Slashdot Mirror
Do Embedded Systems Need a Time To Die?
chicksdaddy writes: "Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption. 'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?' he wondered. Geer noted the appearance of malware like TheMoon, which spreads between vulnerable home routers, as one example of how a population of vulnerable, unpatchable embedded devices might be cobbled into a force of mass disruption. Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of 'end of life,' past which they will cease to operate. Allowing embedded systems to 'die' will remove a population of remote and insecure devices from the Internet ecosystem and prevent those devices from falling into the hands of cyber criminals or other malicious actors, Geer argued."
... change the password to something other than the default.
In-Q-Tel
Best Slashdot Co
You'll have to install custom firmware to prevent things from having to go to the dump on their third birthday?
Seems pretty ridiculous, not to mention that it can still have a hole exploited on the day they launch the device, and not be updated for years (in it's allotted lifespan).
I'm more for the option of make things easier to update, and, the important part... actually release bloody updates! I'm looking at you, almost every embedded device manufacturer out there.
Sent from my PDP-11
Imply the opposite of what is expected, without regard for reality, truth or common sense. Ex:
"'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?"
Look at this amazing thinker. Didn't he just blow your fucking mind?
My thermostat will never be connected to anything and does not need an end of life thank you very much. And I want to see the manager who will approve buying this kind of stuff.
10 ?"Hello World" life was simple then
What could possibly go wrong ? A PLC controlling a plant stopping at some random date is perfectly acceptable, right. I'm sure manufacturers will love this. A guaranteed replacement market is a wet dream for any market.
Here's a better idea. Charge anyone who ships unpatchable and unpatched hardware with sponsoring terrorism, because it's their laziness causing the problem.
Why the hell should I be forced to buy, buy, and rebuy the same god damned hardware over and over to save them from patching their shitty systems that they sell?
I do not fail; I succeed at finding out what does not work.
These are not consumer items. Industrial systems seldom live just one life, and after being decommissioned they usually go up for action to be recommissioned somewhere else. If you artificially disrupt this dynamic you cause enormous economic loss, and for what? To perpetuate a buzzword?
The entire proposal is barking up the wrong tree.
It is however a moderately interesting insight into the echo-chamber of national intelligence. Rather funny to see how Mr. Geer talks about monocultures while laying on their own lore _thick_.
All rites reversed 2010
If a device does not have a way to keep track of time (eg. in built real time clock, with backup battery that will last for the duration of the device's 'lifetime'), then it becomes vulnerable to permanent denial of service when something spoofs a fake future date and time. What happens when a hundred thousand devices go offline because someone spoofed an NTP response?
You may as well force every device to have a kill switch and remotely shut it down when it's too old. At least that'll probably require some kind of public key signature from an authenticated service (in the same way you'd authenticate a remote firmware update).
What I'm trying to say is this is one of those 'management ideas' that sounds great in the philosophical sense, but fails in technical merit.
As someone who has to support legacy systems, there is nothing more I would like to see old embedded systems die (and in some cases, incinerated and the embers crushed into the ground).
But we have to be realistic.
The main effort in systems like SCADA is the commissioning time required. You cannot just rip out a system, plug in a new box and expect everything to work as before.
Secondly who pays for this? The customer will not be happy if we say every 5 years we say you have to close your factory down for 2 weeks while we rip out all your old boxes and replace with new ones.
Finally what is the guarantee that the new box has not introduced a new security hole?
The real solution is the segmentation of the security and application code. Use Trusted boot technologies to verify the running code and ring fence the code with your security management application. Then if a new threat is introduced you only need to update the security app, leaving the hardware and application untouched.
Unfortunately at present industrial application either have no security or are very closely coupled meaning that updates are difficult and costly.
Choose your allies carefully, it is highly unlikely you will be held accountable for the actions of your enemies
There are a lot of cars, insurance telematics devices, security alarms, etc. sitting on mobile phone networks generating signaling and consuming radio resources. They were designed in the early days and largely not reachable. Simply terminating the credentials in the network doesn't help - it actually makes the problem worse because the firmware on the device is often quite aggressive and keeps trying to attach. This is something that has absorbed a lot of my time combating and there are efforts in standards bodies to address. This approach actually a pretty good idea IMO.
This guy has an incredible blinkered view of "embedded devices". Most embedded devises are not connected to the Interned. Should my wristwatch, washing machine, car ignition controller, garage door opener, swimming pool pump, dumb TV, bank vault, disk drive, mouse, keyboard, etc all die prematurely because somebody else makes a router that can be prejudiced. There are literally billions of embedded devices in the world,. of which probably less than one a thousand is connected to the internet. Yet this seems to be suggesting that we should kill a thousand devices because one /might/ be prejudiced.
