Slashdot Mirror


Ask Slashdot: How Do You Handle Hardware That Never Gets Software Updates? (hpe.com)

New submitter pgralla writes from a report via HPE: Many devices, designed for both long-term and short-term use, were shortsighted when it came to flexibility. How do you handle the hardware that never gets software updates, such as embedded systems and task-dedicated equipment? The article that pgralla shared provides the example of medical devices running Windows 7. "Many of the current generation, when they were first released, used Windows 7, and the devices still work well enough that they remain in service today," reports HPE. "But Microsoft ended mainstream support for Windows 7 back in January 2015, so the operating system gets updated only with an occasional security patch as part of Microsoft's extended support. In January 2020, that extended support will end as well." Many IoT devices are in a similar boat as they're powered by embedded Linux and are not designed to be updated after they enter service.

Of course, these outdated devices create all sorts of security concerns. "Hackers and their access to knowledge and computing power only go up as the years pass, which means that long-lived, fixed-firmware devices become ever more insecure over time," says Michael Barr, founder of the Barr Group, which provides engineering and consulting services for the embedded systems industry. The WannaCry ransomware hack in 2017 affected not just PCs but also medical devices, and ended up costing businesses $4 billion.

10 of 233 comments

  1. Easy.... by GerryGilmore · · Score: 5, Insightful

    ....don't buy it.

    I've seen SO many people whining about MS' forced reboots, etc. STOP!
    If there is not a sensible option available, demand that your vendor make a version that can be sensibly updated. Too many purchasing decisions just don't have any sensible criteria. ("Oh, it's built on Win XP and you aren't updating it? OK - scratch!")

    1. Re:Easy.... by Shikaku · · Score: 5, Insightful

      Linux is free. Updates only when told to. Doesn't have telemetrics by default. Never looked back except in VMs.

    2. Re: Easy.... by fred6666 · · Score: 4, Insightful

      How often do you update your router? If your uptime is over 60 days you are missing updates and are insecure.

      I don't know any home/small business router company (TP-Link, Linksys, Netgear, ...) updating routers every 60 days. More like 1-2 times per year, for 1-2 years. And then nothing.

    3. Re:Easy.... by ShanghaiBill · · Score: 5, Insightful

      > ....don't buy it.

      Not an option with a patented medical device.

      > demand that your vendor make a version that can be sensibly updated.

      Right. Sure. Because companies with millions of customers always do a complete system redesign to satisfy "demands" from one whiner.

    4. Re:Easy.... by Desler · · Score: 4, Insightful

      Not really. Many more people died without them and had less than half the life expectancy. I'm pretty sure a person who, for example, needs a patented medical device like a pacemaker just to stay alive won't be very impressed by your statement.

    5. Re:Easy.... by ShanghaiBill · · Score: 4, Insightful

      > Society got along just fine for thousands of years prior to the invention of said patented medical device.

      1000 years ago people had half the life expectancy they do today, so I would not say everything was "just fine".

      Do you really think it is okay to let people die so your network can be marginally more secure? This is why people roll their eyes at pedantic nerds.

  2. Don't connect it to the internet by MpVpRb · · Score: 4, Insightful

    Many old tools are computer based

    Some old CNC machines run on MS-DOS and a 286 processor

    As long as the hardware stays alive, they continue to do the job

    If they must be networked, restrict their access to the local net

    1. Re:Don't connect it to the internet by kwalker · · Score: 5, Insightful

      Not just the local net. Restrict their access to only trusted control devices on the local net. It may require putting insecure devices on a network segment that has strict access controls, but when the only other alternative is to discontinue a working device (in situations where that's possible), making a sandbox network isn't all THAT much work.

      --
      Improvise, adapt, and overcome.
    2. Re:Don't connect it to the internet by MightyMartian · · Score: 4, Insightful

      This... so much this. Segregate these devices, limit access via VLANs and firewalls. Yes, it may mean only a handful of other devices and workstations can touch these older devices, but you need to reduce the attack surface as much as possible.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
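
Added example, not part of any comment in this thread: a small audit of flow records against the segmentation policy the two replies above describe, where only trusted control hosts may reach the legacy segment and legacy devices never initiate traffic out of it. The subnet, host addresses, ports and flow records are constructed assumptions.

```python
import ipaddress

# Constructed policy; every address and port below is an illustrative assumption.
LEGACY_NET = ipaddress.ip_network("10.66.0.0/24")   # segment holding the unpatched devices
CONTROL_HOSTS = {ipaddress.ip_address(a) for a in ("10.20.0.10", "10.20.0.11")}
ALLOWED_PORTS = {502, 4840}                          # services the control hosts may reach

# Constructed flow records, "initiator destination dst_port", one per line.
SAMPLE_FLOWS = """\
10.20.0.10 10.66.0.5 502
10.20.0.57 10.66.0.5 502
10.20.0.11 10.66.0.7 445
10.66.0.5 203.0.113.9 443
10.66.0.5 10.66.0.7 502
10.20.0.57 10.20.0.80 443
"""

def check_flow(src, dst, port):
    """Return None when a flow fits the policy, otherwise the reason it does not."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_legacy, dst_legacy = src in LEGACY_NET, dst in LEGACY_NET
    if src_legacy == dst_legacy:
        return None  # both outside, or both inside (never crosses the boundary)
    if src_legacy:
        return "legacy device initiated a connection out of its segment"
    if src not in CONTROL_HOSTS:
        return "source is not a trusted control host"
    if port not in ALLOWED_PORTS:
        return "port is not on the allowlist"
    return None

def audit(flow_text):
    """Check every record and return (src, dst, port, reason) for each violation."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        reason = check_flow(src, dst, int(port))
        if reason:
            findings.append((src, dst, int(port), reason))
    return findings

if __name__ == "__main__":
    for src, dst, port, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {src} -> {dst}:{port}: {reason}")
```

Run against real firewall or NetFlow exports, the same check shows whether the segment boundary is actually enforcing the allowlist or only documented as doing so.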
  3. They buy it because it's by raymorris · · Score: 4, Insightful

    They buy it because it's better. It's better than Windows Phone (the first, second, third, and fourth attempts), it's better than Symbian, it's better than everything else people have tried. Why is it better? Linux is or reason it's better. Even Microsoft is using more and more Linux now. Is that because Microsoft has a religious zealotry for Linux? No, it's because Linux is better. Better than eating their own dog food.

    >> Legacy software forcing people into Windows nowadays.
    > Yeah, more than a billion people.

    Yeah, legacy software has a LOT of people (companies, really) still stuck on Windows. Your point is?