Do Embedded Systems Need a Time To Die?
chicksdaddy writes: "Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption. 'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?' he wondered. Geer noted the appearance of malware like TheMoon, which spreads between vulnerable home routers, as one example of how a population of vulnerable, unpatchable embedded devices might be cobbled into a force of mass disruption. Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of 'end of life,' past which they will cease to operate. Allowing embedded systems to 'die' will remove a population of remote and insecure devices from the Internet ecosystem and prevent those devices from falling into the hands of cyber criminals or other malicious actors, Geer argued."
... change the password to something other than the default.
What the guy is saying is all devices must be connected 24/7 or they will be removed from use. Since removal from use is obviously undesirable in the long run, his message is all devices must be connected all the time (possibly to "trusted" remote points managed by In-Q-Tel's masters - you know who you are).
What is this guy's definition of "remote"? Can I manage my embedded devices from my own servers? Is that not remote enough?
Does it have to be a "cloud" setup hosted somewhere deep in Utah with a bunch of Booz Allen people managing it?
Looking forward to remotely activated microphones in my washing machine and toaster, to improve the user experience.
You'll have to install custom firmware to prevent things from having to go to the dump on their third birthday?
Seems pretty ridiculous, not to mention that it can still have a hole exploited on the day they launch the device, and not be updated for years (in its allotted lifespan).
I'm more for the option of make things easier to update, and, the important part... actually release bloody updates! I'm looking at you, almost every embedded device manufacturer out there.
Sent from my PDP-11
Imply the opposite of what is expected, without regard for reality, truth or common sense. Ex:
"'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?"
Look at this amazing thinker. Didn't he just blow your fucking mind?
How about just not connecting those systems to the internet in the first place? Seriously, this is not a hardware issue but a people issue. Some idiot somewhere wants to be lazy and doesn't take the time to properly secure systems.
My thermostat will never be connected to anything and does not need an end of life thank you very much. And I want to see the manager who will approve buying this kind of stuff.
10 ?"Hello World" life was simple then
What could possibly go wrong ? A PLC controlling a plant stopping at some random date is perfectly acceptable, right. I'm sure manufacturers will love this. A guaranteed replacement market is a wet dream for any market.
Here's a better idea. Charge anyone who ships unpatchable and unpatched hardware with sponsoring terrorism, because it's their laziness causing the problem.
Why the hell should I be forced to buy, buy, and rebuy the same god damned hardware over and over to save them from patching their shitty systems that they sell?
I do not fail; I succeed at finding out what does not work.
These are not consumer items. Industrial systems seldom live just one life, and after being decommissioned they usually go up for auction to be recommissioned somewhere else. If you artificially disrupt this dynamic you cause enormous economic loss, and for what? To perpetuate a buzzword?
The entire proposal is barking up the wrong tree.
It is however a moderately interesting insight into the echo-chamber of national intelligence. Rather funny to see how Mr. Geer talks about monocultures while laying on their own lore _thick_.
All rites reversed 2010
If a device does not have a way to keep track of time (e.g. a built-in real time clock, with a backup battery that will last for the duration of the device's 'lifetime'), then it becomes vulnerable to permanent denial of service when something spoofs a fake future date and time. What happens when a hundred thousand devices go offline because someone spoofed an NTP response?
You may as well force every device to have a kill switch and remotely shut it down when it's too old. At least that'll probably require some kind of public key signature from an authenticated service (in the same way you'd authenticate a remote firmware update).
What I'm trying to say is this is one of those 'management ideas' that sounds great in the philosophical sense, but fails in technical merit.
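An added example (not from this comment or from In-Q-Tel) contrasting the two designs above: an expiry check that trusts whatever NTP says, and one that only advances on time statements signed by a vendor management key, so a spoofed NTP reply cannot brick the fleet and a replayed old statement cannot roll the clock back. The management key pair and the 8-byte-timestamp-plus-signature wire format are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Device models an embedded unit with a built-in expiry date. It keeps two
// notions of time on purpose: the wall clock learned from the network (which
// an NTP spoofer controls) and a high-water mark that only advances on time
// statements signed by the vendor's management key.
type Device struct {
	mgmtPub   ed25519.PublicKey
	expiresAt uint64 // unix seconds after which the device stops operating
	wall      uint64 // last NTP-derived time, untrusted
	trustedHW uint64 // highest authenticated time seen, monotonic
}

// GenerateMgmtKey makes a vendor management key pair (hypothetical vendor PKI).
func GenerateMgmtKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewDevice(pub ed25519.PublicKey, expiresAt uint64) *Device {
	return &Device{mgmtPub: pub, expiresAt: expiresAt}
}

// SignTime builds a time statement: 8-byte big-endian unix seconds followed by
// an Ed25519 signature over those bytes (constructed wire format for this example).
func SignTime(priv ed25519.PrivateKey, unix uint64) []byte {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, unix)
	return append(msg, ed25519.Sign(priv, msg)...)
}

// ApplyNTP records an unauthenticated network time. Nothing else trusts it.
func (d *Device) ApplyNTP(unix uint64) { d.wall = unix }

// ApplySignedTime accepts a time statement only if the management key signed
// it, and only ever moves the trusted clock forward, so a replayed old
// statement cannot roll back the clock or trigger expiry on its own.
func (d *Device) ApplySignedTime(stmt []byte) error {
	if len(stmt) != 8+ed25519.SignatureSize {
		return errors.New("malformed time statement")
	}
	msg, sig := stmt[:8], stmt[8:]
	if !ed25519.Verify(d.mgmtPub, msg, sig) {
		return errors.New("time statement not signed by management key")
	}
	if t := binary.BigEndian.Uint64(msg); t > d.trustedHW {
		d.trustedHW = t
	}
	return nil
}

// NaiveExpired is the design the comment warns about: one spoofed NTP reply
// with a far-future date takes every device that trusts it offline.
func (d *Device) NaiveExpired() bool { return d.wall >= d.expiresAt }

// Expired gates the end-of-life decision on authenticated time only.
func (d *Device) Expired() bool { return d.trustedHW >= d.expiresAt }

func (d *Device) TrustedTime() uint64 { return d.trustedHW }
```

With a device built as `NewDevice(pub, 1000000)`, `ApplyNTP(2000000)` makes `NaiveExpired()` true while `Expired()` stays false until a statement signed with the matching private key carries a time at or past the expiry.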
As someone who has to support legacy systems, there is nothing more I would like to see old embedded systems die (and in some cases, incinerated and the embers crushed into the ground).
But we have to be realistic.
The main effort in systems like SCADA is the commissioning time required. You cannot just rip out a system, plug in a new box and expect everything to work as before.
Secondly who pays for this? The customer will not be happy if we say every 5 years we say you have to close your factory down for 2 weeks while we rip out all your old boxes and replace with new ones.
Finally what is the guarantee that the new box has not introduced a new security hole?
The real solution is the segmentation of the security and application code. Use Trusted boot technologies to verify the running code and ring fence the code with your security management application. Then if a new threat is introduced you only need to update the security app, leaving the hardware and application untouched.
Unfortunately at present industrial application either have no security or are very closely coupled meaning that updates are difficult and costly.
Choose your allies carefully, it is highly unlikely you will be held accountable for the actions of your enemies
A guaranteed replacement market is a wet dream for any market.
Seems like vendor lock-in and constantly running support deals are a better deal. If the crappy POS equipment dies the next one purchased might be from your competitor who actually developed their product instead of sitting on the cash piles. If the POS product instead only fails slightly you'll get endless support revenue. Bleed the sucker so dry he can't afford to replace the POS equipment.
There are a lot of cars, insurance telematics devices, security alarms, etc. sitting on mobile phone networks generating signaling and consuming radio resources. They were designed in the early days and are largely not reachable. Simply terminating the credentials in the network doesn't help - it actually makes the problem worse because the firmware on the device is often quite aggressive and keeps trying to attach. This is something that has absorbed a lot of my time combating, and there are efforts in standards bodies to address it. This approach is actually a pretty good idea IMO.
This guy has an incredibly blinkered view of "embedded devices". Most embedded devices are not connected to the Internet. Should my wristwatch, washing machine, car ignition controller, garage door opener, swimming pool pump, dumb TV, bank vault, disk drive, mouse, keyboard, etc. all die prematurely because somebody else makes a router that can be prejudiced? There are literally billions of embedded devices in the world, of which probably less than one in a thousand is connected to the internet. Yet this seems to be suggesting that we should kill a thousand devices because one /might/ be prejudiced.
Consciousness is an illusion caused by an excess of self consciousness.
I've... seen things you people wouldn't believe... Iranian centrifuges on fire off the shoulder of Orion. I watched c-beams glitter in the dark near the Ford River Rouge Assembly Plant. All those... moments... will be lost in time, like tears... in... rain.
Time... to die...
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
Unlike everyone else it seems, I think this might actually be a Good Thing if:
1) it's clearly announced up front so no-one has gripes about things going out of order, preferably with a big huge honking counter visible on the front panel
2) it's implemented in a sensible way instead of introducing a new remotely exploitable killswitch (think inkjet printers already having a waste ink pad for cleaning and keeping track of how many times it's been used)
3) most importantly, manufacturers are obliged to take care of their products in the form of security updates and so forth for the lifespan, preferably regulated by laws and/or by the threat of lawsuits if they fail to deliver
Hey, my Sega Dreamcast includes Windows CE (not the operating system itself, but libraries for compatibility) and should NOT DIE!
1. From a security standpoint, in a highly controlled environment, remote update capability is also a security risk, no matter how supposedly "secure" that capability is. The ability to configure the hardware so that hands on the device are required to apply updates is important. Physical security is easier to verify than logical security - it's much easier to inspect seals, padlocks, and security tags than it is to inspect the device firmware.
2. Flash memory is relatively cheap, especially in the small sizes needed for firmware. The hardware required to read firmware from a removable memory card is relatively inexpensive compared to the total retail price of most embedded hardware, even consumer-grade embedded hardware. Thus, firmware replacement through replacement of a CompactFlash/SD/microSD card is a viable option that can be easily designed in to these systems. The ability to remotely update that firmware could then either be omitted, or able to be disabled through jumpers, switches, etc.
3. Manufacturers need to recognize that hardware will last longer than it's designed to, and will remain in service with someone for far longer than originally intended, and plan accordingly. Releasing the firmware and documentation under suitable free software / open source licenses from day one would be ideal, but if this isn't compatible with their business model, some form of code/documentation escrow process that guarantees eventual release of the code at "end of life" would be a viable alternative which would not significantly weaken their business model.
Better still, you should have a choice: a $30 unpatchable router with a 3 year lifespan, or a $50 patchable router.
Also, if your router is found to be harboring terrorists, it should be arrested and detained indefinitely at Gitmo.
Ted Kaczynski's manifesto, "Industrial Society and Its Future," is possibly correct: technology is getting to own civilization, or rather the powers that be will inevitably use it against civilization, reducing people to the status of cattle.
http://www.foxnews.com/opinion...
Politics is Treachery, Religion is Brainwashing
Very stupid rent seeking idea - especially when it involves all those little things in dusty corners relied upon to "just work" and whatever cold spares are around in case they break.
It's equivalent to demanding that people replace thirty year old transistor radios in their kitchens and workshops.
This is based on a ridiculous premise that newer=more secure.
Who is going to pay for all of this?
What happens when someone forgets to replace some critical controller (gee, I thought your group was in charge of replacing it...)?
Also, what's In-Q-Tel's real motive? Mandating a secret back-door so that the CIA can have access to what they want? Or, are they quietly investing in Siemens, Rockwell Automation, Hitachi, and the like?
Stagnant wages for the bottom 90% of workers for 30+ years. Average CEO pay now 350+ times the average worker pay. Planned obsolescence becoming mainstream acceptable? Priceless.
Why?
Not used it, but CE seems to be a perfectly adequate embedded OS, with some degree of actual support from the developer.
Actually design these things to be RELIABLE: use languages such as Erlang; and do correctness proofs of central modules. Business applications are just hacked up, by coding them. That is not viable for real time systems. We are headed for a world in which 5% of the countless things around us are always broken or misbehaving. It will suck. Cowboy coding is going to make garbage of our tech future.
This will solve nothing. The first thing you'll do after you've pwnd one of these systems is to disable the automatic shutdown.
Power off before disconnecting connecting connector. Seen on a cash register
I am disappoint.
I've recently started to put a time tracking system in all my embedded firmwares that locks out the system after X amount of time (usually in years); the only way to clear the lockout is to send the part back to my company so we can inspect it. It's no longer suitable to use the mean life expectancy of parts as the benchmark for the life of a product; this has made it almost impossible to calculate a real end of life date. Instead it's much more practical to do what I've started and require the products to get serviced by the engineer every X amount of time.
Maybe we should realize that not everything needs to be computerized and networked and the like. Not everything needs to be "smart".
...a government actor the ability to compromise each subsequent new generation of hardware on a schedule.
Sorry, In-Q-Tel, but you really don't realize that post Snowden any information provided to the public by the Intelligence Establishment is now automatically untrustworthy, akin to Watergate? Oh, and you are part of the Intelligence Establishment, however removed you want to claim to be.
Okay, so my new device (a LeakyTech router, say) has a five-year expiry clock on it. A vulnerability is discovered a year after I buy it. It spends 80% of its lifetime completely exposed. I'm now out of pocket for the cost of a new device every five years, and I'm only protected for 20% of the time. Nice.
Or, my new device (from Securitron, this time) is actually quite secure. It takes ten years for the bad guys to find an unpatched or unpatchable hole. Five years of reliable, trustworthy use I could have had get thrown away. I've pointlessly reduced the safe, working lifetime of my electronic device by 50%, doubling my hardware cost and incurring extra downtime for no improvement in my security. Nice.
Better yet, I've gone through a couple of cycles of forced obsolescence. This time around, I've moved from the Securitron product to the LeakyTech one, and now introduced a hole in my security that wasn't there before. Either the LeakyTech device has another rapidly-discovered vulnerability - maybe it was introduced when they tried to patch their first one-year defect- or I didn't configure the new hardware properly when I was making my enforced switchover. Nice.
~Idarubicin
More DRM killswitches.
Never answer an anonymous letter. - Yogi Berra
How can the NSA plant backdoors into networked industrial controls without some sort of method to force industry to purchase new controllers on a regular basis?
So you're telling me I'm going to have to replace my perfectly good refrigerator just because the (unnecessary) gee-whiz module that lets me check its temperature on my iPhone hit its expiration date? This is a win for manufacturers and a huge loss for everyone else
Here's what I propose: make the manufacturer legally (and financially) responsible for any security incidents over the lifetime of the product. I'm sure, through the magic of the marketplace, that the vendors will suddenly discover some way to make their embedded systems either upgradable.
Or to put it another way, why the hell should I, as a manufacturer, be forced to pay, pay, and pay again for people to make updates for a cheap piece of hardware that barely covered its own cost in the first place?
Then you don't belong in the business. Find another business to get into.
Why is it that businesses get favorable treatment and are protected when their business is outdated, but when one of us peons has "outdated" skills we're screwed?
Retraining? Can't get a job without experience in THAT field or skill.
So, what's good for us peons is good for businesses.
Can't survive or make enough money with your current business model? Well, fuck you - move to another business.
This sounds more like an idea for hardware companies that want to ensure people keep buying their new stuff. It's like chipped printer cartridges.
First off.. how about just making things updateable?
Second, how about not connecting things to the internet that don't have a reason to be?
The last thing we need is yet more perfectly functional electronics sitting in the bottom of landfills.
How about we make the manufacturer either maintain support for the device or release full specs (including source and a sane build environment) to their customers and any signing keys they might need to update the things themselves.
My plan is more fair and might keep things out of the landfill rather than filling it faster.
Tire manufacturers in the US resist tires having expiration dates. Why would they mind, since that might increase demand for replacements? Distributors and retailers might mind since it means their inventory loses market value quicker than it would otherwise. Supposedly the manufacturers fear that having an expiration date will imply to consumers that their tires should last until that date. The lifetime might be set at 6 years, which is longer than most tires' tread lasts.
To some degree I'd expect this sort of thinking to apply here.
And the vast majority of Win CE devices aren't even hooked up to a network so good luck exploiting them.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
I think I've read this plot in a book. http://www.goodreads.com/book/...
I8-D
--
.nosig
Dan Geer, the CISO of In-Q-Tel is a nutjob or a scumbag trying to just figure out how to bring about a forced revenue stream. Unless he proposes that companies that do this MUST buy back the self deactivated equipment at 50% of retail price, he is simply trying to figure out how to force customers into spending more money by artificial controlled failure.
Do not look at laser with remaining good eye.
No. It doesn't.
Our shop, up until a few years ago, included some n/c milling machines with very old PC-based controllers. They worked. It was sometimes challenging to find replacement hardware when a power supply or IDE hard drive failed, but once you replaced the failed part, the DOS-based controller software did what it was supposed to do, and did it reliably and repeatedly.
If the electronics had decided it was time to die, we would have had to replace the machine it controlled, as nobody made electronics and sensors for these old machines.
Wake up! Time to die.
--Red Dwarf, "The Last Day"
Build it, and they will come^Hplain.
It's Jan 19, 2038.
Nothing wrong with IoT as such. There are somewhat easy ways to prevent sensors from spying on you while still being field-upgradeable.
So the answer to security is to load devices with a way to terminate their use, and see who exploits it first? Wow.
In the recent past, embedded devices were manufactured with data and controlled specific external technologies, but had to be updated manually (taken offline, ROM or PROM chip removed, and either reprogrammed or replaced, then put back online). There was no means of tampering or changing settings remotely. There were physical controls that could be used to change parameters, but a person had to push a button on the physical device. They could be monitored remotely (remote reporting), but not controlled remotely.
Planned obsolescence my ass ...what this guy is proposing is enforced obsolescence. Or to put it another way ...
He's proposing that we throw away the idea of purchasing electronic devices and instead pay the same amount of money for the privilege of renting its capabilities for a period of time set by the manufacturer.
I don't know about the rest of you but when I buy something I expect it to work until I want to replace it ...not for some arbitrary fixed period decided by the manufacturer.
I thought individual games had Windows CE on them, not the console. A Dreamcast game made with Sega's SDK would run Katana OS, and a game made with Microsoft's SDK would run Windows CE.
I sit here in the Cassandra suite, watching the tech community finally waking up to the reality of the world. You are starting to panic because you know none of the operating system choices you have are viable for truly secure systems. Soon you will learn about Multi-Level Secure systems, Capabilities, and other features of secure computing.
About 10 years from now, you'll get the hints the universe has dropped on you, and start implementing these systems.
About 10 years after that, some real old timers (or young punks who've read history) will point out that this stuff was actually figured out in the late 1960s, and early 1970s.
Microsoft sounded the death knell for Windows XP years ago. When the 'kill date' arrived, how many hundreds of millions of PCs were still running Windows XP? And let's face it, upgrading a general purpose computer from Windows XP to a later OS (or replacing the computer altogether) is far easier than updating or replacing embedded systems.
All this proposal would do is ensure that entire swaths of embedded platforms stop working together, rendering infrastructure unusable.
Last time somebody tried to implement scheduled end-of-life on man-made devices, people died!
http://www.grcrun11.gr - MUDA tribute
Didn't we see this scenario in Blade Runner? Will we need specialists tasked with taking out rogue hardware that has gone past its incept date? Where will the madness end?!
/// Not a super-genius . . . yet. ///
But but but... Internet of Things! Cloud! Smart grid!
I think I know you, Buzz LightKill! You'll never be rich or famous with an attitude like that.