Consciousness is an illusion caused by an excess of self consciousness.
I've... seen things you people wouldn't believe... Iranian cerntrifuges on fire off the shoulder of Orion. I watched c-beams glitter in the dark near the Ford River Rouge Assembly Plant. All those... moments... will be lost in time, like tears... in... rain.
Time... to die...
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
1. From a security standpoint, in a highly controlled environment, remote update capability is also a security risk, no matter how supposedly "secure" that capability is. The ability to configure the hardware so that hands on thr device are required to apply updates is important. Physical security is easier to verify than logical security - it's much easier to inspect seals, padlocks, and security tags than it is to inspect the device firmware.,
2. Flash memory is relatively cheap, especially in the small sizes needed for firmware. The hardware required to read formware from a removable memory card is relatively inexpensive compared to the total retail price of most embedded hardware, even consumer-grade embedded hardware. Thus, firmware replacement through replacement of a compactflash/sd/microsd card is a viable option that can be easily designed in to these systems. The ability to remotely update that firmware could then either be omitted, or able to be disabled through jumpers, switches, etc.
3. Manufactuers need to recognize that hardware will last longer than it's designed, and will remain in service with someone for far longer than originally intended, and plan accordingly. Releasing the firmware and documentation under suitable free software / open source licenses from day one would be ideal, but if this isn't compatable with their business model, some form of code/documentation escrow process that gurantees eventual release of the code at "end of life" would be a viable alternative which would not significantly weaken their buisness model.
Ted Kaczynski Manifesto "Industrial Society and Its Future," is possibly correct, Technology is getting to own civilization, or rather the powers that be will inevitably use it against civilization reducing people to the status of cattle
http://www.foxnews.com/opinion...
Politics is Treachery, Religion is Brainwashing
Very stupid rent seeking idea - especially when it involves all those little things in dusty corners relied upon to "just work" and whatever cold spares are around in case they break.
It's equivalent to demanding that people replace thirty year old transistor radios in their kitchens and workshops.
This is based on a ridiculous premise that newer=more secure.
Who is going to pay for all of this?
What happens when someone forgets to replace some critical controller (gee, I thought your group was in charge of replacing it...)?
Also, what's In-Q-Tel's real motive? Mandating a secret back-door so that the CIA can have access to what they want? Or, are they quietly investing in Siemens, Rockwell Automation, Hitachi, and the like?
Why?
Not used it, but CE seems to be a perfectly adequate embedded OS, with some degree of actual support from the developer.
This will solve nothing. The first thing you'll do after you've pwnd one of these systems is to disable the automatic shutdown
Power off before disconnecting connecting connector. Seen on a cash register
I've recently started to put a time tracking system in all my embedded firmwares that lock out the system after X amount of time ( usually in years ), the only way to clear the lock out is to send the part back to my company so we can inspect it. It's no longer suitable to use mean life expectancy of parts as the bench mark for the life of a product, this has made it almost impossible to calculate a real end of life date, instead it's much more practical to do what I've started and to require the products to get serviced by the engineer every X amount of time.
Maybe we should realize that not everything needs to be computerized and networked and the like. Not everything needs to be "smart".
Okay, so my new device (a LeakyTech router, say) has a five-year expiry clock on it. A vulnerability is discovered a year after I buy it. It spends 80% of its lifetime completely exposed. I'm now out of pocket for the cost of a new device every five years, and I'm only protected for 20% of the time. Nice.
Or, my new device (from Securitron, this time) is actually quite secure. It takes ten years for the bad guys to find an unpatched or unpatchable hole. Five years of reliable, trustworthy use I could have had get thrown away. I've pointlessly reduced the safe, working lifetime of my electronic device by 50%, doubling my hardware cost and incurring extra downtime for no improvement in my security. Nice.
Better yet, I've gone through a couple of cycles of forced obsolescence. This time around, I've moved from the Securitron product to the LeakyTech one, and now introduced a hole in my security that wasn't there before. Either the LeakyTech device has another rapidly-discovered vulnerability - maybe it was introduced when they tried to patch their first one-year defect- or I didn't configure the new hardware properly when I was making my enforced switchover. Nice.
~Idarubicin
More DRM killswitches.
Never answer an anonymous letter. - Yogi Berra
Better still, you should have a choice: a $30 unpatchable router with a 3 year lifespan, or a $50 patchable router.
