if it is still rock solid with no known bugs on the day I choose for it to expire, and word quickly gets around that everyone's device was preprogrammed to die on that day?
Re: (Score:2)
> Does it help at all when I design my embedded device to self-destruct on 14 May 2019, if the next Heartbleed-type bug affecting it is found tomorrow?
Yes. This story was on /. only last week:
http://it.slashdot.org/story/14/05/09/1240238/one-month-later-300000-servers-remain-vulnerable-to-heartbleed [slashdot.org]
At least a self destruct would give us a firm date for when all the affected devices will be off the internet.
Otherwise there will be people using affected hardware/software until the electrolyte leaks out of the capacitors.
Re: (Score:2)
I think if a product "dies" before it wears out, the customers will be highly annoyed. Customers generally do not want planned obsolescence forced on them. They don't want the Windows XP model where something that is perfectly functioning is made obsolete in an effort to drive sales. They'd rather buy the car than lease it.
Products can be upgraded over time though, they don't have to be stuck with the same firmware they shipped with forever.
And don't forget the vast number of embedded devices which are n
Re: (Score:2)
ipv6 (which no consumer ISP is supporting, not even comcast who was running trials)
As of December last year, more than 25% of Comcast customers can get native dual stack broadband - see http://www.comcast6.net/ [comcast6.net]
Dan Geer, the CISO of In-Q-Tel, (Score:5, Informative)
In-Q-Tel [iqt.org]
Re: (Score:3)
OK, this makes more sense. Only true morons of that caliber could imagine that ripping and replacing the control system for a power dam, the guts of a multimillion dollar CNC mill, or the access control system for an entire enterprise every few years was a good thing. Know how long it takes to update the embedded firmware on a reader board over RS-485? Fifteen to forty five minutes. Each door. I've worked in enterprises with as many as 21000 reader panels.
Not just "NO", but "NO FUCKING WAY, NO!"
Terrible idea (Score:5, Informative)
You'll have to install custom firmware to prevent things from having to go to the dump on their third birthday?
Seems pretty ridiculous, not to mention that it can still have a hole exploited on the day they launch the device, and not be updated for years (in its allotted lifespan).
I'm more for the option of make things easier to update, and, the important part... actually release bloody updates! I'm looking at you, almost every embedded device manufacturer out there.
Re: (Score:2)
Try a Nexus; Droid vendors tend to only update currently-for-sale hardware, and that changes every 6-12 months.
Re: (Score:3)
I thought so too and selected a Nexus 5, but since purchase in January it has got only one system update, and that happened on the first day I used the phone. It seems that Google cares about bugs on already sold devices as much as anybody else in the industry.
Android itself has not seen an update since then. The Nexus 5 initially shipped with 4.4.0 and got both 4.4.1 and 4.4.2 as soon as they were publicly announced. When Android 4.4.3 comes out (apparently soon) you're basically guaranteed to be the first device for which it's available.
Compare this to all the other phone vendors, who at least in the case of the large ones you know have had access to 4.4.3 for some time, where most devices still aren't on 4.4.2. Where devices are still being *launched* brand
Re: (Score:3)
Eggsactly.
Re: (Score:2)
> This is why I will never buy an Android phone again. The lack of guaranteed updates is a huge problem.
Is Apple really any better though?
Try getting iOS updates to the original iPad. Mine is stuck on iOS5. :-(
I'm using iOS6 on iPhone 5 but I don't see any other vendor doing a better job of support. Apple isn't interested in fixing bugs in iOS6.
Re: (Score:2)
Never a good solution.
Techs who have been around since before the year 2000 tend to have this policy: upgrade only after it has been proven. This is a lesson they learned because, especially during the late 90's, patches and upgrades didn't go in smoothly and often caused more problems than they fixed.
Today patching and upgrades tend to go in far more smoothly, however we still want to be sure that it is proven to work before we are the first to jump in.
Now this means our systems are also more vulnerable f
Re: (Score:2)
Windows NT 3.51 Service Pack 3. 'Nuff said.
Re: (Score:2)
> Techs who have been around before the year 2000 tend to have this policy.
Exactly: Don't fix what isn't broken.
Re: (Score:2)
Like androids in Bladerunner...
I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhauser gate. All those moments will be lost in time, like tears in rain. Time to die.
Re: (Score:2)
Agreed. Forced obsolescence is NOT the answer.
How to sound deep (Score:3)
Imply the opposite of what is expected, without regard for reality, truth or common sense. Ex:
"'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?"
Look at this amazing thinker. Didn't he just blow your fucking mind?
Re: (Score:2)
If he were a Slashdot poster, his every post would be modded up through the roof.
my thermostat (Score:4, Insightful)
Planned obsolescence (Score:5, Interesting)
Re: (Score:3)
I think *that* is the main point of this idea, security is just a way of selling it.
Re: (Score:2)
A lot. You can't do that with a PLC as that would be clinically insane and might have serious safety/economic ramifications. No engineer worth his salt would touch such a device. You might configure it to simply fail to startup after a powerdown on a certain date, but not have it stop while the system is running.
Re: (Score:2)
> You might configure it to simply fail to startup after a powerdown on a certain date, but not have it stop while the system is running.
Interesting thought, which breaks down when you consider that many such devices are powered down only when they reach end of life and need replacing. Anyway, the commercial impact is still ludicrous. Go stand in front of management and tell them we are losing $1000000 per day because the power outage triggered an end-of-life time bomb in the control system and the vendor needs 6 weeks to ship a new one.
The entire premise is retarded, proposing things should artificially die because a vendor refuses to p
Re: (Score:2)
I would agree, though I have had a number of long running plants I have sat in front of that were offline for weeks because they were "broken", and investigation showed that the operator had simply forgotten how to look for and clear a startup error....
It is ridiculous in any case, and I don't think it is a good idea. The trouble is, in a long running plant, they will never apply any "security fix" because that means shutting down the system anyway. Possibly even re-commissioning and testing the damn thin
Re: (Score:2)
Hell, $1M per day is nothing, when the major auto companies are selling a certain line of cars as fast as they can make them downtime is in the multiple millions per hour range, and with a steel plant a cold shutdown can result in hundreds of millions in damage.
Re: (Score:2)
A manufacturer who implements this will see his customer base abandon him in droves and will be reduced to only doing work for the consumer market. I have worked on access control systems that have been in place for well over 20 years, I would never install one that we knew would fail after 3.
Re: (Score:2)
What could possibly go wrong ? A PLC controlling a plant stopping at some random date is perfectly acceptable, right. I'm sure manufacturers will love this. A guaranteed replacement market is a wet dream for any market.
Obsolescence is already planned for every single product, no matter what, period. If done properly (imho) then a guaranteed fail-by date would cause the realization that the true cost of ownership per year for a system would include the cost of scrapping it when it's too old to work right. Today, what happens is a system is bought because it fit in the budget this year, and it's held on to for as long as possible, long after security and failure risk have climbed way way up past an acceptable point, becaus
Here's a better idea (Score:5, Interesting)
Here's a better idea. Charge anyone who ships unpatchable and unpatched hardware with sponsoring terrorism, because it's their laziness causing the problem.
Why the hell should I be forced to buy, buy, and rebuy the same god damned hardware over and over to save them from patching their shitty systems that they sell?
Re: (Score:2)
Maybe if you didn't demand a $20 wireless router you could expect better firmware quality and regular updates. Otherwise you have to accept that it will probably only last months before either the hardware fails or someone discovers a way to exploit it.
I'm all for requiring vendors to patch, just don't expect equipment to be cheap any more.
Re: (Score:2)
You have the answer. Forced liability on software companies.
Company hacked because of a Windows flaw? Microsoft owes you the $22 trillion it cost for cleaning up the hack... Yes, use the over inflated numbers they claim.
Re: (Score:2)
You just gave every lawyer a giant woody, even the ladies.
Re: (Score:2)
Or to put it another way, why the hell should I, as a manufacturer, be forced to pay, pay, and pay again for people to make updates for a cheap piece of hardware that barely covered its own cost in the first place?
If you want eternal support, you should buy from a vendor that offers eternal support at a suitably expensive price. If there isn't such a vendor, you should re-engineer your solution to include only components that have such support, or build those parts yourself.
Re: (Score:2)
To be devil's advocate (I don't necessarily agree with the author's proposition, though I can see how he got there), your business model of making cheap crap doesn't deserve protection; either adapt and make more expensive, maintainable stuff or die.
Re: (Score:2)
Who said anything about "protection?"
If I, as a manufacturer, want to make cheap parts with a limited support life, and you, as a consumer, want to buy them precisely because they are within your budget and fit your stated needs, then what exactly is the problem that we require protection from?
If you can't manage your own risk analysis to determine that you need (and therefore should pay for) eternal updates, that's not my problem.
Re: (Score:2)
> you should buy from a vendor that offers eternal support at a suitably expensive price.
We will. Enjoy your descent into the hell of the consumer market because commercial and industrial customers will abandon you immediately.
Re: (Score:2)
> Or to put it another way, why the hell should I, as a manufacturer, be forced to pay, pay, and pay again for people to make updates for a cheap piece of hardware that barely covered its own cost in the first place?
> If you want eternal support, you should buy from a vendor that offers eternal support at a suitably expensive price. If there isn't such a vendor, you should re-engineer your solution to include only components that have such support, or build those parts yourself.
You are presuming that humans are any good at all at assessing the risk of something as nuanced as purchasing something with no (meaningful) support. Does it work when I install it? No, ok take it back and get a new one. Yes, ok great leave it there until it stops working. Wait, there are two versions I can buy, they both do the exact same thing, but this one is twice as much because it comes with a 3 year service warranty? Fuck that I won't need it 3 years from now anyway, that is someone elses proble
Re: (Score:2)
I'm actually fully aware that humans are terrible at assessing risk. It's obvious whenever someone complains about the price of milspec parts, which are expected to function perfectly for a very long time.
My point is that it's just not reasonable to dump the cost of eternal support onto the manufacturers, out of some perverse sense of entitlement granting you free fixes forever. There are vendors out there that offer the very-long-term support packages, but they charge for it. The $25 you paid for a router
Re: (Score:2)
You aren't. When you get bored with supporting old kit, simply open source the code, and let the community support it! That is what the BSD licence is for!
Not opensourcing EOL code is what Gitmo is for!
Re: (Score:2)
So of the (relatively) few people who bought my product, fewer are embedded programmers, and fewer still would be interested in making community updates, and even fewer of those would be likely to release the updates to others - and there's no guarantee as to the quality of those updates. From a security perspective, your EOL device is now far more open to targeted attacks, and you're just plain out of luck unless you install "Abednego Breakinski's Uberpatch 57 (w/ awesomesauce mod)". Sounds like a great im
Re: (Score:2)
Better still, you should have a choice: a $30 unpatchable router with a 3 year lifespan, or a $50 patchable router.
$30 is not worth it if it is vulnerable off the shelf when you bought it. Also, how long do you think each product would be in a store before it is sold? So no to unpatchable, because the patchable is still a safer choice.
Re: (Score:2)
How nice of you to make that decision for everyone else. Believe it or not, it is actually possible that sometimes the more expensive, more secure option doesn't offer enough benefits to outweigh the increased costs in certain use cases.
I'm sure that my cheapo router at home doesn't meet your lofty standards of safety. I understand the potential security risks that this router poses reasonably well. I could have spent $50 extra to buy a "better" router, then spent an evening or so figuring out how to hac
Re: (Score:3)
but why shouldn't I get to make that decision
Because your "reasoned" decision apparently doesn't take into account the threat you now represent to everybody else.
Re: (Score:2)
but why shouldn't I get to make that decision?
Because your decision accounts only for your own point of view and reasoning. My decision accounts for others' safety, not just my own.
Re: (Score:2)
..how about not selling a known faulty product in the first place...
Absolutely not (Score:5, Insightful)
These are not consumer items. Industrial systems seldom live just one life, and after being decommissioned they usually go up for auction to be recommissioned somewhere else. If you artificially disrupt this dynamic you cause enormous economic loss, and for what? To perpetuate a buzzword?
The entire proposal is barking up the wrong tree.
It is however a moderately interesting insight into the echo-chamber of national intelligence. Rather funny to see how Mr. Geer talks about monocultures while laying on their own lore _thick_.
Re: (Score:2)
Any troll elaborate enough is indistinguishable from a valuable contribution. ;)
His philosophy is geared for rhetoric alone, like the ancient Greek, and not for enlightened self-interest.
What about devices with no RTC? (Score:5, Insightful)
If a device does not have a way to keep track of time (e.g. a built-in real time clock, with a backup battery that will last for the duration of the device's 'lifetime'), then it becomes vulnerable to permanent denial of service when something spoofs a fake future date and time. What happens when a hundred thousand devices go offline because someone spoofed an NTP response?
You may as well force every device to have a kill switch and remotely shut it down when it's too old. At least that'll probably require some kind of public key signature from an authenticated service (in the same way you'd authenticate a remote firmware update).
What I'm trying to say is this is one of those 'management ideas' that sounds great in the philosophical sense, but fails in technical merit.
Re: (Score:2)
Simple enough. Skip the clock entirely, and let the battery itself be the "clock". The battery dies, and the device no longer operates. It's not particularly difficult to design a system with an embedded, non-rechargeable battery that lasts for a specified lifespan. There may be some variability in that time, but you can get close enough this way to kill off neglected devices by a certain point.
Re:What about devices with no RTC? (Score:4, Insightful)
> Simple enough. Skip the clock entirely, and let the battery itself be the "clock". The battery dies, and the device no longer operates. It's not particularly difficult to design a system with an embedded, non-rechargeable battery that lasts for a specified lifespan. There may be some variability in that time, but you can get close enough this way to kill off neglected devices by a certain point.
Take out 'non-rechargeable' and this is pretty much Apple's business model.
Re: (Score:2)
> If a device does not have a way to keep track of time (e.g. a built-in real time clock, with a backup battery that will last for the duration of the device's 'lifetime'), then it becomes vulnerable to permanent denial of service when something spoofs a fake future date and time. What happens when a hundred thousand devices go offline because someone spoofed an NTP response?
> You may as well force every device to have a kill switch and remotely shut it down when it's too old. At least that'll probably require some kind of public key signature from an authenticated service (in the same way you'd authenticate a remote firmware update).
> What I'm trying to say is this is one of those 'management ideas' that sounds great in the philosophical sense, but fails in technical merit.
That's easy, let it count the hours it runs (as most devices already do) irrespective of time. After 3 years (or whatever) of operation, it stops or creates an annoying ass alarm buzz or something.
And more to the point, you have probably hit on the real "solution" to the security issue, a remote kill switch. If a vulnerability gets in the wild, simply kill all the affected devices until they can be reflashed with a fixed version (and a new timer). That's what you want to have happen anyway, right? 10 mi
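The design the last few replies converge on, as an added example in Go that is not code from the article or from anyone in the thread: a vendor-signed "lease" that the device checks at boot against its own run-hour counter rather than a wall clock (so a spoofed NTP reply cannot kill it), that only a holder of the vendor signing key can shorten or extend (the authenticated kill switch), and that is renewed with every signed release, which is the mechanical form of the "no update for 12 months = EOL" idea proposed earlier in the thread. Assumed and hypothetical: Ed25519 for the vendor signature, a device-persisted HoursRun counter, a fixed-layout encoding, and the names Lease, Device and MayStart. WallClockMayStart is included only to show the naive design being criticised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Lease is what the vendor signs with each release (or on its own when no code
// change is needed). NotAfterHours is in the device's run-hour counter, not
// wall-clock seconds, so no network time source can move the deadline.
type Lease struct {
	DeviceID      [8]byte
	MinFirmware   uint32 // lease only honoured on firmware >= this (anti-rollback)
	NotAfterHours uint64 // device refuses to (re)start once HoursRun exceeds this
}

// encode gives signer and verifier the same fixed-layout bytes. A production
// format would be length-prefixed TLV or CBOR; the layout here is an assumption.
func (l Lease) encode() []byte {
	buf := make([]byte, 8+4+8)
	copy(buf[0:8], l.DeviceID[:])
	binary.BigEndian.PutUint32(buf[8:12], l.MinFirmware)
	binary.BigEndian.PutUint64(buf[12:20], l.NotAfterHours)
	return buf
}

// SignLease runs on the vendor's release-signing infrastructure; the private
// key is never on the device.
func SignLease(priv ed25519.PrivateKey, l Lease) []byte {
	return ed25519.Sign(priv, l.encode())
}

// Device holds the vendor public key and its own monotonic state only.
type Device struct {
	ID       [8]byte
	Firmware uint32
	HoursRun uint64 // incremented by firmware, persisted across power cycles
	Vendor   ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("lease signature invalid")
	ErrWrongDevice  = errors.New("lease issued for a different device")
	ErrOldFirmware  = errors.New("lease requires newer firmware")
	ErrExpired      = errors.New("lease expired: run-hours exceeded")
)

// MayStart is the boot-time gate. EOL and kill switch are the same mechanism:
// the vendor stops renewing, or issues a lease whose deadline is already past.
func (d Device) MayStart(l Lease, sig []byte) error {
	if !ed25519.Verify(d.Vendor, l.encode(), sig) {
		return ErrBadSignature
	}
	if l.DeviceID != d.ID {
		return ErrWrongDevice
	}
	if d.Firmware < l.MinFirmware {
		return ErrOldFirmware
	}
	if d.HoursRun > l.NotAfterHours {
		return ErrExpired
	}
	return nil
}

// WallClockMayStart is the naive design: an unsigned deadline compared against
// whatever time the device last learned from the network. Whoever answers the
// NTP query decides whether it boots.
func WallClockMayStart(deadlineUnix, ntpReportedUnix int64) bool {
	return ntpReportedUnix < deadlineUnix
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample device: 20000 run-hours on firmware 7.
	dev := Device{ID: [8]byte{'S', 'N', '0', '0', '4', '2', '0', '1'}, Firmware: 7, HoursRun: 20000, Vendor: pub}
	lease := Lease{DeviceID: dev.ID, MinFirmware: 7, NotAfterHours: 26280} // roughly three years of run-time
	sig := SignLease(priv, lease)
	fmt.Println("vendor-signed lease:", dev.MayStart(lease, sig))
	forged := lease
	forged.NotAfterHours = 1 << 40 // attacker tries to extend the lease without the key
	fmt.Println("attacker-extended lease:", dev.MayStart(forged, sig))
	fmt.Println("naive device killed by one spoofed NTP reply:", !WallClockMayStart(1900000000, 1900000001))
}
```

The run-hour counter still has to be stored somewhere an attacker on the device cannot rewind, and a lease only helps for devices that reboot occasionally; a PLC that has not been power-cycled in a decade never consults it, which is the objection raised further up the thread and is not something this scheme removes.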
Sympathy, but no go (Score:5, Insightful)
As someone who has to support legacy systems, there is nothing more I would like to see old embedded systems die (and in some cases, incinerated and the embers crushed into the ground).
But we have to be realistic.
The main effort in systems like SCADA is the commissioning time required. You cannot just rip out a system, plug in a new box and expect everything to work as before.
Secondly, who pays for this? The customer will not be happy if every 5 years we say you have to close your factory down for 2 weeks while we rip out all your old boxes and replace them with new ones.
Finally what is the guarantee that the new box has not introduced a new security hole?
The real solution is the segmentation of the security and application code. Use Trusted boot technologies to verify the running code and ring fence the code with your security management application. Then if a new threat is introduced you only need to update the security app, leaving the hardware and application untouched.
Unfortunately, at present industrial applications either have no security or are very closely coupled, meaning that updates are difficult and costly.
Re: (Score:2)
This is actually already a big problem (Score:4, Interesting)
Re: (Score:2)
Are you the dude that got HP to put 'time out' chips in their print cartridges?
Blinkered (Score:4, Informative)
This guy has an incredibly blinkered view of "embedded devices". Most embedded devices are not connected to the Internet. Should my wristwatch, washing machine, car ignition controller, garage door opener, swimming pool pump, dumb TV, bank vault, disk drive, mouse, keyboard, etc. all die prematurely because somebody else makes a router that can be prejudiced? There are literally billions of embedded devices in the world, of which probably less than one in a thousand is connected to the internet. Yet this seems to be suggesting that we should kill a thousand devices because one /might/ be prejudiced.
Re: (Score:2)
This guy has an incredible blinkered view of "embedded devices". Most embedded devises are not connected to the Interned.
Did you mean: Most people who design such devices are interned.
roybatty.exe (Score:2, Offtopic)
I've... seen things you people wouldn't believe... Iranian centrifuges on fire off the shoulder of Orion. I watched c-beams glitter in the dark near the Ford River Rouge Assembly Plant. All those... moments... will be lost in time, like tears... in... rain.
Time... to die...
Re: (Score:2)
Thank you, you made my morning.
Real problem but wrong solution (Score:2)
1. From a security standpoint, in a highly controlled environment, remote update capability is also a security risk, no matter how supposedly "secure" that capability is. The ability to configure the hardware so that hands on the device are required to apply updates is important. Physical security is easier to verify than logical security - it's much easier to inspect seals, padlocks, and security tags than it is to inspect the device firmware.
2. Flash memory is relatively cheap, especially in the small si
Re: (Score:2)
Exactly.
These things need to be built robust and secure in the first place or no amount of "remote management" is going to fix the problem.
Why is it so impossible that a product could be created and released, and still perfectly functional after 10 years with no need of a single software upgrade? Because we have no quality control of any value in the software industry. If a car (or worse airplane) suddenly died because it was 5 years old, the manufacturer would be out of business in a week.
Very stupid rent seeking idea (Score:2)
It's equivalent to demanding that people replace thirty year old transistor radios in their kitchens and workshops.
Ridiculous premise (Score:4, Insightful)
This is based on a ridiculous premise that newer=more secure.
Who is going to pay for all of this?
What happens when someone forgets to replace some critical controller (gee, I thought your group was in charge of replacing it...)?
Also, what's In-Q-Tel's real motive? Mandating a secret back-door so that the CIA can have access to what they want? Or, are they quietly investing in Siemens, Rockwell Automation, Hitachi, and the like?
Yes (Score:2)
Another Solution (Score:3)
Time-based end of life not very helpful (Score:4, Insightful)
Okay, so my new device (a LeakyTech router, say) has a five-year expiry clock on it. A vulnerability is discovered a year after I buy it. It spends 80% of its lifetime completely exposed. I'm now out of pocket for the cost of a new device every five years, and I'm only protected for 20% of the time. Nice.
Or, my new device (from Securitron, this time) is actually quite secure. It takes ten years for the bad guys to find an unpatched or unpatchable hole. Five years of reliable, trustworthy use I could have had get thrown away. I've pointlessly reduced the safe, working lifetime of my electronic device by 50%, doubling my hardware cost and incurring extra downtime for no improvement in my security. Nice.
Better yet, I've gone through a couple of cycles of forced obsolescence. This time around, I've moved from the Securitron product to the LeakyTech one, and now introduced a hole in my security that wasn't there before. Either the LeakyTech device has another rapidly-discovered vulnerability - maybe it was introduced when they tried to patch their first one-year defect - or I didn't configure the new hardware properly when I was making my enforced switchover. Nice.
Oh great. (Score:4, Insightful)
More DRM killswitches.
What a waste (Score:3)
This sounds more like an idea for hardware companies that want to ensure people keep buying their new stuff. It's like chipped printer cartridges.
First off.. how about just making things updateable?
Second, how about not connecting things to the internet that don't have a reason to be?
The last thing we need is yet more perfectly functional electronics sitting in the bottom of landfills.
Let's flip it around (Score:2)
How about we make the manufacturer either maintain support for the device or release full specs (including source and a sane build environment) to their customers and any signing keys they might need to update the things themselves.
My plan is more fair and might keep things out of the landfill rather than filling it faster.
Preview of resistance... (Score:2)
Tire manufacturers in the US resist tires having expiration dates. Why would they mind, since that might increase demand for replacements? Distributors and retailers might mind since it means their inventory loses market value quicker than it would otherwise. Supposedly the manufacturers fear that having an expiration date will imply to consumers that their tires should last until that date. The lifetime might be set at 6 years, which is longer than most tires' tread lasts.
To some degree I'd expect this sor
Brave New World (Score:2)
I think I've read this plot in a book. http://www.goodreads.com/book/... [goodreads.com]
This is going to happen in 2038 anyway (Score:2)
--
.nosig
Greed is as Greed does. (Score:2)
Dan Geer, the CISO of In-Q-Tel is a nutjob or a scumbag trying to just figure out how to bring about a forced revenue stream. Unless he proposes that companies that do this MUST buy back the self deactivated equipment at 50% of retail price, he is simply trying to figure out how to force customers into spending more money by artificial controlled failure.
No. No. and No. (Score:2)
If the electronics had decided it was time to die, we would have had to replace the machine it controlled, as nobody made electronics and senso
Silicon Heaven! (Score:2)
subscription hardware (Score:2)
Progress IS being made (Score:2)
I sit here in the Cassandra suite, watching the tech community finally waking up to the reality of the world. You are starting to panic because you know none of the operating system choices you have are viable for truly secure systems. Soon you will learn about Multi-Level Secure systems, Capabilities, and other features of secure computing.
About 10 years from now, you'll get the hints the universe has dropped on you, and start implementing these systems.
About 10 years after that, some real old timers
Re: (Score:2)
Perhaps you should read the right to read: http://www.gnu.org/philosophy/... [gnu.org]
This idea has been around a long, long time, and there are even people trying to protect you from that particular dystopian future.
Re: (Score:2)
And the vast majority of Win CE devices aren't even hooked up to a network so good luck exploiting them.
...is on the disc (Score:2)