
The Coming IT Nightmare of Unpatchable Systems

samzenpus posted about 2 months ago | from the down-in-flames dept.

Security 240

snydeq (1272828) writes "Insecure by design and trusted by default, embedded systems present security concerns that could prove crippling if not addressed by fabricators, vendors, and customers alike, InfoWorld reports. Routers, smart refrigerators, in-pavement traffic-monitoring systems, or crop-monitoring drones — 'the trend toward systems and devices that, once deployed, stubbornly "keep on ticking" regardless of the wishes of those who deploy them is fast becoming an IT security nightmare made real, affecting everything from mom-and-pop shops to power stations. This unpatchable hell is a problem with many fathers, from recalcitrant vendors to customers wary of — or hostile to — change. But with the number and diversity of connected endpoints expected to skyrocket in the next decade, radical measures are fast becoming necessary to ensure that today's "smart" devices and embedded systems don't haunt us for years down the line.'"


240 comments


This "nightmare" rings a bell (2)

Jailbrekr (73837) | about 2 months ago | (#47149113)

They had the same problem prior to the year 2000, so why wasn't this lesson already learned?

Re:This "nightmare" rings a bell (1)

Anonymous Coward | about 2 months ago | (#47149139)

Different lesson. The lesson then was: don't know a bug exists for years, know you can fix it but simply don't until the last minute.

The lesson here is "stuff might need updates some day, don't be fucking retarded".

Re: This "nightmare" rings a bell (3, Insightful)

Anonymous Coward | about 2 months ago | (#47149189)

There are two lessons here: one, if you make something non-upgradeable it may have a bug that requires a fix; two, if you make something upgradeable some nefarious actor could exploit that and install something bad.
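Both lessons come down to the same design requirement: an update path that exists, but that only the vendor can exercise. The sketch below is an added example (mine, not from the article or any of the commenters) of what the device side of that looks like: a manifest that binds a version number to the image digest, a tag over the manifest, a rollback check, and a digest check before anything is written. The vendor key, the Device class and the helper names are made up for the example, and an HMAC stands in for the asymmetric signature a real device would verify with a vendor public key, since the Python standard library has no Ed25519 or RSA. The naive installer is included only to show the gap the second lesson is about.

```python
import hashlib
import hmac
import json

# Constructed key for this example. A real device would hold only the vendor's
# public key and verify an asymmetric signature (e.g. Ed25519); the standard
# library has no such primitive, so an HMAC stands in for the signature here.
VENDOR_KEY = b"example-vendor-signing-key"


class Device:
    """Minimal model of an updatable device: installed version plus image."""

    def __init__(self, installed_version, key=VENDOR_KEY):
        self.version = installed_version
        self.key = key
        self.image = None


def make_update(version, image, key=VENDOR_KEY):
    """Vendor side: manifest binds version to image digest; tag covers the manifest."""
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).digest()
    return {"manifest": manifest, "tag": tag, "image": image}


def apply_update_naive(device, update):
    """Lesson two: an update path with no authentication installs whatever it is given."""
    device.version = json.loads(update["manifest"])["version"]
    device.image = update["image"]
    return True, "installed"


def apply_update(device, update):
    """Device side: verify the tag, refuse rollbacks, check the image digest, then install.

    Returns (accepted, reason) so callers can log why an image was refused.
    """
    expected = hmac.new(device.key, update["manifest"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, update["tag"]):
        return False, "manifest not signed by vendor"
    manifest = json.loads(update["manifest"])       # parsed only after the tag checks out
    if manifest["version"] <= device.version:
        return False, "rollback refused (version %s <= %s)" % (manifest["version"], device.version)
    if hashlib.sha256(update["image"]).hexdigest() != manifest["sha256"]:
        return False, "image digest does not match manifest"
    device.version = manifest["version"]
    device.image = update["image"]
    return True, "installed version %s" % manifest["version"]


if __name__ == "__main__":
    dev = Device(installed_version=3)
    good = make_update(4, b"firmware-v4")
    print(apply_update(dev, good))                                  # accepted
    print(apply_update(Device(3), dict(good, image=b"firmware-v4-backdoored")))  # digest mismatch
    print(apply_update(Device(3), make_update(9, b"attacker-image", key=b"attacker-key")))  # bad tag
    print(apply_update(dev, make_update(2, b"firmware-v2")))        # rollback refused
```

Note the order of checks: the tag is verified before the manifest is parsed, so an unauthenticated manifest never steers the version comparison, and the version is compared before the image is hashed. A symmetric key is a poor fit for shipped hardware because extracting it from one unit lets an attacker sign updates for every unit; that is the reason to prefer a public-key signature in production.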

Repetitive (broken) OS abandonment (4, Interesting)

fyngyrz (762201) | about 2 months ago | (#47149549)

<RANT>

One thing that's causing problems is the habit of Apple and Microsoft to abandon operating systems for new, often incompatible ones, instead of fixing the bugs in them. OSX 10.6.8 is full of problems; the only way to fix them is to move up to OSX 10.7 or further, which in turn can break a lot of things, because the later release isn't just fixed (if, in fact, it is fixed), it's a different animal altogether. Just one example. OS vendors take the view that you can either move forward with them, or die in a fire. Windows, Ubuntu, XP, etc... same deal.

I'm not saying these old OS's should get new features. But bugs? They should be fixed as long as humanly possible. The product was sold as having feature set X, and working. If it doesn't work as advertised, or is unreliable, it shouldn't be abandoned, it should be fixed. Except in the very rare case where it is not possible (I can't even think of one of those, actually.)

The problem is multifaceted. It isn't just that users are left with a choice of being left behind and becoming steadily more vulnerable to exploits; it is also that as the OS vendors keep jumping away from their buggy versions, the OS landscape, as it were, is left littered with broken junk, and the new stuff is going to also be broken in new ways (plus, often, the old ways too), because:

None of these OS vendors ever intends to work any product into shape such that it becomes stable, reliable, and actually what it was advertised to be when it was sold. Instead, hey, look over here, New! Shiny!

Then we have application vendors that, for no particular good reason, make their apps not just use, but depend upon new OS features. Generally speaking, you don't have to do that. You can tie a feature to an OS, and there are very good reasons to do so (the feature may not even be possible under a previous one), but then there are things that have no sane reason to be tied to an OS, such as the ability to load a new image format (Apple, I'm thinking of Aperture here.) New interface to load images through? Sure, great idea. Abandoning the old interface? Not generally a sensible thing to do. No doubt there are applications out there that use the old interface, and there will be users with (shock!) new cameras.

I find the entire cycle of abandonment to be reprehensible and ethically bankrupt. I think applications should be maintained until they aren't broken under the OS's they were designed to run under, and OS's should be maintained until they work in every way they were supposed to in the first place, and are kept as secure as possible without actually breaking things. But that's just me.

</RANT>

Repetitive (broken) OS abandonment (0)

Anonymous Coward | about 2 months ago | (#47149771)

The issue is that people will not pay for bug fixes, therefore to make $$ they need to release new software. On the other hand Oracle does make you pay for bug fixes and I don't know anyone who doesn't feel butt hurt about that...

"There are no significant bugs in our released software that any significant number of users want fixed. ... I'm saying we don't do a new version to fix bugs. We don't. Not enough people would buy it. You can take a hundred people using Microsoft Word. Call them up and say "Would you buy a new version because of bugs?" You won't get a single person to say they'd buy a new version because of bugs. We'd never be able to sell a release on that basis" -BG

http://www.cantrip.org/nobugs.html

Re:Repetitive (broken) OS abandonment (0)

Anonymous Coward | about 2 months ago | (#47149789)

They would need to increase price to support continual updates.... An operating system is priced at 0-200 dollars. Fixing bugs isn't cheap, in fact it can be really expensive.

You can't expect something you buy once for $50 to be supported forever, can you? In order to do what you're suggesting in a way compatible with business realities, you would have to charge thousands of dollars for every piece of software... which would seriously suck.

Re:Repetitive (broken) OS abandonment (1)

Anonymous Coward | about 2 months ago | (#47149961)

While I appreciate the frustration as a consumer, this is not even unique to software but a property of all economically viable engineered systems including buildings and literal holes in the ground. Nearly always, there comes a point where it is more feasible to demolish the old and replace it with contemporary solutions, rather than to keep maintaining the archaic. To stick with the old is to commit to funding the low-volume, custom work that is required to restore or maintain historic systems for the sake of preservation.

However, consumers do not seem to want to pay for such work. They only want the commodity pricing that goes along with large-scale consumerism, and not the high prices for bespoke goods. In the enterprise computing space, you do see software and hardware being supported for much longer time frames, and also much higher costs associated with this nearly bespoke work.

If the "cycle of abandonment" is reprehensible and ethically bankrupt, I'd argue that it is a larger societal problem linked to our willingness to externalize costs and focus on immediate satisfaction in all areas, rather than on sustainability or lasting value. It is both the producers and consumers who are complicit in this with every myopic transaction that borrows against the future. If it is inevitable that our economy have such churn in it, I think it would be great if more of it could be in software since that does not have to accumulate in land fills the way all our other disposable products wind up...

Re:Repetitive (broken) OS abandonment (4, Informative)

RightwingNutjob (1302813) | about 2 months ago | (#47150405)

It's a two cultures problem in IT. The vast majority of Microsoft's, or Apple's, or Oracle's, or whoever's customers use their OS on laptops, workstations, or servers, where the consequences of bugs are fairly well approximated by "nuisance". The other culture of computer software customers are folks who use computers to handle large amounts of money and control moving machinery (power plants, drones, etc), where the consequences of bugs and unintended features start at "oh shit, we've lost millions of dollars" to "oh shit, the crane dropped its load 200ft" up through "oh God, the power plant has exploded!" People in the second camp have a healthy suspicion of getting the latest and greatest upgrade from companies run by and for people in the first camp. And that dichotomy is why most embedded OS's come with source code that you get to debug yourself if it doesn't quite work for your application (VxWorks, QNX, Windows Embedded, RTLinux, etc).

Re:Repetitive (broken) OS abandonment (1)

scottbomb (1290580) | about 2 months ago | (#47150531)

13 mod points but they don't work on this thread for some reason. Anyhow... +1!

Re:This "nightmare" rings a bell (1)

rijrunner (263757) | about 2 months ago | (#47149695)

We discussed the Y2K problem in my intro to comp science class in Jan 1982..

Re:This "nightmare" rings a bell (4, Funny)

wonkey_monkey (2592601) | about 2 months ago | (#47150121)

That was actually January 3982. It was easier just to let it roll over the first time round.

Re:This "nightmare" rings a bell (5, Insightful)

ZouPrime (460611) | about 2 months ago | (#47149165)

The lesson wasn't learned, but the problem was somewhat mitigated. Big software companies adopted regular patch cycles and deployed patch management tools on their customers. It kinda worked because PCs are powerful computers well designed to be upgraded and modified.

This is not the case for many embedded systems. They are designed to be installed and then you forget about them. So the "classic" mitigation technique doesn't work. This is a big problem.

Re:This "nightmare" rings a bell (5, Insightful)

Penguinisto (415985) | about 2 months ago | (#47149349)

They are designed to be installed and then you forget about them. So the "classic" mitigation technique doesn't work. This is a big problem.

Hell, I thought the "classic" mitigation schemata for embedded devices was to not have them networked at all, leaving them to run for years (decades?) on end.
(See also the hordes of NT Telecom PBXes out there which are likely still around, requiring a goofball proprietary connection to a computer running OS/2 (!?) in order to patch it (or more commonly, you did it to add new/licensed features or to fix something gone corrupt).)

Therein lies the whole problem with the paradigm, truth be told - originally, embedded devices didn't communicate with jack shit - you unpacked it, turned it on, maybe configured it, and then you forget that it existed until it broke (at which time the vendor/contractor sent someone out to fix it), or got replaced.

All that said, hell, we already have a testbed for this nightmare - an ocean of smartphones whose carriers and manufacturers ceased to give a crap whether their wares ever got upgraded.

Re:This "nightmare" rings a bell (1)

gbjbaanb (229885) | about 2 months ago | (#47149421)

It's not the size - my motherboard BIOS can be upgraded and it's tiny. The problem is that it costs effort to make them upgradeable, and companies are cheapskates.

Re:This "nightmare" rings a bell (1)

Anonymous Coward | about 2 months ago | (#47149597)

I think it might be more along the lines of, "We will make it cheap and non-upgradable now, and by the time it needs to be updated we can sell the next big thing." A product with a designed lifetime.

Re:This "nightmare" rings a bell (4, Insightful)

Archangel Michael (180766) | about 2 months ago | (#47149759)

Companies aren't "cheapskates", customers are.

Here, I'll prove my point. You can buy something for $15 today, and have it supported until tomorrow (or whenever), or you can pay $300 for the same exact thing, only support will go for a guaranteed 10 years.

Guess what, the company didn't make the choice, you did. The company is just following the choice you've taken.

The problem is solvable. Like Cellphones, it is cheaper and easier in the long run to simply buy a new one every 2 years than it is to buy one that will last you five. And in two years, sufficient advancement means that your old cell phone won't do all the neat cool things that all the new phones want to do, and you're gonna upgrade it anyway, so buy the cheaper one now, and upgrade in two years.

Re:This "nightmare" rings a bell (2)

plover (150551) | about 2 months ago | (#47150061)

So perhaps they should be sold like that: "You can buy our Amazing zPhone 5 for $100, guaranteed to work until 2018, or our Amazing zPhone 5c for $150, guaranteed to work until 2021. We no longer sell the Ordinary zPhone 4, whose guarantee runs out in 2015, and will in fact quit working by 2016."

Right now when someone buys a cell phone, they have it in their brains that they're making an "investment", that the phone will last for the next 20 years, or even forever. They are used to products that wear out due to usage, abuse, accidents, but for some reason they do not ascribe the same attributes of reliability to software, even though they've almost never encountered perfect software in their lives. For the most part, it's ignorable to them, even when it has bugs.

Re:This "nightmare" rings a bell (3)

mythosaz (572040) | about 2 months ago | (#47150249)

Right now when someone buys a cell phone, they have it in their brains that they're making an "investment", that the phone will last for the next 20 years, or even forever.

They do? Who are these people?

For a sufficiently true portion of "everyone," "everyone" just gets a new phone every two years on contract anyway.

Re:This "nightmare" rings a bell (2)

Tom (822) | about 2 months ago | (#47149479)

This is not the case for many embedded systems. They are designed to be installed and then you forget about them. So the "classic" mitigation technique doesn't work. This is a big problem.

Only because software development sucks and nobody takes the time and effort for not-so-much-fun things like code review.

Re:This "nightmare" rings a bell (1)

ZouPrime (460611) | about 2 months ago | (#47150143)

"Only because software development sucks".

The solution isn't better coding. It's been CLEAR now, for many years, that we can't just wait for the world coders to magically become amazing and consistently produce flawless code. Yes, training is part of the solution, and so are advanced debugging tools and many other things, but just blaming that it is the coder's fault won't change anything. It's not a solution, it's a blame.

It's like saying that car deaths would go down if only drivers were better.

Re:This "nightmare" rings a bell (1)

NReitzel (77941) | about 2 months ago | (#47149915)

Unpatchable systems are a problem, but if you view them as a black box, they are no different than non-logical systems that break.

I'm rather fervently against systems that cannot be upgraded on the fly, but I understand why manufacturers might not like this.

Consider, if you buy a traffic light controller that can be improved and modified, then where is the motivation for a second round of purchases when "upgrade" becomes necessary. After all, I certainly want the person who sold me a refrigerator to be able to brick it when they want, or on a certain date. I can't understand those Commie Sympathizers who think that a sale means that you actually -own- the product, and can use it as long as you see fit.

Re:This "nightmare" rings a bell (0)

PvtVoid (1252388) | about 2 months ago | (#47149193)

They had the same problem prior to the year 2000, so why wasn't this lesson already learned?

This. Especially once the predicted apocalypse brought the world to its knees [wikia.com] . You'd think we would learn.

Re:This "nightmare" rings a bell (1)

Sarten-X (1102295) | about 2 months ago | (#47149253)

I was thinking we had the same problem with work horses that got old, or with pre-OSHA workers who lost limbs in factories.

The solution is the same, but now there's no ethics to be worried about. If your system or device can no longer perform its job (including meeting security requirements), replace it. Oh, sure, there's lots of sentimental value in having something obsolete that you already own rather than paying again for something with a support life, but that's why you were able to afford the thing in the first place. It didn't need the expensive engineering for a century-long lifespan. It was designed for a few years' support, and that's what you paid for.

Re:This "nightmare" rings a bell (5, Interesting)

NoNonAlphaCharsHere (2201864) | about 2 months ago | (#47149301)

Different nightmare. The Y2K embedded system nightmare was systems that wouldn't know what to do when the clock rolled over. By and large, the doomsayers were completely wrong. The current problem is *Internet enabled* embedded systems, easily hackable, out of warranty, out of support, manufacturer TU, owner/deployer isn't even sure how many they have, or where they're located, etc., etc. Picture making a botnet out of all the traffic light controllers, or the elevator controllers, or smart water meters, or internet toasters.

Re:This "nightmare" rings a bell (4, Insightful)

SuricouRaven (1897204) | about 2 months ago | (#47149663)

The doomsayers were right. A great deal of effort went into patching and testing all critical systems before the year ticked over. There was no disaster because systematic action to avert it was taken well in advance.

Re:This "nightmare" rings a bell (3, Insightful)

wonkey_monkey (2592601) | about 2 months ago | (#47150133)

A deadline has a wonderful way of concentrating the mind. No deadline, less motivation.

Re:This "nightmare" rings a bell (2)

EmperorArthur (1113223) | about 2 months ago | (#47150431)

A deadline has a wonderful way of concentrating the mind. No deadline, less motivation.

This is the next big one: https://en.wikipedia.org/wiki/... [wikipedia.org]

Honestly I wonder how many devices it will affect. I know anything which isn't patched and relies on security certificates is hosed, but what about the network printer that nobody cares about and is running completely unsecured?

Re:This "nightmare" rings a bell (0)

Anonymous Coward | about 2 months ago | (#47150497)

Given the state of how people and companies fix things, we won't know until 2037. This is the reaction of most businesses: "Spend $X on fixing it now when you tell me it 'may' be a problem." They would rather spend $X*10000 to fix it later. Just look at the companies paying Microsoft to support XP. It's not like it was a real surprise.

Re:This "nightmare" rings a bell (2, Insightful)

Anonymous Coward | about 2 months ago | (#47149693)

The doomsayers were wrong because we patched our systems.

Re:This "nightmare" rings a bell (0)

Anonymous Coward | about 2 months ago | (#47149471)

Y2K was a matter of critical things conking out. However, an unpatchable insecure system will still run exactly the same as a secure system.

The problem here is simple. Security is viewed as having no ROI by many people, so it is not a matter of "can't", but "won't". Plus, the security problem is not obvious, and there are effective liability protections in place, as opposed to a device just not working, as in Y2K (which a buyer can potentially be sued for as there is an implied warranty of fitness.)

Nightmare of Slashdot ads sending me to viruses (1)

bluefoxlucid (723572) | about 2 months ago | (#47149135)

Slashdot keeps forwarding me to activeplayer.us, which tries to drive-by-download an installer. It looks like Adobe's FlashPlayer site.

Re:Nightmare of Slashdot ads sending me to viruses (5, Funny)

david.emery (127135) | about 2 months ago | (#47149167)

Well, that would be less of a problem if you didn't surf SlashDot using your refrigerator or crop-monitoring drone...

Re:Nightmare of Slashdot ads sending me to viruses (0)

Anonymous Coward | about 2 months ago | (#47149179)

Somehow I think you already have malware that is serving those ads to you.

Re:Nightmare of Slashdot ads sending me to viruses (3, Funny)

NoNonAlphaCharsHere (2201864) | about 2 months ago | (#47149317)

You know, I'll bet if you fixed your hosts file...

Re:Nightmare of Slashdot ads sending me to viruses (2)

plover (150551) | about 2 months ago | (#47150081)

Don't say that word, lest you summon ... him.

Nothing fixes a hosts file like this (-1)

Anonymous Coward | about 2 months ago | (#47150185)

Recommended as "best of breed" by Malwarebytes' hpHosts (part of the security community http://hosts-file.net/?s=Downl... [hosts-file.net] ):

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o... [start64.com]

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/commen... [slashdot.org]

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comme... [slashdot.org] w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish & trackers), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization).

* Addons are more complex + slowup browsers & in message passing (use a few concurrently - you'll see)

** Addons slowdown SLOWER usermode browsers layering on MORE - bloating memory consumption too + hugely excessive CPU usage (4++gb extra in FireFox https://blog.mozilla.org/nneth... [mozilla.org] )

SO - Instead, I work w/ what you have in kernelmode, via hosts (A tightly integrated PART of the IP stack itself)

APK

P.S.=> "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

...apk
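For what it is worth, the blocking mechanism the post above keeps alluding to is just the hosts(5) file format, and it is worth seeing exactly what it does and does not cover. The script below is an added example, not part of the post or of the linked tool: it parses a constructed hosts file the way a files-backend resolver does (first match wins, comments stripped, unparsable lines ignored) and classifies names as blackholed, pinned, or falling through to DNS. The sample entries, domain names and function names are made up for the example.

```python
import ipaddress

# Addresses conventionally used to sink a name instead of resolving it.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed sample in hosts(5) format: comments, multiple aliases, a pinned
# intranet host, a malformed line, and a duplicate that a first-match resolver
# never reaches.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.example.com tracker.example.net   # sink ad and tracker hosts
0.0.0.0     lure.example                          # constructed stand-in for a malware lure
192.0.2.10  intranet.example.org                  # pinned: answered without DNS
not-an-ip   broken.example
10.1.1.1    ads.example.com                       # shadowed by the earlier entry
"""


def parse_hosts(text):
    """Return [(address, [names])] in file order, skipping comments and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # unparsable address: resolver ignores the line
        entries.append((str(addr), [n.lower().rstrip(".") for n in fields[1:]]))
    return entries


def lookup(entries, name):
    """First matching entry wins, as the files backend of a typical resolver does."""
    name = name.lower().rstrip(".")
    for addr, names in entries:
        if name in names:
            return addr
    return None


def classify(entries, name):
    """blackholed: sunk locally; pinned: answered locally; dns: falls through."""
    addr = lookup(entries, name)
    if addr is None:
        return "dns"
    return "blackholed" if addr in BLACKHOLE else "pinned"


def audit(entries, names):
    """Map each name to its fate; shows that unlisted subdomains are not covered."""
    return {n: classify(entries, n) for n in names}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    report = audit(hosts, ["ads.example.com", "cdn.ads.example.com",
                           "intranet.example.org", "localhost"])
    for name, fate in report.items():
        print("%-22s %s" % (name, fate))
```

Two caveats a practitioner should keep in mind. Entries match exact names only, so cdn.ads.example.com is not covered by an ads.example.com line; there are no wildcards. And the file is consulted by the resolver library inside each process (on Linux that is the libc resolver, not the kernel), so software that brings its own resolver, such as a browser configured for DNS over HTTPS, or anything that connects to an IP literal, never looks at it.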

Re:Nightmare of Slashdot ads sending me to viruses (1)

scottbomb (1290580) | about 2 months ago | (#47149543)

You might already have a virus. I've never seen any such thing on /.

Re:Nightmare of Slashdot ads sending me to viruses (1)

koreanbabykilla (305807) | about 2 months ago | (#47149909)

Also happening to me, Chrome won't actually let it download that shit tho.

Re:Nightmare of Slashdot ads sending me to viruses (1)

hurfy (735314) | about 2 months ago | (#47150173)

It did it to me Friday. One of the rotating ads is/was malware. I wasn't even doing anything in browser at the time.

Along that line....

What the hell is this place like with ads turned on now? This says they are OFF and I still get 1-2 moving/sliding ads and a damn pop-over, but polls and other features are turned off as collateral damage !?!?

PS auto-audio ads might chase away many of us surfing at work which is probably a bigger audience than you really want to know :O

Driverless cars... (3, Insightful)

russbutton (675993) | about 2 months ago | (#47149163)

Wait until we have driverless cars on the road. But I'm sure they'll all be bullet-proof secure, don'tcha think?

Re:Driverless cars... (0)

Anonymous Coward | about 2 months ago | (#47149425)

I'd say, if you are willing to, you could hack a car even nowadays, with the same severe results. You only need to get physical access once. So the problem is already there.

Re:Driverless cars... (1)

SuricouRaven (1897204) | about 2 months ago | (#47149669)

But think of the potential for abusing car-to-car networking.

"I'm late for work!"
*hackhackhack*
"Now I'm a fire engine! Move aside, everyone! Let the emergency vehicle through."

Re:Driverless cars... (1)

dkf (304284) | about 2 months ago | (#47149837)

But I'm sure they'll all be bullet-proof secure, don'tcha think?

What kind of glass are you using?

Oh, that kind of "bullet-proof". Not the Chicago Musicians' Union kind...

Re:Driverless cars... (1)

UrsaMajor987 (3604759) | about 2 months ago | (#47150231)

I assume that the coding will be done to a higher standard like other life critical systems (avionics, medical devices, etc.). The thing is the software driving a car has to be more complex than typical avionics systems since it has to understand what it is driving into in addition to controlling the car and dealing with various hardware failures. How are they going to ensure adequate testing? Is there even a standard for testing? Maybe more complex than the space shuttle software, which as I recall was pretty expensive.

But if it can be hack broken, it can be hack fixed (0)

Anonymous Coward | about 2 months ago | (#47149187)

At least, for many cases....

Re:But if it can be hack broken, it can be hack fi (3, Insightful)

plover (150551) | about 2 months ago | (#47149375)

Probably not unless the user wants it fixed, and most don't. People have plenty of experiences with patches breaking new things, or taking away old functionality they had come to depend on. When someone tells me "this patch will solve all your problems", they usually aren't advertising the list of new problems they're creating for me. Anyone who plays iPhone app games knows that the patches sometimes come with game-stopping bugs; other patches have been known to suddenly add annoying advertising.

Usually, I'm at a point of equilibrium where I am at least coping with the bugs in the devices surrounding me. If I know that the "mute button" on my GoogleTV box doesn't work unless I press it twice, I simply learn to press it twice; while I know it's a stupid workaround, it's one I can live with. What I might not be able to live with are the bugs that come with the next round of patches.

Now, we make that experience hurdle even harder to scale: as an end user, I think security patches are worse than regular patches. The end user doesn't see a physical benefit from the patches, but knows he might suffer. What does he care if his thermostat or washing machine is sending spam around the world, as long as his house is warm and his clothes are clean? But if he installs the patches, he risks having a cold house or dirty clothes, or even advertisements streaming across his refrigerator's screen. It's just not worth the risk to patch them.

And if you want to see a really risk-averse, don't-patch-me crowd, talk to the SCADA industrial control people. If you suggest you need to update the software running the sewage ejection pump, the city engineer is going to hand you an invoice for $20,000 and say "that covers my cost of testing your patch."

The poster is showing his prejudice. (4, Interesting)

mmell (832646) | about 2 months ago | (#47149205)

"Insecure by design". Faa.

"Poorly designed", or "incorrectly designed" - perhaps. I'm fairly sure that even the ATM designers who went with an embedded MicroSoft operating system felt that they had mediated security risks adequately to deploy their systems. Incidentally, I had a chance to peek inside a local casino's slot machines - all of them, regardless of external appearance were based on an identical piece of hardware. Watching them boot showed me a MicroSoft OS underlying those slots. Not a problem, as I'm fairly certain that none of the slot machines on the floor have any conceivable way of ever connecting directly to any network except for the dark wire casinos use for exactly this purpose.

My takeaway point is that the summary is (IMHO) slightly biased. The original article appears to be well written. Just to ask - how many embedded systems should be permitted to ever connect to the internet? ATM's, for example, should demonstrably be either confined to a darknet or (as I've seen in some places) required to use dialup access. It's not perfect, but it adds a significant obstacle for crackers to overcome. The casino I mentioned earlier seems to get this point.

I don't mind smart appliances - but again, I don't see why they need internet access. The exceptions to this (smart TV's, for example) should be viewed with suspicion specifically because they are likely to be connected to the internet in some way, but my smart refrigerator probably shouldn't be - and ATM's, slot machines, SCADA systems, etc. almost certainly should never be.

Damnit - gotta answer myself. (1)

mmell (832646) | about 2 months ago | (#47149343)

Page two of the article used the "Insecure by Design" meme. I guess the fault's with the article, not the poster.

And - yes, these kinds of incidents are mistakes. I stand by my previous assertion that nobody set out to create insecure embedded systems. Poor design, incorrect design, or just plain inept management oversight has led to these kinds of mistakes. Much as I'd like to blame MicroSoft for all of it, I can't. Sorry - love to, can't. I'm still certain that all of the entities involved believed they had correctly and adequately mediated the risks . . . that, or they had some PHB breathing down their necks to do as they were told. Happens all the time - ask Scott Adams.

Re:The poster is showing his prejudice. (1)

Aqualung812 (959532) | about 2 months ago | (#47149443)

Internet access isn't needed, though. You can do some searching and find ATM hacks using the mag card reader.
I would assume that with enough playing around, there may be a key combination that could cause an exploit on the slots, but the cameras all over the casino do a good job mitigating that threat.

Re:The poster is showing his prejudice. (3, Informative)

mythosaz (572040) | about 2 months ago | (#47150361)

Slots? Impossible :)

http://www.wired.com/images_bl... [wired.com]

The "hack" was to get the operator of the video poker machine to enable the "double or nothing" bonus, which had a unique bug.

Most newer video poker and slot machines allow (or can allow) you to play at various coin values. Each credit can be $0.01, $0.05, $0.25, $1, $5, etc.

This particular machine would allow you to wager at $0.01, reach the Double or Nothing screen, use a combination of keys to get to the credit value change screen, and return to the Double or Nothing wager with your bet still pending.

In short, you would put in a $100 bill. You would wager 100 of your 10,000 credits at $0.01/credit ($1) until you won, and when reaching the Double or Nothing screen, you would navigate out to the change credit screen. You'd change your credit value to $5 per credit (dropping you down to ~20 credits in the bank), return to the DoN screen with your bet IN CREDITS, NOT DOLLARS still pending and then you'd stand a chance to win 400 credits (twice your original CREDIT win) on your DoN bet. You could win $400 on $1, on what should have been a simple 2-1 (doubled) 4-1 payout.

The spread likely wasn't $0.01/$5.00, probably was $0.25/$2.00 at the most, but by picking and choosing good payouts to DoN on, they were essentially playing machines with a winning paytable. [Since DoN's didn't pay double or zero, they paid 16x or zero.]
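The bug above is a state-binding flaw rather than anything cryptographic: the pending wager was recorded as a credit count, and the denomination was allowed to change while that count was in flight. The following is an added example, mine rather than anything from the Wired piece or the comment, that models that sequence in a toy machine and shows the fix beside it. The class and method names, the 2x hand payout and the 1c/$5 denominations are assumptions for the illustration, so the dollar figures follow the mechanics rather than the comment's arithmetic.

```python
class VulnerableMachine:
    """Models the flaw described above: the pending Double-or-Nothing wager is
    recorded as a bare credit count, so it silently changes value when the
    player switches denomination mid-wager."""

    def __init__(self, cash_cents, denom_cents=1):
        self.bank = cash_cents            # player's balance, in cents
        self.denom = denom_cents          # cents per credit
        self.pending_credits = None       # DoN wager, stored in credits (the bug)

    def credits(self):
        return self.bank // self.denom

    def play_hand(self, bet_credits, hand_wins):
        """Stake bet_credits; a winning hand pays 2x and offers the win for DoN."""
        self.bank -= bet_credits * self.denom
        self.pending_credits = 2 * bet_credits if hand_wins else None
        return self.pending_credits

    def change_denomination(self, new_denom):
        self.denom = new_denom            # no check for an in-flight wager

    def double_or_nothing(self, wins):
        """Resolve the pending wager at the *current* denomination; returns cents paid."""
        payout = 2 * self.pending_credits * self.denom if wins else 0
        self.bank += payout
        self.pending_credits = None
        return payout


class HardenedMachine:
    """Same machine with the wager bound to money, not credits, and denomination
    changes refused while a wager is pending."""

    def __init__(self, cash_cents, denom_cents=1):
        self.bank = cash_cents
        self.denom = denom_cents
        self.pending_cents = None         # wager stored in cents

    def credits(self):
        return self.bank // self.denom

    def play_hand(self, bet_credits, hand_wins):
        stake = bet_credits * self.denom
        self.bank -= stake
        self.pending_cents = 2 * stake if hand_wins else None
        return self.pending_cents

    def change_denomination(self, new_denom):
        if self.pending_cents is not None:
            raise RuntimeError("denomination locked while a wager is pending")
        self.denom = new_denom

    def double_or_nothing(self, wins):
        payout = 2 * self.pending_cents if wins else 0
        self.bank += payout
        self.pending_cents = None
        return payout


def run_exploit(machine_cls, cash_cents=10_000, bet_credits=100, new_denom=500):
    """Replay the sequence from the comment: bet at 1c, win, switch to $5 credits,
    then take the DoN. Returns the cash (cents) the DoN win pays out."""
    m = machine_cls(cash_cents, denom_cents=1)
    m.play_hand(bet_credits, hand_wins=True)       # $1 stake, $2 win offered for DoN
    try:
        m.change_denomination(new_denom)
    except RuntimeError:
        pass                                       # hardened machine keeps 1c credits
    return m.double_or_nothing(wins=True)


if __name__ == "__main__":
    print("vulnerable DoN payout: $%.2f" % (run_exploit(VulnerableMachine) / 100))
    print("hardened DoN payout:   $%.2f" % (run_exploit(HardenedMachine) / 100))
```

The hardened version does two independent things: it stores the wager in money so a denomination change could not rescale it even if allowed, and it refuses the change while a wager is pending so the screen-navigation trick has no state to act on. Either alone closes this particular hole; both together mean a later UI change cannot reopen it.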

Re:The poster is showing his prejudice. (1)

Pentium100 (1240090) | about 2 months ago | (#47149527)

For some reason companies try to put computers and networks into everything. Take cars for example: not only are they full of computers running very complex software (most of which is not really needed), now there is even an internet connection for cars. Why? My 1982 car does not have an internet connection and I really don't see a reason why it should.

I started preferring simpler devices, usually ones that I can repair myself if they break. Sure, computers are an exception and I have an older smartphone (Nokia E90 - it has a proper keyboard, I hate touchscreens), but my other phone is a Nokia 1100 - a simple feature phone - because I only use it for calls and SMS. I also can understand how my car works without having to disassemble hundreds of megabytes of software and the electrical diagram takes up a single A3 page and most electrical problems usually are a result of a poor connection.

And no, I don't see a reason to connect my car, refrigerator or light bulb to the internet. I can use an IPTV set top box or connect a PC to a TV, but there is no reason for me to connect the TV itself to the internet.

Re:The poster is showing his prejudice. (5, Informative)

plover (150551) | about 2 months ago | (#47149673)

I don't mind smart appliances - but again, I don't see why they need internet access. The exceptions to this (smart TVs, for example) should be viewed with suspicion specifically because they are likely to be connected to the internet in some way, but my smart refrigerator probably shouldn't be - and ATMs, slot machines, SCADA systems, etc. almost certainly should never be.

Just because you haven't encountered a specific example for yourself doesn't mean they don't exist in the real world.


  • The TV? Netflix, of course.

  • The BluRay player? New keys for new disks, and to unlock "extra special downloadable content" (whatever that may be.)

  • The thermostat? You're coming home from summer vacation and want to turn on the A/C a few hours before you arrive.

  • The laundry machines? You're upstairs, out of earshot of the dryer, and want to know when the load is done so you can hang up your clothes to prevent wrinkles.

  • The smart refrigerator? Maybe you're having a problem, and need the technician to connect to it to remotely diagnose it and give you an estimate without making an expensive house call.

  • The freeze alarms? You're out of town during the winter, and want to be alerted if your house temperature drops to the point where it's threatening to freeze your water pipes, so you can call a neighbor for help or a repairman to fix the furnace.

  • The door camera, locks, and security alarms? You're still out of town and want to let the repairman in, so you look at the ID he holds up to the camera and remotely unlock the door for him.

  • The window shades? They're located high up in the skylights where you installed a motorized system to operate them, so it was a small additional expense to add a remote control. And as today may be very sunny, you want to close them while at work to keep the house cooler.

  • The dishwasher? It might need to know the scheduled price of electricity in order to avoid running during peak rates, and save you money.

These are not made up examples - they happen every day. If someone already has the connectivity, and pays for the equipment to have the capabilities, there's no reason they shouldn't also enjoy the convenience.

Note that this is true whether or not you personally think it's a good idea to connect your washing machine to the internet: the reality is Sally Soccermom and Charlie Cuttingedge already have houses full of this tech. You can buy all this stuff at Best Buy and Home Depot and Verizon today.

Of all of these systems, most are designed and built with a remote update mechanism. Some that aren't (door locks, freeze alarms) are generally run through a home automation controller that is itself updatable; so even if you can't remotely patch your freeze alarm, you can at least patch the controller that interfaces with the network. Also of note, most are aware of the typical home firewall configuration, and are designed to "phone home" to check for updates. They generally don't sit on the raw internet and listen for incoming connections, so the attacker generally has to get inside the firewall to abuse them (which is not that big of a problem for many models of firewalls, that's for sure.)

Re:The poster is showing his prejudice. (3, Interesting)

AdamHaun (43173) | about 2 months ago | (#47149983)

A lot of those examples are solved problems, and at worst are minor inconveniences. Many IoT proposals can easily be replaced with three existing categories of solution: "other people", "paying attention", and "non-networked computing". To address your specific examples:

Thermostat: Schedule the turn-on in advance. Alternately, come home, move your luggage inside, turn on the AC, and go out to dinner.
Laundry machines: Check a clock every so often.
Broken fridge: Show failure status on an LCD. Or have a USB port that you can plug a laptop or a smart phone into.
Freezing weather: Ask a neighbor or a friend to check on your house once every day or two. You may already be doing this if you have pets.
Door opening: See above re: neighbor or friend, or hide a key somewhere.
Out-of-reach window shades: Close them before you leave for work.
Dishwasher: Assuming that scheduling is really that much of a money-saver, start it manually before you go to bed. Or use a time delay. Or load the data into the washer via USB.

The more serious problems are much more rare, and that must be weighed against the constant vulnerability from having internet-connected appliances and the upkeep required to secure them.

Perhaps a better option would be to get away from the idea that networking should imply both internet access and full remote control. Is there any reason an embedded device can't limit communications to its own subnet? Stick an upgradable, patchable PC on the network to act as a master, and have it talk to the outside world. Meanwhile, the appliance should be designed at the hardware level so that remote access only gets you status information and the ability to trigger a few well-defined fail-safe modes. Using a stove as an example, you would be able to tell if the burners are on, or force them off, but you wouldn't be able to turn them on or change the heat setting.
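A sketch of the status-plus-fail-safe interface proposed in this comment, written here as an added example (not code from the thread); the subnet, the command names and the stove model are all assumptions:

```python
"""Capability-limited network interface for an appliance, illustrating the
stove example above: the network path can read status and force the burners
off, but has no entry point at all that turns heat on or changes a setting.
Added example, not from the thread; subnet and command names are assumed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed: the appliance only answers peers on its own subnet. A
# patchable PC on that subnet is what talks to the outside world.
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Stove:
    """Heat settings 0 (off) to 9 per burner. Only the front panel
    (set_heat) can raise a setting; the network never reaches it."""
    burners: dict = field(default_factory=lambda: {"front": 0, "back": 0})

    def set_heat(self, burner: str, level: int) -> None:
        if burner not in self.burners or not 0 <= level <= 9:
            raise ValueError("invalid burner or level")
        self.burners[burner] = level

    def force_off(self) -> None:
        for name in self.burners:
            self.burners[name] = 0


class RemoteInterface:
    """Closed allowlist: the dispatcher maps command names to handlers and
    nothing else is reachable, so 'set_heat' is not a rejected command but
    simply absent. Every request, accepted or not, is recorded for audit."""

    def __init__(self, stove: Stove) -> None:
        self.stove = stove
        self.audit: list = []
        self._handlers = {
            "status": self._status,        # read-only
            "force_off": self._force_off,  # the one fail-safe action
        }

    def handle(self, source_ip: str, command: str) -> dict:
        try:
            src = ipaddress.ip_address(source_ip)
        except ValueError:
            return self._reject(source_ip, command, "malformed source address")
        if src not in LOCAL_SUBNET:
            return self._reject(source_ip, command, "source not on local subnet")
        handler = self._handlers.get(command)
        if handler is None:
            return self._reject(source_ip, command, "unsupported command")
        result = handler()
        self.audit.append((source_ip, command, "ok"))
        return result

    def _reject(self, source_ip: str, command: str, reason: str) -> dict:
        self.audit.append((source_ip, command, reason))
        return {"ok": False, "error": reason}

    def _status(self) -> dict:
        return {"ok": True, "burners": dict(self.stove.burners)}

    def _force_off(self) -> dict:
        self.stove.force_off()
        return {"ok": True, "burners": dict(self.stove.burners)}


def demo() -> dict:
    """Walk the scenario: someone at the panel turns a burner on, a local
    controller reads status, an off-subnet peer is refused, an attempt to
    set heat over the network is unsupported, and a local force_off works."""
    stove = Stove()
    net = RemoteInterface(stove)
    stove.set_heat("front", 7)  # physical panel only; no network path here
    results = {
        "status": net.handle("192.168.1.20", "status"),
        "remote": net.handle("203.0.113.5", "force_off"),   # constructed outside address
        "set_heat": net.handle("192.168.1.20", "set_heat"),
        "force_off": net.handle("192.168.1.20", "force_off"),
    }
    results["final_burners"] = dict(stove.burners)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```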

Re:The poster is showing his prejudice. (2, Informative)

radish (98371) | about 2 months ago | (#47150087)

Door opening: See above re: neighbor or friend, or hide a key somewhere.

A truly special reply suggesting mitigating a theoretical, limited, network security vulnerability by quite literally leaving the physical keys to the castle out in public. Please hand in your risk assessment credentials at the door.

Re:The poster is showing his prejudice. (2)

plover (150551) | about 2 months ago | (#47150429)

You completely missed the point. Nobody cares if you don't want your stuff connected to the internet, or if you have clumsy workarounds to offer them.

This stuff already exists and it is already connected to the internet. It is an existing problem that will only get worse as more stuff is added.

It doesn't matter if you personally think hooking things to the network isn't safe. They're not products under your control. Samsung and JVC and Sony and LG and Panasonic and Honeywell and everybody and his brother are already making metric butt-tons of money filling homes with this equipment. They're not going to stop making money just because you think it's a bad idea. Many people want them, and you won't persuade them otherwise.

Worse, just because you don't put them in your house doesn't mean they're not your problem: perhaps you cheesed off some gold farmer when you were playing World of Minecraft, and he hires a botnet to DDoS you out of the game. The bot herder fires up his DDoS cannon, which conscripts the help of unsecured thermostats around the world, and they all hammer you until your ISP drops your connection.

You may not be contributing to the problem, but you're not in a position to contribute to the solution, either. All we can do is deal with the fallout.

Re:The poster is showing his prejudice. (1)

Anonymous Coward | about 2 months ago | (#47150163)

Remote monitoring is one thing. However, I remember when houses were broken into, left and right, due to garage door openers. A friend of mine got broken into three times until she put a keyswitch in a hidden place that depowered the opener, and a conventional manual garage door lock. Rolling codes help mitigate this slightly.

As for electronic locks on the doors? That is just asking for trouble. A mechanical lock like an Abloy PROTEC2 will do quite well. If I'm worried about someone 3D printing my key, I'll go with an EVVA MKS, that uses eight magnets, or add the CLIQ functionality to the Abloy cylinder which gives electronic locking, but not connected to anything whatsoever, except the key.

Re:The poster is showing his prejudice. (1)

Archangel Michael (180766) | about 2 months ago | (#47149895)

Not a problem, as I'm fairly certain that none of the slot machines on the floor have any conceivable way of ever connecting directly to any network except for the dark wire casinos use for exactly this purpose.

I'm sure they connect to a network. The question is, is the network attached or otherwise accessible from outside, or by other means (social engineered hack). Unless the network is 100% completely separated from the outside (and even then..) it is at risk.

WMS has slots with online links (1)

Joe_Dragon (2206452) | about 2 months ago | (#47150277)

player life has a web site and is tied to games in lots of casinos

I'd tend to take the opposite view on this. (0)

Anonymous Coward | about 2 months ago | (#47149207)

If it is not patchable, then it is also impossible for someone to modify it ("hack it") to their liking.
Many devices are not designed to last a decade. When it dies you put in another.
And often security on devices that we think secure is very weak, making us do foolish things such as trusting them with storing valuables. In such cases we would have been better off digging them down in the garden, or carrying them with us.

A big fat safe is a big honey pot for those who are after valuables, and if it is not as secure as we think, we would have done better with NO security, and instead stored the valuables in plain sight.

Re:I'd tend to take the opposite view on this. (1)

Richy_T (111409) | about 2 months ago | (#47149595)

It's Blade Runner all over again.

I have just one question. (0)

Anonymous Coward | about 2 months ago | (#47149209)

Would you mind telling me why there's Rice-A-Roni in my coffee?

Re:I have just one question. (1)

NoNonAlphaCharsHere (2201864) | about 2 months ago | (#47149499)

Those are maggots, not Rice-A-Roni.

wait (2, Interesting)

Charliemopps (1157495) | about 2 months ago | (#47149215)

"Unpatchable" does not mean "Unsecured"; in fact, I'd say it adds to security in many senses. A system that can't be patched can also not be altered to do the attacker's bidding. At the very least, any privileges the attacker may have access to cannot be elevated to create some even worse situation. Worst case scenario, you just disconnect power to the device in question. Submit it for warranty repair. If you're using a closed source software product out of warranty/support it's your own stupid fault.

Re:wait (1)

plover (150551) | about 2 months ago | (#47149793)

A system that can't be patched can also not be altered to do the attacker's bidding.

That's not completely true. Even if a device loads its code from ROM on every reboot, with no capability of flashing new software, an attacker can still patch the running instance of code to do his evil bidding. Many machines will run for months or years without rebooting, allowing the attacker to benefit from them over and over.

The attackers who are hacking into your thermostat or washing machine have little interest in making your house hot, or your clothes dirty. They want to make money. They do that by adding zombies to their bot farms, which can participate in DDoS attacks; they can broadcast spam to hundreds of victims; they can host malware; they can spy on your banking PC; they can serve as a cutout relay for other attacks, etc. In most cases, the attacker wants your thermostat and washing machine to keep working without interruption to you so you don't even know they're infected.

If the machine is rebooted, the malware is gone, but so what? The attacker already made his profits.

But that's great (0)

Anonymous Coward | about 2 months ago | (#47150379)

At least my fridge will be running perfectly forever, as it is in the hacker's interest to ensure it works.
If I have the choice between a pimply Russian kid, or some bumbling idiot from the appliance store, I'll go with the Russian kid.
I'll just make sure to install all smarthouse stuff on a separate, wide open network, and all my sensitive information on a hardened network.
And using routers that contain no firmware to hold configuration, but require jumpers for anything.

Re:wait (1)

znrt (2424692) | about 2 months ago | (#47149795)

this makes no sense. nothing is unpatchable. where you read "unpatchable" you should read: "we will not patch it because it isn't profitable, so please upgrade to our new shiny shit which we obviously won't patch either".

of course folks with malicious intent can find a way to patch it, and will. there is nothing adding to security here, quite the contrary. it's just a big clusterfuck. industry is only interested in perceived security. then of course people get what they pay for.

time to take opensource software and hardware seriously, already? not yet? ooooooook ...

Re:wait (2)

plover (150551) | about 2 months ago | (#47150227)

There are plenty of embedded systems that are "unpatchable": those that have their programs burned into ROM instead of Flash or EEPROM. The physical hardware required to modify the ROM chips simply doesn't exist in the equipment the manufacturer shipped; or the chips themselves may not even be modifiable once burned.

However, "unpatchable" does not mean they are "unhackable", as the CPU of a von Neumann architecture chip can still be subverted to execute code dynamically loaded into a RAM buffer (and the code in the ROM can still be used by the attacker using techniques like ROP.) The chances are the manufacturer didn't leave the attacker much extra RAM to play with, but if all he's looking to do is have it execute a DDoS attack (sending ACKs to his victim in a tight loop) it's probably enough to wreak havoc. Or he might be looking for a simple IP proxy just capable enough to forward his network traffic.

Yes, a reboot will refresh the RAM and remove the malware, but that generally won't matter to the attacker. If he hacked it once, he can hack it again; or he might have a thousand more smart toasters in his robot army, all of which are sending the same DDoS attack.

Any vulnerabilities they were shipped with, they still have today; and you simply can't fix them without replacing some hardware.

Getting it right the first time isn't an option? (0)

Anonymous Coward | about 2 months ago | (#47149229)

Software has made people complacent with regard to code quality. You can always patch, can't you? Well, you can't. Get it right!

Fine (1, Funny)

Anonymous Coward | about 2 months ago | (#47149231)

Explain to me where I'm supposed to get my GEOS updated for my Commodore 64? And I sent in my warranty registration card, but I never heard back from them.

Re:Fine (0)

Anonymous Coward | about 2 months ago | (#47149445)

ask Maurice?

Here's an idea... (0)

Anonymous Coward | about 2 months ago | (#47149289)

How about NOT PUTTING A COMPUTER IN EVERYTHING AND MAKING IT CONNECT TO THE INTERNET!

The basic problem is a bunch of techno-brats who think that everything is better when connected to the internet. No, it just isn't. My thermostat is just a device on my wall which regulates my furnace - it has no business being internet-enabled. My car is a machine for driving down the road - maybe electronic servos for controlling some things make sense, but they have no business being internet-enabled.

Honestly, let's try to learn from history here. Facilities that worry about security start with air-gapping their networks so that one simply cannot get into the system from the outside. There is a very, very good reason to keep things inaccessible. Really, there is...

Security (2)

fyngyrz (762201) | about 2 months ago | (#47149651)

My thermostat is just a device on my wall which regulates my furnace - it has no business being internet-enabled.

What if that could save you money? (it can.) What if it adds convenience and security? (it can.) What if it informs you about your usage such that you can improve your comfort level? (it can.) What if it gives you remote information, such as "the heater has failed, the pipes will freeze, you need to come deal with this" (it can.) What then? Still no business being Internet enabled?

It's not a failure of needlessly Internetting the device; it's a failure of vision on your part (and perhaps a failure on the manufacturer's part to make a secure device... that can be fixed, and pressure should be applied so the fix happens.) Sure, you can get along with your old thermostat. You could get along with a coal stove instead of a gas or electric range, too. But most of the time, not such a good idea.

Facilities that worry about security start with air-gapping their networks so that one simply cannot get into the system from the outside. There is a very, very good reason to keep things inaccessible. Really, there is...

The problem isn't accessibility. That's just a stopgap, though certainly a highly effective one. The real problem is security. Worthy of raving about, for sure. But with the idea of making it actually secure -- not of dumping capability out the window because of too little effort expended.

Re:Security (1)

TheP4st (1164315) | about 2 months ago | (#47150367)

My thermostat is just a device on my wall which regulates my furnace - it has no business being internet-enabled.

What if that could save you money? (it can.) What if it adds convenience and security? (it can.) What if it informs you about your usage such that you can improve your comfort level? (it can.) What if it gives you remote information, such as "the heater has failed, the pipes will freeze, you need to come deal with this" (it can.) What then? Still no business being Internet enabled?

Does it really have to be internet connected to save you money? By sacrificing a little bit of convenience you could gain a lot of security on your device and at the same time avoid having some asshat script kiddie in another state or country cause your cost-saving device to actually make you spend more money just for the fun of it. Or worse, turn off your furnace, disable your warning system and make it generate "All is OK" reports while you are soaking away in the sun with an umbrella drink in hand, blissfully unaware that your pipes just burst due to the freezing temperatures back home. Why would it need an internet connection to provide me with usage statistics that can be used to save money? It really isn't that hard to run a cable from your device to your PC to download the data for analysis. Slightly less convenient, yes, and most likely an inconvenience that will be a turn-off for many potential customers.
And an internet connection is most definitely not necessary for a system to give me remote information such as "the heater has failed, the pipes will freeze, you need to come deal with this". Home alarm systems have provided messages such as "The alarm has been triggered due to a potential home intrusion...." for at least 3 decades using regular phone lines and emergency numbers set by the owner, commonly to neighbors and family.

Re:Security (1)

mythosaz (572040) | about 2 months ago | (#47150391)

You haven't ruled out the possibility that I'm a Luddite, curmudgeon or better yet, both.

Re:Here's an idea... (1)

Bengie (1121981) | about 2 months ago | (#47150295)

You may not want to connect your thermostat to the Internet, but you may want it connected to your home network, which so happens to have Internet access. The heating and cooling system in my old home from 10 years ago kept a multi-year log of each and every time the heating or cooling kicked on, what temp it was, what the humidity was, and all kinds of other stuff. Accessing it over a serial port was annoying. It would have been a lot more convenient if it had a web server that ran over wifi or Ethernet.

Watch People Lose Their Shit (0)

Anonymous Coward | about 2 months ago | (#47149303)

Read through to the third page and realize that the proposed solution is to build in an official end-of-life to the device such that when you buy it, you'll know to the day when it will expire (or at least disable its network functionality). I predict a large number of posters totally losing their shit over that.

But what you need to do is read the guy's actual presentation where he makes a very convincing argument that all the alternatives aren't sufficient.

https://securityledger.com/201... [securityledger.com]

Re:Watch People Lose Their Shit (1)

Anonymous Coward | about 2 months ago | (#47149459)

So you get a couple of years to use a product that is riddled with security holes which aren't going to be patched, and then you need to buy another buggy product for another round of exploits that you can't defend against because there still aren't going to be any updates. Just because a product gets an official end-of-life date doesn't mean it magically becomes secure until that date.

The software industry needs to be made liable for software flaws. Way too many businesses write shoddy software for applications with a massive security footprint, always chasing first-to-market. There isn't just no incentive to get it right, there is a huge incentive to get it wrong by riding roughshod over code quality in order to save time. The situation won't improve until releasing products with exploitable software creates a dire financial risk for the manufacturer.

Re:Watch People Lose Their Shit (0)

Anonymous Coward | about 2 months ago | (#47149827)

AHah! Someone who didn't read the linked presentation and loses his shit thinking there is a better way - a way that was addressed in the presentation and shown to be insufficient.

Re:Watch People Lose Their Shit (0)

Anonymous Coward | about 2 months ago | (#47150025)

Dude, tl;dr. Also, why would I read something written by a person who doesn't know what Moore's Law says?

A systemic problem (3, Insightful)

rijrunner (263757) | about 2 months ago | (#47149337)

There are two bleeding edges. One is the leading edge of cutting technology.

The other is the trailing edge where systems age out because they take a lot of effort to update.

One way the trailing edge cannot be updated is because the overall system is designed to where there are critical parts that cannot be monkeyed with in a low risk scenario. (This does happen).

The other option on the trailing edge is where the systems are not worth the effort. Most of the Internet of Everything appliances really have zero income after the first few months and yet are expected to have a longer lifetime than many major IT infrastructure requirements.

What happens when the behavior changes (1)

Marrow (195242) | about 2 months ago | (#47149351)

Your fridge sends out a little packet that says: "Hey, I am past my warranty! Time to up the ad volume to MAX". Or: "Please press OK to agree to the new privacy terms and conditions or your device won't work anymore".
There are many serious problems that are here NOW and must be addressed.

Re:What happens when the behavior changes (1)

SuricouRaven (1897204) | about 2 months ago | (#47149705)

More likely:
"Hey, manufacturer! Spike in consumption of chocolate icecream simultaneous with mustard detected. Suggest switching advertising focus to baby clothes and formula milk."

Does not matter (1)

cyberspittle (519754) | about 2 months ago | (#47149353)

I am more worried about people not patching what can be patched.

Easy. (2)

roc97007 (608802) | about 2 months ago | (#47149359)

Make them patchable over the internet by default.

Oh, wait...

Who cares? It all sucks anyway (2)

gelfling (6534) | about 2 months ago | (#47149369)

The overall level of system quality is so piss poor anyway, what does it matter that your toaster is going to try to kill Sarah Connor? Anyone read the news recently? Car makers recalled about eleventy zillion cars recently and half the problems were on board computer based. Are you going to lose any sleep that your refrigerator will get hacked and join Skynet? Because the real problem is going to be that when your refrigerator blows an 80 cent part on a 2 dollar circuit board it's going to cost $1100 to 'repair'.

Not connected (0)

dargaud (518470) | about 2 months ago | (#47149395)

I design embedded systems. None of my systems are connected to a public internet, so why should it matter if they aren't ever updated ?!? Sure, the command/control PCs that connect to them WILL be regularly updated, but those won't. And always remember: "'Always apply the latest updates' and 'If it ain't broke, don't fix it' are the two rules of system administration..."

Re:Not connected (0)

Anonymous Coward | about 2 months ago | (#47150167)

I design embedded systems. None of my systems are connected to a public internet, so why should it matter if they aren't ever updated ?!? Sure, the command/control PCs that connect to them WILL be regularly updated, but those won't. And always remember: "'Always apply the latest updates' and 'If it ain't broke, don't fix it' are the two rules of system administration..."

"If it ain't broke, don't fix it" doesn't apply anymore. Do you really know what is broken and what is not broken? Have you verified the integrity of the entire system? Modern malware will almost always ensure that normal operations run smoothly. Check with the recently unemployed CIO of Target if you don't believe me.

What this really amounts to is "If, from what I can see by looking at the pretty screen ain't broke, don't fix it." Good luck with that.

Oh, and "Always apply the latest updates, after you've verified they won't break anything by running a complete QA test suite." FTFY

Trusted by default - right phrase, wrong context (1)

ka9dgx (72702) | about 2 months ago | (#47149465)

The problem IS that things are trusted by default... but not in the way the author thought. If you trust every program you run by default, you are doomed. An operating system should NEVER trust anything by default... Linux, Windows, OSX all violate this principle. So do embedded devices based on some variant of them.

Never trust by default, and you stop having to worry about side-effects, and start deciding what the limits are ahead of time.

"Coming IT Nightmare?!?" (1)

Anonymous Coward | about 2 months ago | (#47149487)

That nightmare is a reality for most Sys/Security Admins. Very common are control systems that you simply cannot touch, or you end up out of compliance with the vendor and unsupported. Companies with multi million dollar control systems don't want to hear about "patches" and "vulnerabilities", they just need them to work for business productivity's sake. But of course the vendor needs remote access, so the device needs internet access.

There is no coming nightmare, it's been a part of life for decades: insecure systems with business needs and no concern for security implications. The business accepts the risk despite protests and it gets set up or you get fired.

Embedded System Designer's Opinion (4, Informative)

Murdoch5 (1563847) | about 2 months ago | (#47149539)

Well, as an Embedded System Designer I have to speak up here: systems are usually not insecure because of lazy development, systems are insecure because clients, managers and stakeholders don't provide proper funding, deadlines or requirements. The number of times I've had to go to a manager or project manager and ask them to clarify a customer's request is almost sad. The number of times I've had to go to the same group and ask for twice or three times the amount of time to develop a solution is almost sad, and the number of times I've had to ask for much more funding to do a proper job is sad. For some unknown reason embedded designers aren't treated like normal software developers, and the truth is we aren't. We don't rely on some insecure patched to hell OS to keep us safe and we don't trust laughable memory managers and kernels to keep us crash free and running smooth. We do the real work in the development world and generally it's the GUI designer who takes the credit.

We generally don't work in the world of garbage collected and managed languages, we don't work in the world where everything is already set up and ready to be called through some piss poor abstracted class implementation of system.IO and we don't get safety nets under us to catch what falls through in some kind of completely illogical and messed up exception error system ( C# ). To say embedded systems are insecure is really another way to say one of several things:

1. You didn't allocate enough time, money or proper requirements.
2. You didn't hire someone who is qualified to do the job, such as putting a desktop developer onto an embedded project.
3. You didn't consider security when you dreamed up your fragmented and broken project idea.

This is of course mitigated by a great developer who will go back to the table of executives and tell them they need what they need and won't start until it's delivered. You can't treat an embedded project like a normal software project; when you do you'll end up with systems that make Microsoft proud ( aka 0 security and patch opportunities to fly to the moon ). You need to treat an embedded project like an embedded project and give the embedded developer what he / she needs. Doing otherwise will always end you up shit creek, and generally the manager or stakeholder is left with the paddle looking like a fool.

Re:Embedded System Designer's Opinion (0)

Anonymous Coward | about 2 months ago | (#47149905)

> To say embedded systems are insecure is really another way to say one of several things:

No, it is far more complicated than you realize. Or put differently, to truly secure a device requires essentially infinite resources. Part of the problem is that as the developer you get one shot to do it right, maybe a handful if there is a lot of money involved for updates (and that presumes that the updates are even installed) but attackers get years and years to figure out how to exploit it.

Consider this example:
"Trust Analysis, i.e. determining that a system will not execute some class of computations, typically assumes that all computation is captured by an instruction trace. We show that powerful computation on x86 processors is possible without executing any CPU instructions. We demonstrate a Turing-complete execution environment driven solely by the IA32 architecture’s interrupt handling and memory translation tables, in which the processor is trapped in a series of page faults and double faults, without ever successfully dispatching any instructions. The "hard-wired" logic of handling these faults is used to perform arithmetic and logic primitives, as well as memory reads and writes. This mechanism can also perform branches and loops if the memory is set up and mapped just right. We discuss the lessons of this execution model for future trustworthy architectures."

https://www.usenix.org/conference/woot13/workshop-program/presentation/bangert

"with many fathers"? (1)

sideslash (1865434) | about 2 months ago | (#47149591)

[...]affecting everything from mom-and-pop shops to power stations. This unpatchable hell is a problem with many fathers, from recalcitrant vendors to customers wary of[...]

This is a weighty issue. I will take it before the elders of my own company -- surely those wise fathers will know what to do. In the meantime, send forth the maidens to wail and weep in the streets, that all the people may know how grievous is this news.

Why I like open source (0)

Anonymous Coward | about 2 months ago | (#47149843)

I can run OpenWRT on my home wireless routers. These are very close to embedded and run on tight hardware requirements. Years after the vendor has abandoned updating the device I still get timely updates.

Perhaps if there were a law stating that once the vendor officially ends support they have to disclose the source to the public, we would have a chance?

No "Unpatchable Systems" (2)

NotInHere (3654617) | about 2 months ago | (#47149939)

We don't have unpatchable systems. What we have are vendors not wanting to maintain support for too long, as they want to force people into always buying the newest to generate revenue.
There is this overall trend in the IT industry that hardware gets softer and softer. With every generation, more features are implemented in software, and therefore are, in theory, patchable. But the possibilities of the soft hardware don't meet the commercial interests of the companies.

We have multiple benefits when using computer machines for doing humans' work. But we also need to realize this doesn't come for free. Either we live with vulnerable systems, or we update them, simple as that. When purchasing new hardware it should always be a question to ask whether the software can be updated, and how the hardware will be maintained. Compliance usually performs badly in this regard. Use well-known parts, and be as mainstream as possible.

Computers don't have a long history of serving humans yet. I hope these update issues are a problem of the first generations.

Don't mess with my drone (0)

Anonymous Coward | about 2 months ago | (#47150101)

Mess with my drone and I'll get my other drone and mess with you!

GoFlex (0)

Anonymous Coward | about 2 months ago | (#47150225)

A good example and something to avoid

Why? (1)

Sir Holo (531007) | about 2 months ago | (#47150247)

Why would I ever want my refrigerator to have internet access?

The marketers, sure, they want me to think that I need that. But, really, what conceivable value or advantage would the ($30-extra purchase price) confer to me?

None? Well, I must be a sucker.

Or, wait, I have to actually exert more effort to maintain the internet security of my refrigerator, which wasn't and should have never been internet-connected in the first place? If you find yourself in this latter situation, you are dumber than a sucker, mark, or rube. You are the problem.

Toaster security (1)

mikew03 (186778) | about 2 months ago | (#47150261)

I think we have to face the fact that we're moving beyond an era where we can secure systems and instead need to move towards mitigating the damage.

Let's think about our unupgradeable internet enabled toaster that counts our calories and orders fresh bread when it detects we've used up what we have. If that toaster gets hacked there are a few possible results:

1) It might set your house on fire. This should be mitigated by all toasters having appropriate physical sensors that are not software controlled to prevent a fire. A simple thermal fuse would cost only a cent or two. A manufacturer who builds a toaster that can be set on fire over the internet under any circumstances should face significant liability.

2) Your toaster might be turned into a spam machine or bitcoin miner or something similar. If this renders your toaster non-functional then you will throw it out because it's broken and it's no longer a problem.

3) Your toaster might be more carefully owned and remain functional. This is obviously the worst case. But the way to handle this is with improved perimeter defenses. Routers should be enhanced to monitor for suspicious activity. You could get a virus alert or similar that notifies you your toaster is behaving oddly.

The level of protection needed depends on the device. Something with a camera or microphone needs more thoughtful security than a toaster. (Until our toasters include facial recognition to tune the desired level of toastiness).

Another related thought. One big issue we have is that embedded systems are often networked together. Traffic lights for instance. My first choice would be that such devices not be on the internet, but if they must, I think we could create some isolation or sandboxing. Imagine if each embedded traffic light had a mini-router chip that had some sort of unalterable channel code. Make sure that a traffic light can only talk to other traffic lights or control hardware with the same channel code. Beyond that, I think you are going to again have to rely on perimeter defenses built into routers to detect and interdict command/control from hackers and detect abuse of the traffic lights. Networked but safety-critical systems such as traffic lights should have a fallback unnetworked mode (old-fashioned timing in the case of traffic lights).

The point is there isn't any one-size-fits-all solution, but if we focus on risk reduction, perimeter detection and, where critical, ways to disable networked behavior, we can protect our infrastructure significantly better than it is now.
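
As an added example (not code from the commenter above, nor from any real router firmware), here is the kind of per-device egress check the comment's "enhanced router" could run over exported flow records to catch outcomes 2 and 3: a device contacting destinations outside its allowlist, a burst of connections to many mail servers (spam relay), or outbound volume far above what the device should ever need. The device inventory, MAC addresses, allowlisted hosts, byte budgets and the flow records are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound flow record, as a home router might export (constructed)."""
    src_mac: str
    dst_ip: str
    dst_port: int
    bytes_out: int


# Constructed inventory for the IoT segment: each device gets an egress
# allowlist of (destination IP, port) pairs and a daily outbound byte budget.
# A toaster that only orders bread never needs more than the vendor API.
DEVICES = {
    "aa:bb:cc:00:00:01": {
        "name": "toaster",
        "allow": {("203.0.113.10", 443)},
        "byte_budget": 50_000,
    },
    "aa:bb:cc:00:00:02": {
        "name": "camera",
        "allow": {("203.0.113.20", 443), ("203.0.113.21", 443)},
        "byte_budget": 5_000_000,
    },
}

MAIL_PORTS = {25, 465, 587}
MAIL_HOST_THRESHOLD = 5  # distinct mail servers before we call it a spam relay


def analyse(flows):
    """Return a sorted list of unique (device, reason) alerts for a batch of flows."""
    alerts = set()
    bytes_by_mac = defaultdict(int)
    mail_hosts_by_mac = defaultdict(set)

    for f in flows:
        dev = DEVICES.get(f.src_mac)
        if dev is None:
            # Anything not in the inventory has no business on this segment.
            alerts.add((f.src_mac, "unknown device on IoT segment"))
            continue
        bytes_by_mac[f.src_mac] += f.bytes_out
        if (f.dst_ip, f.dst_port) not in dev["allow"]:
            alerts.add((dev["name"], f"egress outside allowlist: {f.dst_ip}:{f.dst_port}"))
        if f.dst_port in MAIL_PORTS:
            mail_hosts_by_mac[f.src_mac].add(f.dst_ip)

    # Volume and fan-out checks need the whole batch, so they run afterwards.
    for mac, total in bytes_by_mac.items():
        budget = DEVICES[mac]["byte_budget"]
        if total > budget:
            alerts.add((DEVICES[mac]["name"], f"outbound volume {total} exceeds budget {budget}"))
    for mac, hosts in mail_hosts_by_mac.items():
        if len(hosts) >= MAIL_HOST_THRESHOLD:
            alerts.add((DEVICES[mac]["name"],
                        f"contacted {len(hosts)} distinct mail servers (spam relay pattern)"))
    return sorted(alerts)


def alerts_by_device(alerts):
    """Group (device, reason) pairs into {device: [reasons]} for reporting."""
    grouped = defaultdict(list)
    for device, reason in alerts:
        grouped[device].append(reason)
    return dict(grouped)


# Constructed sample batch: one normal toaster call, a spam burst from the
# toaster, a camera that overshoots its budget, and a MAC nobody registered.
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", "203.0.113.10", 443, 1_200),
    *[Flow("aa:bb:cc:00:00:01", f"198.51.100.{i}", 25, 800) for i in range(1, 7)],
    Flow("aa:bb:cc:00:00:02", "203.0.113.20", 443, 4_000_000),
    Flow("aa:bb:cc:00:00:02", "203.0.113.21", 443, 2_000_000),
    Flow("aa:bb:cc:ff:ff:ff", "203.0.113.10", 443, 300),
]

if __name__ == "__main__":
    for device, reasons in alerts_by_device(analyse(SAMPLE_FLOWS)).items():
        for reason in reasons:
            print(f"{device}: {reason}")
```

The allowlist is the load-bearing part: it is the software equivalent of the comment's "channel code", in that a compromised device can still only reach the handful of hosts it was provisioned for, and anything else is visible at the router even when the device itself can no longer be patched.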

Re:Toaster security (1)

Brett Buck (811747) | about 2 months ago | (#47150533)

My idea - don't hook a toaster to the internet. If you want to set it to toast before you wake up, I can get you a $5 60-year-old clock radio that will switch the power on when the alarm goes off.

    Same with every other trivial example in this thread. Critical embedded system = don't hook to internet.

      Brett
