Ask Slashdot: How Do You Handle Hardware That Never Gets Software Updates? (hpe.com)
New submitter pgralla writes from a report via HPE: Many devices, designed for both long-term and short-term use, were shortsighted when it came to flexibility. How do you handle the hardware that never gets software updates, such as embedded systems and task-dedicated equipment? The article that pgralla shared provides the example of medical devices running Windows 7. "Many of the current generation, when they were first released, used Windows 7, and the devices still work well enough that they remain in service today," reports HPE. "But Microsoft ended mainstream support for Windows 7 back in January 2015, so the operating system gets updated only with an occasional security patch as part of Microsoft's extended support. In January 2020, that extended support will end as well." Many IoT devices are in a similar boat as they're powered by embedded Linux and are not designed to be updated after they enter service.
Of course, these outdated devices create all sorts of security concerns. "Hackers and their access to knowledge and computing power only go up as the years pass, which means that long-lived, fixed-firmware devices become ever more insecure over time," says Michael Barr, founder of the Barr Group, which provides engineering and consulting services for the embedded systems industry. The WannaCry ransomware hack in 2017 affected not just PCs but also medical devices, and ended up costing businesses $4 billion.
I have a number of Rohde and Schwarz FSEB and FSEA spectrum analyzers. These cost at least $80,000 new (I bought them used for a few thousand at most). They come with an old version of Windows. I similarly have other electronic test equipment with old Windows or even old Linux which the manufacturer doesn't update any longer. For the Linux-based ones I could hack in a new Linux and make it use the old ABI, forget about Windows.
But what really clued me in was that the Rohde and Schwarz equipment had a battery soldered on the CPU board, and it was an hour-and-a-half service to get to it. A lot of stuff had to be removed.
Similarly, my Tektronix 500-series oscilloscopes had two 40-pin DIP Dallas Semiconductor battery-backed memory and clock chips. The batteries in these die and they aren't socketed. When the batteries die, the 'scopes lose their calibration. The company won't give you the program to recalibrate them.
The manufacturers just want you to buy new ones.
So, obviously I back SDR-based test equipment that's Open Source. Who needs a company that wants to screw you?
Bruce Perens.
Most dedicated systems like this do not belong on the internet, period. So unless there is some flaw or feature need, don't update and it will still work exactly as it did yesterday. And the day before, and the day before that.
A basic principle of security is least privilege. If a piece of outdated equipment needs to send UDP packets on port 411 to a monitoring station, you set the firewall to allow it to send UDP on port 411 to that particular station, and nothing else. If it doesn't need to talk to web servers, you don't let it talk to web servers. You allow it to do only exactly what it needs to do.
Not sure what your equipment needs to do? You could check the manual, and otherwise open up Wireshark and set the filter to the IP of the equipment. Have a look at what it is sending and receiving. Then set the firewall to allow only exactly what is needed.
This is also an area where vlans come in very handy. Vlans act like completely separate networks, but they are configured within your switch, so a single 48-port switch can handle a dozen different, totally separate vlans.
Perhaps different parts of your network should be mostly separate, but you need to allow a little bit of specific communication between two vlans. That's when you plug a router or firewall into both vlans and set it to route only specifically allowed traffic between them. This doesn't even require two network ports - the same port can be in multiple vlans and the router can control traffic between vlans using a single cat6 cable. This is called "router on a stick".
If some of this went over your head, here's the simple version:
Call someone who has a CCNA Security certification or better (CCNP Security or CCIE Security). Tell them you're thinking about segregating different vlans and using an internal firewall to strictly control internal traffic. They'll get you set up.
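The least-privilege rule the post above describes, written out as an inter-VLAN firewall policy. This is an added example, not code from the thread or from any vendor: it generates an nftables ruleset for a router that sits between the instrument's VLAN and the rest of the network (router-on-a-stick or otherwise). The device address 192.0.2.10, the monitoring station 198.51.100.20, the VLAN subinterface name eth0.20, and the table/chain names are constructed placeholders; only UDP port 411 comes from the post.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread or any vendor.
# Emit an nftables ruleset that lets one fixed-firmware device do exactly one
# thing (UDP to its monitoring station) and logs and drops everything else it
# tries. Addresses are constructed placeholders:
#   DEVICE_IP   - the legacy instrument on its own VLAN      (assumed 192.0.2.10)
#   MONITOR_IP  - the monitoring station it must reach       (assumed 198.51.100.20)
#   UDP_PORT    - the port named in the post                 (411)
# Apply the output with `nft -f` on the router between the two VLANs. Note the
# forward chain's default policy is drop: this assumes the router is dedicated
# to gating inter-VLAN traffic, so every other forwarded flow needs its own rule.

gen_ruleset() {
    device_ip="$1"
    monitor_ip="$2"
    udp_port="$3"
    cat <<EOF
table inet legacy_device {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic is accepted only for flows a rule below already permitted.
        ct state established,related accept

        # The single thing the instrument is allowed to do: UDP to the
        # monitoring station on the agreed port, and nothing else.
        ip saddr $device_ip ip daddr $monitor_ip udp dport $udp_port accept

        # Anything else the device attempts is logged before being dropped, so
        # unexpected flows show up in the firewall log instead of vanishing.
        ip saddr $device_ip log prefix "legacy-device-denied: " drop
    }
}
EOF
}

# Sanity check on the generated policy: a least-privilege ruleset for this
# device should contain exactly one explicit accept rule besides conntrack.
count_accepts() {
    gen_ruleset "$1" "$2" "$3" | grep -c 'udp dport .* accept'
}

# Before tightening the rule, confirm what the device actually talks to; this
# is the Wireshark step from the post, done on the router's VLAN subinterface
# (interface name is a constructed placeholder):
#   tcpdump -ni eth0.20 host 192.0.2.10
# Then narrow the accept rule to exactly the flows you observed and documented.

gen_ruleset 192.0.2.10 198.51.100.20 411
```

The log-then-drop rule is the part worth keeping even if you change everything else: once the device is pinned to one flow, the denied-traffic log becomes a cheap detector for the instrument doing something it never used to do.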
https://upload.wikimedia.org/w...
https://upload.wikimedia.org/w...
The data says very much otherwise, and there's only legacy software forcing people into Windows nowadays. The only thing garbage here is your attempt.
I use Slackware, along BSD, financially support projects that I use, and have followed the Linux community since Linus was still in college. It always amazes me how clueless the FOSS community is regarding issues such as this.
Just use Linux...
That's your fault for using M$..
etc.
For regulated systems, especially in pharma manufacturing, you are told what to use, how to use it, when to upgrade it, how to upgrade it, etc. Basically, once the system is certified by the FDA - you don't touch it - PERIOD. You purchase enough compute/control systems when you install it to last you through your production, which could be - 10, 15, 20+ years.
There is no, well, just upgrade to x - it's not allowed.
Before some equally clueless libertarian pinhead starts spouting off about 'over regulation' - stop and think for just one second what this system does. It controls the valves, temperatures, mixing, fermenting, refining, etc. of a chemical that people are to ingest. Where the difference between good and bad is measured in ppm, ppb, or even ppt depending on what's being made. Some endocrine chemicals are measured in 1/10ths or 1/100th of a ug!
Do you really want to apply patches to a system such as this? Doesn't matter that they are 'network', or 'mouse driver', or 'display' - the risk is WAY TOO GREAT to jack around with them.
Keep in mind that 'upgrades' require a new certification of that system, or depending on what it does, the entire production chain - which could run you a couple 10's of millions dollars.
So, before starting the typical FOSS rant, please have a clue of what you are talking about, first.
How often do you update your router? If your uptime is over 60 days you are missing updates and are insecure.
I don't know any home/small business router company (TP-Link, Linksys, Netgear, ...) updating routers every 60 days. More like 1-2 times per year, for 1-2 years. And then nothing.
Perhaps you should look into Asus, which often updates at least quarterly, and often monthly:
* https://www.asus.com/Networking/RTAC68U/HelpDesk_BIOS/
* https://www.asus.com/microsite/2014/networks/routerfirmware_update/
And has been doing it for 4+ year-old products. Plus there is third-party code that leverages the GPL stuff that Asus releases:
* https://asuswrt.lostrealm.ca
* https://github.com/RMerl/asuswrt-merlin.ng
A pacemaker corrects irregular heart rhythms, that if left uncorrected may result in a heart attack, resulting in death. Hence a pacemaker can keep someone alive.
People who have pacemakers usually don't have them implanted for fun. They usually have them implanted as their other option is to die from heart failure.
The issue isn't updates but people who don't apply updates at all.
This is exactly the idea behind Microsoft's forced updates: most people are never applying updates, which causes problems, so if the updates get applied without user intervention, problem solved. I don't think they're entirely wrong, but they went about implementing mandatory updates in a kind of brain dead way.
The forced updates of iOS have proven to be more secure than the fragmented updates of Android.
iOS doesn't have forced updates; it is always up to the user to decide to install updates or not, though Apple do a bit to encourage it. The difference between iOS and Android in terms of updates is that Apple as a matter of course rolls out security updates to every device currently supported (and they are supported for quite some time, contrary to the largely inaccurate stereotype of Apple devices getting thrown out and replaced annually) and new versions of iOS to basically all devices capable of running the new version. With android, it's left up to each hardware manufacturer to provide security updates and new versions for their devices. Many don't bother at all, many others do a couple of security updates and maybe a new version while the device in question is "current" before basically abandoning it. Even if a device is technically capable of running a new version, it's not usually an option to "go over the manufacturer's head" for updates; a build has to be tailored to the model in question, and while the wider open source community does offer some for some devices, it's very much a mixed bag of what's supported, how up-to-date it is, and even how trustworthy the third party is.
I work in the medical industry and I have never yet seen Linux as the OS used with any major medical equipment, such as CT scanners, X-Ray scanners, MRI, Ultrasound, etc. Linux is not always the answer in the real world unfortunately.