Slashdot Mirror
Ask Slashdot: How Do You Handle Hardware That Never Gets Software Updates? (hpe.com)
New submitter pgralla writes from a report via HPE: Many devices, designed for both long-term and short-term use, were shortsighted when it came to flexibility. How do you handle the hardware that never gets software updates, such as embedded systems and task-dedicated equipment? The article that pgralla shared provides the example of medical devices running Windows 7. "Many of the current generation, when they were first released, used Windows 7, and the devices still work well enough that they remain in service today," reports HPE. "But Microsoft ended mainstream support for Windows 7 back in January 2015, so the operating system gets updated only with an occasional security patch as part of Microsoft's extended support. In January 2020, that extended support will end as well." Many IoT devices are in a similar boat as they're powered by embedded Linux and are not designed to be updated after they enter service."
Of course, these outdated devices create all sorts of security concerns. "Hackers and their access to knowledge and computing power only go up as the years pass, which means that long-lived, fixed-firmware devices become ever more insecure over time," says Michael Barr, founder of the Barr Group, which provides engineering and consulting services for the embedded systems industry. The WannaCry ransomware hack in 2017 affected not just PCs but also medical devices, and ended up costing businesses $4 billion.
Of course, these outdated devices create all sorts of security concerns. "Hackers and their access to knowledge and computing power only go up as the years pass, which means that long-lived, fixed-firmware devices become ever more insecure over time," says Michael Barr, founder of the Barr Group, which provides engineering and consulting services for the embedded systems industry. The WannaCry ransomware hack in 2017 affected not just PCs but also medical devices, and ended up costing businesses $4 billion.
The issue isn't updates but people who don't apply updates at all.
Linux and osx let you schrdule them but that says the user is smart enough to do so. 20 years of Windows updates have prove that to be false for 99% of users.
The forced updates of iOS have proven to be !ore secure than the fragmented updates of Android.
How often do you update your router? If your up time is over 60 days you are missing updates and are insecure.
That is the issue. The other issue is designing software to use decraprated apis. Anyone building software using win32
i thought once I was found, but it was only a dream.
Implement a firewall with a small microcontroller with a relatively secure TCP/IP stack (ejip if you don't want to spend money, HCC embedded if you do) and do protocol level sanity checking and filtering of all network inputs.
Unfortunately with Microsoft it doesn't matter if I buy it or not. If I buy a new laptop, I am implicitly paying for a microsoft license. It's baked into the price. Many many years ago you used to be able to call the vendor and say you don't agree to the Microsoft terms of service and they would sell you an OEM version without windows at a savings of like $200. But I don't think this is an option anymore.
That said, I don't buy Microsoft products at all if I'm not forced to (like hardware purchase). I dropped a college class back in the day because they had a requirement that all assignments be typed up in Times New Roman font. I used a freely available font, not having a Microsoft license, and got a 0. Yes I know about the old ttf distributable cab, but it does require that you own a Microsoft product, which I didn't. It was a law class and I explained this to the professor but she didn't care, so I dropped the class.
Before some equally clueless libertarian pinhead starts spouting off about 'over regulation' - stop and think for just one second what this system does. It controls the valves, temperatures, mixing, fermenting, refining, etc. of a chemical that people are to ingest. Where the difference between good and bad is measured in ppm, ppb, or even ppt depending on what's being made. Some endocrine chemicals are measured in 1/10ths or 1/100th of a ug!
Sounds like a great argument for mandatory system isolation. Instead of networking directly to the system, the systems should be isolated and only provide a standard interface which a simple computer terminal could interface with. Something like TCP over serial using a variant of X11. When you minimize the attack surface to basic keyboard and mouse input validation then it becomes much easier to build a defensible system.
Anons need not reply. Questions end with a question mark.
I'd never buy test equipment that requires a computer connected to be usable. Never, ever.
That's as bad as my flex radio that I never use for the same reason, garbage. Every time I sit down, I just turn on my old kenwood ts-430 instead.
If it's a self contained device that requires no network connection, maybe. If there are software updates, they need to be installable offline. Mostly analog is ideal though.
Sometimes "never" is not an option. One electronic test equipment that revolutionized the industry is the Audio Precision line of Distortion Analyzers. Virtually everyone involved in electronic design, testing or repair owns one, and they are almost hobbyist-priced (a new basic unit can be had for less than $US 10,000). The revolutionary part of AP analyzers is they connect to a PC to do the math.
Now, somewhat on topic, AP is very good at updating their SW interfaces and older machines can use modern versions of the WinOS. They also are not themselves normally required to be connected to outside networks, provided you use a dedicated PC on the bench and not one used for general computing. So much of the problems are solved using good management practices.
If you want to be anywhere near current, you need an AP. I don't own one; I send my stuff to another engineer who does to test, but he charges $200/Hr. He has the most advanced unit, somewhere near or north of $US 20K. Plus a Windows PC and a printer if you want output charts, of course. My Distortion Analyzer is adequate (Keithley, a unit of Tektronix, $US 6,000) but only measures to the fifth harmonic.
It is a standalone device, but unless you want to dig around for an old 70's~80's era machine from HP, Tek, Boonton, a Sound Technology 1700B, etc that pre-date the inexpensive computing power era, the norm these days is software / PC / Appropriate Sound Card for low cost measurement. So now you need, again, a dedicated PC and most hobbyists use the same machine for general computing. But the cost is *way* lower than a standalone machine or an AP.
If you fudge the numbers, it comes down to a classic standalone machine (they still sell for almost four figures and sometimes a couple of thousand) or software like ARTA and a good sound card, maybe $400 worth of stuff total in addition to a basic working PC of some kind. You can fight with your wallet or just give up and go PC-enabled.