$30 is not worth it if it is vulnerable out of the shelf when you bought it. Also, how long do you think each product would be in a store before it is sold? So no to unpatchable because the patchable is still a safer choice.
This sounds more like an idea for hardware companies that want to ensure people keep buying their new stuff. It's like chipped printer cartridges.
First off.. how about just making things updateable?
Second, how about not connecting things to the internet that don' t have a reason to be?
The last thing we need is yet more perfectly functional electronics sitting in the bottom of landfills.
How about we make the manufacturer either maintain support for the device or release full specs (including source and a sane build environment) to their customers and any signing keys they might need to update the things themselves.
My plan is more fair abnd might keep things out of the landfill rather than filling it faster.
Tire manufacturers in the US resist tires having expiration dates. Why would they mind, since that might increase demand for replacements? Distributors and retailers might mind since it means their inventory loses market value quicker than it would otherwise. Supposedly the manufacturers fear that having an expiration date will imply to consumers that their tires should last until that date. The lifetime might be set at 6 years, which is longer than most tires' tread lasts.
To some degree I'd expect this sort of thinking to apply here.
How nice of you to make that decision for everyone else. Believe it or not, it is actually possible that sometimes the more expensive, more secure option doesn't offer enough benefits to outweigh the increased costs in certain use cases.
I'm sure that my cheapo router at home doesn't meet your lofty standards of safety. I understand the potential security risks that this router poses reasonably well. I could have spent $50 extra to buy a "better" router, then spent an evening or so figuring out how to hack it so I could put your approved firmware on it. But I don't, because it's a freaking home router, and I've made a reasoned decision that the security benefits don't outweigh the extra time, money, and hassle. Maybe I'm wrong about that (though I seriously doubt it), but why shouldn't I get to make that decision?
And the vast majority of Win CE devices aren't even hooked up to a network so good luck exploiting them.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
but why shouldn't I get to make that decision
Because your "reasoned" decision apparently doesn't take into account the threat you now represent to everybody else.
I think I've read this plot in a book. http://www.goodreads.com/book/...
I8-D
--
.nosig
Dan Geer, the CISO of In-Q-Tel is a nutjob or a scumbag trying to just figure out how to bring about a forced revenue stream. Unless he proposes that companies that do this MUST buy back the self deactivated equipment at 50% of retail price, he is simply trying to figure out how to force customers into spending more money by artificial controlled failure.
Do not look at laser with remaining good eye.
Our shop, up until a few years ago, included some n/c milling machines with very old PC-based controllers. They worked. It was sometimes challenging to find replacement hardware when a power supply or IDE hard drive failed, but once you replaced the failed part, the DOS-based controller software did what it was supposed to do, and did it reliably and repeatedly.
If the electronics had decided it was time to die, we would have had to replace the machine it controlled, as nobody made electronics and sensors for these old machines.
--Red Dwarf, "The Last Day"
Build it, and they will come^Hplain.
... and don't forget the water-boarding! It will actually help in this case ...
..how about not selling a known faulty product in the first place...
world was created 5 seconds before this post as it is.
Planned obsolescence my ass ...what this guy is proposing is enforced obsolescence. Or to put it another way ...
He's proposing that we throw away the idea of purchasing electronic devices and instead pay the same amount of money for the privilege of renting it's capabilities for a period of time set by the manufacturer.
I don't know about the rest of you but when I buy something I expect it to work until I want to replace it ...not for some arbitrary fixed period decided by the manufacturer.
but why shouldn't I get to make that decision?
Because your decision accounts only your own point of view and reason. My decision accounts others' safety and not from self.
I thought individual games had Windows CE on them, not the console. A Dreamcast game made with Sega's SDK would run Katana OS, and a game made with Microsoft's SDK would run Windows CE.
I sit here in the Cassandra suite, watching the tech community finally waking up to the reality of the world. You are starting to panic because you know none of the operating system choices you have are viable for truly secure systems. Soon you will learn about Multi-Level Secure systems, Capabilities, and other features of the secure computing..
About 10 years from now, you'll get the hints the universe has dropped on you, and start implementing these systems.
About 10 years after that, some real old timers (or young punks who've read history) will point out that this stuff was actually figured out in the late 1960s, and early 1970s.
Last time somebody tried to implement scheduled end-of-life on man-made devices, people died!
http://www.grcrun11.gr - MUDA tribute
Didn't we see this scenario in Blade Runner? Will we need specialists tasked with taking out rogue hardware that has gone past its incept date? Where will the madness end?!
/// Not a super-genius . . . yet. ///