Slashdot Mirror


The Coming IT Nightmare of Unpatchable Systems

snydeq (1272828) writes "Insecure by design and trusted by default, embedded systems present security concerns that could prove crippling if not addressed by fabricators, vendors, and customers alike, InfoWorld reports. Routers, smart refrigerators, in-pavement traffic-monitoring systems, or crop-monitoring drones — 'the trend toward systems and devices that, once deployed, stubbornly "keep on ticking" regardless of the wishes of those who deploy them is fast becoming an IT security nightmare made real, affecting everything from mom-and-pop shops to power stations. This unpatchable hell is a problem with many fathers, from recalcitrant vendors to customers wary of — or hostile to — change. But with the number and diversity of connected endpoints expected to skyrocket in the next decade, radical measures are fast becoming necessary to ensure that today's "smart" devices and embedded systems don't haunt us for years down the line.'"

5 of 240 comments

  1. Re:This "nightmare" rings a bell by ZouPrime · · Score: 5, Insightful

    The lesson wasn't learned, but the problem was somewhat mitigated. Big software companies adopted regular patch cycles and deployed patch management tools on their customers. It kinda worked because PCs are powerful computers well designed to be upgraded and modified.

    This is not the case for many embedded systems. They are designed to be installed and then you forget about them. So the "classic" mitigation technique doesn't work. This is a big problem.

  2. Re:Nightmare of Slashdot ads sending me to viruses by david.emery · · Score: 5, Funny

    Well, that would be less of a problem if you didn't surf SlashDot using your refrigerator or crop-monitoring drone...

  3. Re:This "nightmare" rings a bell by NoNonAlphaCharsHere · · Score: 5, Interesting

    Different nightmare. The Y2K embedded system nightmare was systems that wouldn't know what to do when the clock rolled over. By and large, the doomsayers were completely wrong. The current problem is *Internet enabled* embedded systems, easily hackable, out of warranty, out of support, manufacturer TU, owner/deployer isn't even sure how many they have, or where they're located, etc., etc. Picture making a botnet out of all the traffic light controllers, or the elevator controllers, or smart water meters, or internet toasters.

  4. Re:This "nightmare" rings a bell by Penguinisto · · Score: 5, Insightful

    They are designed to be installed and then you forget about them. So the "classic" mitigation technique doesn't work. This is a big problem.

    Hell, I thought the "classic" mitigation schemata for embedded devices was to not have them networked at all, leaving them to run for years (decades?) on end.
    (See also the hordes of NT Telecom PBXes out there which are likely still around, requiring a goofball proprietary connection to a computer running OS/2 (!?) in order to patch it (or more commonly, you did it to add new/licensed features or to fix something gone corrupt).)

    Therein lies the whole problem with the paradigm, truth be told - originally, embedded devices didn't communicate with jack shit - you unpacked it, turned it on, maybe configured it, and then you forget that it existed until it broke (at which time the vendor/contractor sent someone out to fix it), or got replaced.

    All that said, hell, we already have a testbed for this nightmare - an ocean of smartphones whose carriers and manufacturers ceased to give a crap whether their wares ever got upgraded.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  5. Re:The poster is showing his prejudice. by plover · · Score: 5, Informative

    I don't mind smart appliances - but again, I don't see why they need internet access. The exceptions to this (smart TVs, for example) should be viewed with suspicion specifically because they are likely to be connected to the internet in some way, but my smart refrigerator probably shouldn't be - and ATMs, slot machines, SCADA systems, etc. almost certainly should never be.

    Just because you haven't encountered a specific example for yourself doesn't mean they don't exist in the real world.


    • The TV? Netflix, of course.

    • The Blu-ray player? New keys for new disks, and to unlock "extra special downloadable content" (whatever that may be.)

    • The thermostat? You're coming home from summer vacation and want to turn on the A/C a few hours before you arrive.

    • The laundry machines? You're upstairs, out of earshot of the dryer, and want to know when the load is done so you can hang up your clothes to prevent wrinkles.

    • The smart refrigerator? Maybe you're having a problem, and need the technician to connect to it to remotely diagnose it and give you an estimate without making an expensive house call.

    • The freeze alarms? You're out of town during the winter, and want to be alerted if your house temperature drops to the point where it's threatening to freeze your water pipes, so you can call a neighbor for help or a repairman to fix the furnace.

    • The door camera, locks, and security alarms? You're still out of town and want to let the repairman in, so you look at the ID he holds up to the camera and remotely unlock the door for him.

    • The window shades? They're located high up in the skylights where you installed a motorized system to operate them, so it was a small additional expense to add a remote control. And as today may be very sunny, you want to close them while at work to keep the house cooler.

    • The dishwasher? It might need to know the scheduled price of electricity in order to avoid running during peak rates, and save you money.

    These are not made up examples - they happen every day. If someone already has the connectivity, and pays for the equipment to have the capabilities, there's no reason they shouldn't also enjoy the convenience.

    Note that this is true whether or not you personally think it's a good idea to connect your washing machine to the internet: the reality is Sally Soccermom and Charlie Cuttingedge already have houses full of this tech. You can buy all this stuff at Best Buy and Home Depot and Verizon today.

    Of all of these systems, most are designed and built with a remote update mechanism. Some that aren't (door locks, freeze alarms) are generally run through a home automation controller that is itself updatable; so even if you can't remotely patch your freeze alarm, you can at least patch the controller that interfaces with the network. Also of note, most are aware of the typical home firewall configuration, and are designed to "phone home" to check for updates. They generally don't sit on the raw internet and listen for incoming connections, so the attacker generally has to get inside the firewall to abuse them (which is not that big of a problem for many models of firewalls, that's for sure.)

    --
    John
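The last comment draws the practical line: a device that only phones home for updates is a different risk from one that accepts inbound connections from the WAN, and the earlier comment about deployers not knowing how many devices they have is the inventory half of the same problem. The script below is an added example (not code from the thread, from Slashdot or from the InfoWorld article) that turns those two points into a check over firewall flow logs. Everything in it is assumed: the one-line-per-flow log format, the ALLOW/BLOCK actions, the in/out direction field, the IP-to-name inventory and the sample log lines are all constructed for illustration, and any outbound flow is treated as a proxy for "can still reach its vendor", which a real deployment would tighten to known update endpoints.

```python
"""Triage embedded devices behind a SOHO firewall from its flow log.

Added example, not from the Slashdot thread or the InfoWorld article.
Assumed (hypothetical) log format, one flow per line:
  <ISO time> <ALLOW|BLOCK> <in|out> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
"in"  = connection initiated from the WAN side
"out" = connection initiated from the LAN side (the "phone home" case)
"""
import re
from datetime import datetime, timedelta

# Constructed asset inventory: LAN address -> device name (not real data).
INVENTORY = {
    "192.168.1.20": "smart-tv",
    "192.168.1.21": "thermostat",
    "192.168.1.22": "ip-camera",
    "192.168.1.23": "dishwasher",
}

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
2014-06-01T02:00:00 ALLOW out 192.168.1.20:50123 -> 203.0.113.10:443 tcp
2014-06-01T02:05:00 ALLOW out 192.168.1.21:40001 -> 198.51.100.5:443 tcp
2014-06-01T03:00:00 ALLOW in 198.51.100.77:51000 -> 192.168.1.22:80 tcp
2014-06-01T03:00:05 ALLOW in 198.51.100.77:51001 -> 192.168.1.22:554 tcp
2014-06-02T02:00:00 ALLOW out 192.168.1.20:50124 -> 203.0.113.10:443 tcp
2014-06-02T09:00:00 BLOCK in 192.0.2.9:6000 -> 192.168.1.23:23 tcp
not a flow line at all
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|BLOCK) (?P<dir>in|out) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_flow(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["ts"] = datetime.fromisoformat(f["ts"])
    f["sport"] = int(f["sport"])
    f["dport"] = int(f["dport"])
    return f


def triage(log_text, inventory, now, stale_after=timedelta(days=7)):
    """Per device: WAN ports it accepted (exposed), WAN ports that were blocked
    (probed), its most recent outbound flow, and whether that is older than
    stale_after (so it may no longer be fetching updates at all)."""
    state = {
        name: {"exposed": set(), "probed": set(), "last_out": None}
        for name in inventory.values()
    }
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is None:
            continue  # malformed or unrelated line; skipped, not fatal
        if f["dir"] == "out" and f["src"] in inventory:
            dev = state[inventory[f["src"]]]
            if dev["last_out"] is None or f["ts"] > dev["last_out"]:
                dev["last_out"] = f["ts"]
        elif f["dir"] == "in" and f["dst"] in inventory:
            dev = state[inventory[f["dst"]]]
            # An ALLOWed inbound flow means the device is reachable from the
            # raw internet, the case the comment above says should be rare.
            dev["exposed" if f["action"] == "ALLOW" else "probed"].add(f["dport"])

    report = {}
    for name, dev in state.items():
        last = dev["last_out"]
        report[name] = {
            "exposed_ports": sorted(dev["exposed"]),
            "probed_ports": sorted(dev["probed"]),
            "last_phone_home": last.isoformat() if last else None,
            "stale": last is None or now - last > stale_after,
        }
    return report


def run_sample():
    """Run the triage over the constructed log as of a fixed 'now'."""
    return triage(SAMPLE_LOG, INVENTORY, now=datetime(2014, 6, 9))


if __name__ == "__main__":
    for name, r in run_sample().items():
        flags = []
        if r["exposed_ports"]:
            flags.append("EXPOSED on %s" % r["exposed_ports"])
        if r["probed_ports"]:
            flags.append("probed on %s" % r["probed_ports"])
        if r["stale"]:
            flags.append("no recent phone-home")
        print("%-12s last outbound %-20s %s" % (name, r["last_phone_home"], "; ".join(flags)))
```

Two devices come out the way the comment describes as the normal case (the TV and thermostat only initiate outbound connections), while the camera is the bad case: it never phones home and has accepted WAN connections on two ports, so nothing is patching it and anyone on the internet can reach it. The dishwasher has only been probed, but with no outbound traffic in the window it is also a candidate for the "nobody is updating this" pile.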