Slashdot Mirror


Do Embedded Systems Need a Time To Die?

chicksdaddy writes: "Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption. 'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?' he wondered. Geer noted the appearance of malware like TheMoon, which spreads between vulnerable home routers, as one example of how a population of vulnerable, unpatchable embedded devices might be cobbled into a force of mass disruption. Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of 'end of life,' past which they will cease to operate. Allowing embedded systems to 'die' will remove a population of remote and insecure devices from the Internet ecosystem and prevent those devices from falling into the hands of cyber criminals or other malicious actors, Geer argued."

32 of 187 comments

  1. Or you could just you know... by Narcocide · · Score: 3, Insightful

    ... change the password to something other than the default.

    1. Re:Or you could just you know... by gbjbaanb · · Score: 2

      or not have a single default password, each device could have a random one set as default (like how each has a unique MAC address for example) that's printed on the back.

      Oh, and maybe we could make control software that is designed to automatically update remotely.

      Or... radically, we could just not put a network port on them.

    2. Re:Or you could just you know... by GTRacer · · Score: 2

      Why weren't you running Openwrt?

      Because not everyone can be arsed to buy a commercial product to fill a specific need, choosing one designed for that need, and then removing core software or hardware in order to make it "open". Some people like to buy things without having to re-engineer them when they get home.

      Don't get me wrong. I rooted both my cellphones shortly after purchase, and I have a Linksys home router running custom firmware. I mod things for performance reasons or because it's interesting or enlightening. But not everyone can or should do so. In an ideal world*, the routers would have sane security by default.

      I'll take off my rose-tinted specs now and go back to yelling at the kids on my lawn.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    3. Re:Or you could just you know... by jeffmeden · · Score: 2

      Which assumes there's still someone around releasing updates

      What about an EOL date that's calculated from the date of the last update?

      No update for 12 months = EOL.

      In an enterprise that sort of management would be fine, but I for one would be pissed to hell if I came home one day and my smart TV refused to turn on because it had gone 12 months with no updates. Like most things, the expectations of performance and security differ in every application, so no single rule will ever solve this.

    4. Re:Or you could just you know... by Lumpy · · Score: 3, Informative

      And it's easy to do. Every Polycom comes with the admin password set to the serial number of the unit. Any programmer that made it out of the first year of college could easily add this feature during firmware initialization.

      --
      Do not look at laser with remaining good eye.
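
Per-unit default credentials, as an added example that is not part of the thread or any vendor's code. Lumpy describes a default password equal to the unit's serial number; gbjbaanb suggests a per-unit random default printed on the back. A serial is printed on the label, is typically sequential and is often readable over the network, so "password = serial" is only as secret as the serial. Deriving the default from a factory secret plus the serial keeps the same provisioning step during firmware initialization but makes the printed value unpredictable without the secret. `FACTORY_SECRET`, the serials and every function name below are constructed for this example.

```python
"""
Added example (not from the Slashdot thread or any vendor): three ways of
assigning a default admin password per unit, from weakest to strongest.
FACTORY_SECRET and the serial numbers are constructed sample values.
"""
import hashlib
import hmac
import secrets
import string
from typing import Dict

ALPHABET = string.ascii_letters + string.digits   # 62 label-friendly symbols
FACTORY_SECRET = b"constructed-factory-secret-not-a-real-key"


def serial_as_password(serial: str) -> str:
    """The scheme described in the thread: the default equals the serial,
    so anyone who can read the serial knows the default."""
    return serial


def random_label_password(length: int = 12) -> str:
    """gbjbaanb's approach: draw a fresh random default per unit at the
    factory and print it on the label. Nothing to derive later, but the
    factory must record it if support ever needs to reproduce it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_default_password(factory_secret: bytes, serial: str,
                            length: int = 12) -> str:
    """Derive the default from HMAC-SHA256(secret, serial || counter).
    Bytes >= 248 are rejected so that b % 62 is uniform over ALPHABET
    (248 = 4 * 62); further blocks are pulled if rejections leave us short.
    Without the factory secret the serial alone reveals nothing."""
    out = []
    counter = 0
    while len(out) < length:
        msg = f"{serial}:{counter}".encode()
        block = hmac.new(factory_secret, msg, hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < 248:
                out.append(ALPHABET[b % 62])
                if len(out) == length:
                    break
    return "".join(out)


def provision(factory_secret: bytes, serial: str) -> Dict[str, str]:
    """Factory step during firmware initialisation: compute the unit's
    default, print it on the label, store only a hash in the device.
    (A real device should use a salted, slow password hash; plain SHA-256
    keeps this example dependency-free.)"""
    pw = derive_default_password(factory_secret, serial)
    return {"serial": serial, "label_password": pw,
            "stored_hash": hashlib.sha256(pw.encode()).hexdigest()}


def check_login(stored_hash: str, submitted: str) -> bool:
    """Device side: constant-time comparison against the stored hash."""
    candidate = hashlib.sha256(submitted.encode()).hexdigest()
    return hmac.compare_digest(stored_hash, candidate)


if __name__ == "__main__":
    unit = provision(FACTORY_SECRET, "SN0001")
    print("label:", unit["label_password"])
    print("serial accepted as password?", check_login(unit["stored_hash"], "SN0001"))
```

The derived variant is the one worth copying: the factory never has to store a per-unit password, support can regenerate a label from the serial if the secret is held in an HSM, and the device itself never needs the factory secret, only the hash.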
    5. Re:Or you could just you know... by hairyfeet · · Score: 2

      I have thrown away 4 or 5 routers in the past 2 years (and gotten a nice service call fee for doing so) thanks to guys like you saying that shit only for OpenWRT to totally brick the router...thanks, keep up the good work!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:Or you could just you know... by Linsaran · · Score: 2

      OpenWRT is so fucking easy to install and configure (easier than some consumer out-of-the-box experiences, even) that there really is no excuse if you expect a secure local network.

      No. It's not. To you, or the typical computer tech-savvy /. reader, maybe; but we're not average consumers. My father-in-law is well above average in that he bought a Linksys router rather than depend on the FIOS installed default, and he actually changed the password, but he's not going to reflash it any more than I'm going to rebore my car engine's cylinders with a hand drill. And the various older neighbors who I assist with network stuff, who think the Internet is broken if a web site changes its format, would have no clue whatever.

      The REAL question we should all be asking is, If OpenWRT can be so much better, then why is the commercial stuff *not* better?

      Step 1, find out what runs on your router (at wikidevi or similar) step 2, download the firmware image (there are even multiple forums with helpful folks to ask if you aren't 100% sure) step 3, flash it the same way you would a normal firmware update, step 4 change the default password, and enjoy your new LAN! The only excuse is not knowing... there is no actual technical knowledge required, just basic keyboard/mouse skills, and reading comprehension.

      Step 1, presumes that people are aware there are alternative firmwares for their router, which most non-technical people would not realize, if they even know what a firmware is in the first place.

      Step 2, presumes that people can navigate a forum, or possibly multiple forums to find the link to a file that they're looking for. Considering how many people must click on those stupid 'download now' ads that end up on half the file managers out there, and end up with some spyware laden crap on their machine when they were looking for a driver or some nonsense, I don't trust non-technically inclined people to figure that out either.

      Step 3, presumes they know how to do a normal firmware update, again non-technical people might not even know what firmware is.

      Step 4, most non-technical people have less issue with whether something is secure, and more issue with whether something works. The reason so many people use dumb ass passwords like 'password1' is because they're easy for them to remember. They either don't realize that password1 is a bad password, or they don't care as long as it's easy for them to remember.

      TL;DR people want stuff that works, and doesn't require they reinvent the wheel to make it work. In their mind a commercial router should work out of the box, without needing to do open heart surgery on it.

      --
      In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
    7. Re:Or you could just you know... by jrumney · · Score: 4, Insightful

      The issue is when there are exploitable bugs found and the device cannot/won't be updated.

      And how do you predict when that would be?

      Does it help at all when I design my embedded device self destruct on 14 May 2019, if the next Heartbleed type bug affecting it is found tomorrow?

      Are my customers going to come back and buy from me again if it is still rock solid with no known bugs on the day I choose for it to expire, and word quickly gets around that everyone's device was preprogrammed to die on that day?

    8. Re:Or you could just you know... by AdamHaun · · Score: 4, Insightful

      OpenWRT is so fucking easy to install and configure (easier than some consumer out-of-the-box experiences, even) that there really is no excuse if you expect a secure local network ... there is no actual technical knowledge required, just basic keyboard/mouse skills, and reading comprehension.

      I think you're *wildly* overestimating the skill and confidence of the average home network user and the quality of open source project web sites. Let me walk you through the hidden minefield in your instructions. I'll use a Linksys WRT150N for reference.

      The real Step 1 is "realize that I'm supposed to install OpenWrt, and understand what that means". Most users have little to no idea of how the router actually works, so the idea of upgrading the firmware is not an obvious one.

      But let's say someone tells them to do it. They go to the OpenWrt web site. The second sentence under "What is OpenWrt?" is "Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management.". Many users will be too terrified to proceed beyond this point. But let's say they make it to the Table of Hardware, and skip past the text about developer snapshots and hardware VLANs and the note from 2009 saying that the page might not be up to date. (That's not realistic -- many users expect to read sequentially.) Instead of a column that says "yes, this router is supported", there's a column named "Status" that gives the first OpenWrt version that supports the router. Next to that there's a column named "Version" that is undefined. I'm assuming it's the router version, but many users could get confused. But the important column is the "Target" column, which lists the specific OpenWrt platform that users should (but probably won't) remember for later. There are two targets for the WRT150N and no indication of which to choose. One of them no longer exists in the current version.

      Clicking on the model number in the table gives me an unorganized series of notes from various users. One of them, "An account of flashing OpenWrt to a WRT150N", sounds sort of like installation instructions, but is too brief and technical to be of any use. It does have a working download link, but it's to a version that's five years old. The one after that suggests that one target option (the nonexistent one) is better than the other. None of this is in clear newbie-friendly language and it's all after pages of Linux log dumps. If they land on this page, most users will probably click the back button as fast as they can.

      Alternately, we could do it your way:

      Step 1, find out what runs on your router (at wikidevi or similar)

      That's somewhat better, but they still have to read through a dense, abbreviation-heavy table of technical specs. (That's after they figure out they need to search for their router's model number and not "Linksys".) At least there's a simple indication that OpenWrt supports the router. But how would they know to go to WikiDevi? I hadn't even heard of it before today. And most importantly, how would they figure out which target to use, or even that targets exist?

      step 2, download the firmware image

      Now we're in for some fun! There's a download link at the top of the OpenWrt site. Clicking on it gives me a directory listing. None of the directory names look like they contain software to download, even to me. On the right side of the OpenWrt main page there's another download link for the latest release. This gives another directory listing. (Apparently the correct directory is /attitude_adjustment/12.09.) Now there's a list of subdirectories that look (to me) like p

      --
      Visit the
  2. Dan Geer, the CISO of In-Q-Tel, by wiredog · · Score: 5, Informative

    In-Q-Tel

    The IQT Mission

    We identify, adapt, and deliver innovative technology solutions to support the missions of the Central Intelligence Agency and broader U.S. Intelligence Community.

    1. Re:Dan Geer, the CISO of In-Q-Tel, by cusco · · Score: 2

      OK, this makes more sense. Only true morons of that caliber could imagine that ripping and replacing the control system for a power dam, the guts of a multimillion dollar CNC mill, or the access control system for an entire enterprise every few years was a good thing. Know how long it takes to update the embedded firmware on a reader board over RS-485? Fifteen to forty five minutes. Each door. I've worked in enterprises with as many as 21000 reader panels.

      Not just "NO", but "NO FUCKING WAY, NO!"

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  3. Terrible idea by mirix · · Score: 4, Informative

    You'll have to install custom firmware to prevent things from having to go to the dump on their third birthday?

    Seems pretty ridiculous, not to mention that it can still have a hole exploited on the day they launch the device, and not be updated for years (in its allotted lifespan).

    I'm more for the option of make things easier to update, and, the important part... actually release bloody updates! I'm looking at you, almost every embedded device manufacturer out there.

    --
    Sent from my PDP-11
    1. Re:Terrible idea by dbIII · · Score: 2

      I have a hen which has decent hardware, but the software is stuck in the past.

      Eggsactly.

    2. Re:Terrible idea by wolrahnaes · · Score: 2

      I thought so too and selected Nexus 5, but since purchase in January, it has got only one system update and that happened on the first day I used the phone. It seems that Google cares about bugs on already sold devices as much as anybody else in the industry.

      Android itself has not seen an update since then. The Nexus 5 initially shipped with 4.4.0 and got both 4.4.1 and 4.4.2 as soon as they were publicly announced. When Android 4.4.3 comes out (apparently soon) you're basically guaranteed to be the first device for which it's available.

      Compare this to all the other phone vendors, who at least in the case of the large ones you know have had access to 4.4.3 for some time, where most devices still aren't on 4.4.2. Where devices are still being *launched* brand new and out of date the moment they're available.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
  4. How to sound deep by kruach+aum · · Score: 2

    Imply the opposite of what is expected, without regard for reality, truth or common sense. Ex:

    "'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?"

    Look at this amazing thinker. Didn't he just blow your fucking mind?

    1. Re:How to sound deep by roninmagus · · Score: 2

      There's also what I refer to as the "lone voice in the wilderness" effect. Whereby, whatever the issue, if someone simply states that they have an "inexpressible doubt" in something then they will seem to be the smartest person in the room. This is used quite often in political debates. It's also quite effective for opening up "I told you so" options later, when they never really told anyone anything.

  5. my thermostat by spectrokid · · Score: 3, Insightful

    My thermostat will never be connected to anything and does not need an end of life thank you very much. And I want to see the manager who will approve buying this kind of stuff.

    --

    10 ?"Hello World" life was simple then

  6. Planned obsolescence by Melkman · · Score: 4, Interesting

    What could possibly go wrong? A PLC controlling a plant stopping at some random date is perfectly acceptable, right? I'm sure manufacturers will love this. A guaranteed replacement market is a wet dream for any market.

    1. Re:Planned obsolescence by Vlad_the_Inhaler · · Score: 2

      I think *that* is the main point of this idea, security is just a way of selling it.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
  7. Here's a better idea by msobkow · · Score: 5, Interesting

    Here's a better idea. Charge anyone who ships unpatchable and unpatched hardware with sponsoring terrorism, because it's their laziness causing the problem.

    Why the hell should I be forced to buy, buy, and rebuy the same god damned hardware over and over to save them from patching their shitty systems that they sell?

    --
    I do not fail; I succeed at finding out what does not work.
  8. Absolutely not by Ceriel+Nosforit · · Score: 4, Insightful

    These are not consumer items. Industrial systems seldom live just one life, and after being decommissioned they usually go up for auction to be recommissioned somewhere else. If you artificially disrupt this dynamic you cause enormous economic loss, and for what? To perpetuate a buzzword?

    The entire proposal is barking up the wrong tree.

    It is however a moderately interesting insight into the echo-chamber of national intelligence. Rather funny to see how Mr. Geer talks about monocultures while laying on their own lore _thick_.

    --
    All rites reversed 2010
  9. What about devices with no RTC? by pipedwho · · Score: 4, Insightful

    If a device does not have a way to keep track of time (e.g. a built-in real time clock, with a backup battery that will last for the duration of the device's 'lifetime'), then it becomes vulnerable to permanent denial of service when something spoofs a fake future date and time. What happens when a hundred thousand devices go offline because someone spoofed an NTP response?

    You may as well force every device to have a kill switch and remotely shut it down when it's too old. At least that'll probably require some kind of public key signature from an authenticated service (in the same way you'd authenticate a remote firmware update).

    What I'm trying to say is this is one of those 'management ideas' that sounds great in the philosophical sense, but fails in technical merit.

    1. Re:What about devices with no RTC? by RDW · · Score: 3, Insightful

      Simple enough. Skip the clock entirely, and let the battery itself be the "clock". The battery dies, and the device no longer operates. It's not particularly difficult to design a system with an embedded, non-rechargeable battery that lasts for a specified lifespan. There may be some variability in that time, but you can get close enough this way to kill off neglected devices by a certain point.

      Take out 'non-rechargeable' and this is pretty much Apple's business model.
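
An added example, not from the thread or any product, that joins two points made in this thread: jeffmeden's rule further up ("No update for 12 months = EOL", counted from the last update the device received) and pipedwho's objection that a device with no trustworthy clock can be shut down by anyone who spoofs a future date, an NTP reply for instance. The device below refuses to act on a time statement unless it is authenticated and not earlier than the last update it already accepted. pipedwho suggests a public-key signature from an authenticated service; to stay runnable with only the standard library this uses an HMAC under a per-device key provisioned at manufacture, which is an assumption of the example, not a description of any product. `DEVICE_KEY`, the dates and all function names are constructed.

```python
"""
Added example (not from the thread or any product): an "EOL after 12
months without an update" check that only trusts authenticated time.
DEVICE_KEY, the timestamps and the scenarios are constructed sample data.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

EOL_GRACE = timedelta(days=365)             # the "12 months" from the thread
DEVICE_KEY = b"constructed-per-device-key-0001"


def _tag(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue(key: bytes, kind: str, when: datetime) -> Tuple[bytes, str]:
    """Service side (constructed): emit an 'update' or 'time' statement."""
    payload = json.dumps({"type": kind, "unix": int(when.timestamp())},
                         sort_keys=True).encode()
    return payload, _tag(key, payload)


def verify(key: bytes, payload: bytes, tag: str, kind: str) -> Optional[datetime]:
    """Device side: accept the statement only if its tag and type check out."""
    if not hmac.compare_digest(_tag(key, payload), tag):
        return None
    stmt = json.loads(payload)
    if stmt.get("type") != kind:
        return None
    return datetime.fromtimestamp(stmt["unix"], tz=timezone.utc)


def decide(key, update_payload, update_tag, time_payload, time_tag,
           grace: timedelta = EOL_GRACE) -> str:
    """Return 'run', 'expired' or 'run-untrusted-time'.

    An unauthenticated time claim, or one that rolls the clock back before
    the last accepted update, is ignored and the device keeps running: a
    spoofed clock must never be able to brick it."""
    last_update = verify(key, update_payload, update_tag, "update")
    if last_update is None:
        return "run"            # no genuine update record: fail open, not dead
    now = verify(key, time_payload, time_tag, "time")
    if now is None or now < last_update:
        return "run-untrusted-time"
    return "expired" if now - last_update > grace else "run"


# Constructed scenario: the last genuine update was signed on 1 May 2014.
UPDATE = issue(DEVICE_KEY, "update", datetime(2014, 5, 1, tzinfo=timezone.utc))


def scenario_recent() -> str:
    """Authenticated time six months after the update: still supported."""
    t = issue(DEVICE_KEY, "time", datetime(2014, 11, 1, tzinfo=timezone.utc))
    return decide(DEVICE_KEY, *UPDATE, *t)


def scenario_stale() -> str:
    """Authenticated time fifteen months after the update: expired."""
    t = issue(DEVICE_KEY, "time", datetime(2015, 8, 1, tzinfo=timezone.utc))
    return decide(DEVICE_KEY, *UPDATE, *t)


def scenario_spoofed_future() -> str:
    """A far-future date pushed by someone without the key: ignored."""
    payload = json.dumps({"type": "time", "unix": 4102444800},   # 2100-01-01
                         sort_keys=True).encode()
    return decide(DEVICE_KEY, *UPDATE, payload, "00" * 32)


def scenario_rollback() -> str:
    """A genuine but old time statement replayed: rejected as rollback."""
    t = issue(DEVICE_KEY, "time", datetime(2013, 1, 1, tzinfo=timezone.utc))
    return decide(DEVICE_KEY, *UPDATE, *t)


if __name__ == "__main__":
    for s in (scenario_recent, scenario_stale, scenario_spoofed_future, scenario_rollback):
        print(f"{s.__name__:24s} -> {s()}")
```

The design choice worth noting is that every path where the device cannot establish trustworthy inputs resolves to "keep running": the rule can only retire a device on evidence it has verified, which is exactly what an unauthenticated NTP reply is not.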

  10. Sympathy, but no go by gnalre · · Score: 5, Insightful

    As someone who has to support legacy systems, there is nothing I would like more than to see old embedded systems die (and in some cases, incinerated and the embers crushed into the ground).

    But we have to be realistic.

    The main effort in systems like SCADA is the commissioning time required. You cannot just rip out a system, plug in a new box and expect everything to work as before.

    Secondly, who pays for this? The customer will not be happy if we say every 5 years you have to close your factory down for 2 weeks while we rip out all your old boxes and replace them with new ones.

    Finally what is the guarantee that the new box has not introduced a new security hole?

    The real solution is the segmentation of the security and application code. Use Trusted boot technologies to verify the running code and ring fence the code with your security management application. Then if a new threat is introduced you only need to update the security app, leaving the hardware and application untouched.

    Unfortunately at present industrial applications either have no security or are very closely coupled, meaning that updates are difficult and costly.

    --
    Choose your allies carefully, it is highly unlikely you will be held accountable for the actions of your enemies
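
A toy model of the architecture gnalre describes, added here as an example that is not from the thread or any product. Each partition (the application image and the security app) is hashed into a versioned manifest; the boot stage verifies the manifest's tag and every hash before running anything, and refuses manifests older than the last one it accepted. Because the security app lives in its own partition, an update replaces only that image and re-issues the manifest, leaving the application image and the hardware untouched. The manifest tag is an HMAC under a key burned in at manufacture, standing in for a real verified-boot signature; `BOOT_KEY`, the images and the function names are constructed for this example.

```python
"""
Added example (not from the thread or any product): manifest-based trusted
boot with the security app in a separately updatable partition.
BOOT_KEY and the partition images are constructed sample data.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

BOOT_KEY = b"constructed-boot-key"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(key: bytes, partitions: Dict[str, bytes],
                  version: int) -> Tuple[bytes, str]:
    """Build stage (constructed): hash every partition into a versioned manifest."""
    manifest = {"version": version,
                "hashes": {name: _sha256(img) for name, img in partitions.items()}}
    payload = json.dumps(manifest, sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_boot(key: bytes, payload: bytes, tag: str,
                partitions: Dict[str, bytes], min_version: int) -> Optional[str]:
    """Boot stage: return None if everything verifies, else the reason."""
    expected_tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return "manifest-tag"
    manifest = json.loads(payload)
    if manifest["version"] < min_version:
        return "rollback"                # older manifest than the last accepted
    expected = manifest["hashes"]
    if set(expected) != set(partitions):
        return "partition-set"           # image missing or unexpected extra image
    for name in sorted(expected):
        if not hmac.compare_digest(_sha256(partitions[name]), expected[name]):
            return name                  # first partition whose hash differs
    return None


def update_security_app(key: bytes, partitions: Dict[str, bytes],
                        payload: bytes, new_image: bytes):
    """Replace only the security partition and re-issue the manifest with a
    higher version; the application image is not touched."""
    version = json.loads(payload)["version"]
    new_parts = dict(partitions)
    new_parts["security"] = new_image
    new_payload, new_tag = sign_manifest(key, new_parts, version + 1)
    return new_parts, new_payload, new_tag


# Constructed images standing in for real firmware partitions.
PARTS_V1 = {"application": b"plc-control-logic-v1", "security": b"security-app-v1"}
MANIFEST_V1 = sign_manifest(BOOT_KEY, PARTS_V1, 1)


def scenario_clean() -> Optional[str]:
    return verify_boot(BOOT_KEY, *MANIFEST_V1, PARTS_V1, min_version=1)


def scenario_tampered_app() -> Optional[str]:
    tampered = dict(PARTS_V1, application=b"plc-control-logic-v1-modified")
    return verify_boot(BOOT_KEY, *MANIFEST_V1, tampered, min_version=1)


def scenario_security_update() -> Tuple[Optional[str], Optional[str]]:
    """Update only the security app, then check that the new state boots and
    that the old manifest no longer does (anti-rollback)."""
    parts2, payload2, tag2 = update_security_app(
        BOOT_KEY, PARTS_V1, MANIFEST_V1[0], b"security-app-v2")
    ok = verify_boot(BOOT_KEY, payload2, tag2, parts2, min_version=2)
    rolled = verify_boot(BOOT_KEY, *MANIFEST_V1, PARTS_V1, min_version=2)
    return ok, rolled


if __name__ == "__main__":
    print("clean boot:", scenario_clean())
    print("tampered application:", scenario_tampered_app())
    print("after security update (new, old):", scenario_security_update())
```

What the separation buys is visible in `update_security_app`: only one partition image and the manifest change, so the commissioning effort gnalre mentions is not repeated for the application, while `verify_boot` still refuses to run a modified application image or a replayed older manifest.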
  11. This is actually already a big problem by StephenBryant396 · · Score: 4, Interesting

    There are a lot of cars, insurance telematics devices, security alarms, etc. sitting on mobile phone networks generating signaling and consuming radio resources. They were designed in the early days and largely not reachable. Simply terminating the credentials in the network doesn't help - it actually makes the problem worse because the firmware on the device is often quite aggressive and keeps trying to attach. This is something that has absorbed a lot of my time combating, and there are efforts in standards bodies to address it. This approach is actually a pretty good idea IMO.

  12. Blinkered by AlecC · · Score: 4, Informative

    This guy has an incredibly blinkered view of "embedded devices". Most embedded devices are not connected to the Internet. Should my wristwatch, washing machine, car ignition controller, garage door opener, swimming pool pump, dumb TV, bank vault, disk drive, mouse, keyboard, etc. all die prematurely because somebody else makes a router that can be prejudiced? There are literally billions of embedded devices in the world, of which probably less than one in a thousand is connected to the internet. Yet this seems to be suggesting that we should kill a thousand devices because one /might/ be prejudiced.

    --
    Consciousness is an illusion caused by an excess of self consciousness.
  13. Ridiculous premise by mschaffer · · Score: 3, Insightful

    This is based on a ridiculous premise that newer=more secure.

    Who is going to pay for all of this?
    What happens when someone forgets to replace some critical controller (gee, I thought your group was in charge of replacing it...)?

    Also, what's In-Q-Tel's real motive? Mandating a secret back-door so that the CIA can have access to what they want? Or, are they quietly investing in Siemens, Rockwell Automation, Hitachi, and the like?

  14. Another Solution by McDrewbie · · Score: 2

    Maybe we should realize that not everything needs to be computerized and networked and the like. Not everything needs to be "smart".

  15. Time-based end of life not very helpful by Idarubicin · · Score: 3, Insightful

    Okay, so my new device (a LeakyTech router, say) has a five-year expiry clock on it. A vulnerability is discovered a year after I buy it. It spends 80% of its lifetime completely exposed. I'm now out of pocket for the cost of a new device every five years, and I'm only protected for 20% of the time. Nice.

    Or, my new device (from Securitron, this time) is actually quite secure. It takes ten years for the bad guys to find an unpatched or unpatchable hole. Five years of reliable, trustworthy use I could have had get thrown away. I've pointlessly reduced the safe, working lifetime of my electronic device by 50%, doubling my hardware cost and incurring extra downtime for no improvement in my security. Nice.

    Better yet, I've gone through a couple of cycles of forced obsolescence. This time around, I've moved from the Securitron product to the LeakyTech one, and now introduced a hole in my security that wasn't there before. Either the LeakyTech device has another rapidly-discovered vulnerability - maybe it was introduced when they tried to patch their first one-year defect - or I didn't configure the new hardware properly when I was making my enforced switchover. Nice.

    --
    ~Idarubicin
  16. Oh great. by funwithBSD · · Score: 3, Insightful

    More DRM killswitches.

    --
    Never answer an anonymous letter. - Yogi Berra
  17. What a waste by morgauxo · · Score: 2

    This sounds more like an idea for hardware companies that want to ensure people keep buying their new stuff. It's like chipped printer cartridges.

    First off.. how about just making things updateable?

    Second, how about not connecting things to the internet that don't have a reason to be?

    The last thing we need is yet more perfectly functional electronics sitting in the bottom of landfills.

  18. Re:Better still by Imagix · · Score: 2

    but why shouldn't I get to make that decision

    Because your "reasoned" decision apparently doesn't take into account the threat you now represent to everybody else.